Vysor – Web-based CTF Walk-through


Hello guys, in today's article I am going to show how to solve the Vysor web-based CTF, so let's start.

CTF Link: vysor (the CTF is online, so you can try it yourself)

start

I started solving this CTF challenge, and in the first stage I found a login screen, so first I decided to look at the page source.

There it says "login to start the CTF", so I thought maybe I had to bypass the login somehow.

So I thought of an SQL injection login bypass and tried some SQLi login-bypass payloads (e.g. 1'or'1'='1).

Those payloads did not work, so I replaced all the single quotes in the payload with double quotes, so it looked like this: 1"or"1"="1

And guess what, this payload worked for me. In the next stage there is another login panel, but with only a password field.

2nd round

I tried all the SQLi payloads on it but none of them worked, so I decided to look at the page source, and I found a link in an HTML comment which is the hint for this stage.

I opened that link and it shows the PHP code of the second challenge, so I started studying how the PHP code works.

I found that 'secret.php' is included; maybe it contains a password or something similar.

The PHP code takes the user input and hashes it with MD5. I wondered how I could ever guess the password, but later I looked at the file name of the 2nd stage and it looks like base64.

hint

So I decoded it, and I was right: I got the hint. The file name is "Type_jugling".

I recently read an article on the PHP type juggling exploit, and it said that two different MD5 strings that consist only of a leading 0e followed by digits, for example 0e21424 == 0e12312, are interpreted by PHP as equal (both are parsed as numeric strings with the value zero).

So I guessed it might be the same case here. I found the number "240610708", whose MD5 is 0e462097431906509019562988736854, and it worked for me, so the password is 240610708. It is not the only password that works: any string whose MD5 has the form shown above will work.
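To make the bug concrete, here is an added Python example (not the challenge's own code) that emulates PHP's loose `==` on two strings, reproduces the bypass against a constructed secret whose MD5 is also a 0e... digest (md5("QNKCDZO"), an assumption standing in for secret.php), and shows the check that a strict, constant-time comparison like PHP's hash_equals() gives, plus a small scan that flags stored digests of the risky form.

```python
import hashlib
import hmac
import re

# PHP 7/8 compares two strings numerically when BOTH look numeric.
# "0e462097431906509019562988736854" parses as 0 x 10^462097..., i.e. 0.0,
# so every "0e<digits>" digest is == to every other one.
NUMERIC_STR = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's `==` between two strings (numeric strings compare as numbers)."""
    if NUMERIC_STR.match(a) and NUMERIC_STR.match(b):
        return float(a) == float(b)
    return a == b

def is_magic_hash(hexdigest: str) -> bool:
    """Flag a digest of the form 0e<digits only>, which PHP's == treats as 0."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None

# Constructed secret: md5("QNKCDZO") is itself a 0e... digest, like the value
# the challenge keeps in secret.php (assumption; the real secret is not known).
SECRET_MD5 = hashlib.md5(b"QNKCDZO").hexdigest()

def vulnerable_check(password: str, stored_md5: str = SECRET_MD5) -> bool:
    """Mirrors `if (md5($password) == $secret)` as used in the challenge."""
    return php_loose_equals(hashlib.md5(password.encode()).hexdigest(), stored_md5)

def hardened_check(password: str, stored_md5: str = SECRET_MD5) -> bool:
    """Mirrors `hash_equals($secret, md5($password))`: byte-wise, constant-time,
    never numeric. Storing a bare MD5 is still weak (password_hash() is the real
    fix); this only removes the type-juggling comparison bug."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_md5)

if __name__ == "__main__":
    print(hashlib.md5(b"240610708").hexdigest())  # 0e462097431906509019562988736854
    print(vulnerable_check("240610708"))           # True: wrong password accepted
    print(hardened_check("240610708"))             # False
    print(is_magic_hash(SECRET_MD5))               # True: this stored hash is at risk
```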

That is how I cleared the 2nd stage. The third stage is a bit tougher, because no exact link is given, only a hint in the page source, which is "PHP has awesome filters". There is also a fake login to mess with players.

Then I thought the hint points to PHP wrapper exploits, so I tried to fetch the PHP source code using the php://filter/convert.base64-encode/resource=index.php wrapper, but it didn't work.

final

So I started observing the URL pattern and found that the page URL does not end with a .php extension; maybe the programmer hard-coded the extension in the PHP file.

So I passed the PHP wrapper again to read the content of index.php, but without the .php extension: php://filter/convert.base64-encode/resource=index

got base 64

and I got a base64-encoded response.

Then I decoded that base64 string and got the content of index.php, which also contains the flag of the challenge.

decoded

That's how I completed the CTF. Thank you for reading this article.

About the Author: TheCoder
