Vysor – Web-based CTF Walk-through
Hello guys, in today's article I am going to show how to solve the Vysor web-based CTF, so let's start.
CTF link: vysor (the CTF is online, so you can try it yourself)
So I started solving this CTF challenge, and in the first stage I found this login screen, so first I decided to look at the source code of the page,
and there it is written "login to start the CTF", so I thought maybe I have to bypass the login somehow.
So I thought about an SQL injection login bypass and I tried some SQLi login bypass payloads (e.g. 1'or'1'='1),
but those payloads did not work. Then I replaced all the single quotes in the payload with double quotes, so it looks like this: 1"or"1"="1
And guess what, this payload worked for me. Then in the next stage there is one login panel, but with only a password field.
I tried all the SQLi payloads in it but none of them worked for me, so I decided to look at the source code of the page and I found a link in an HTML comment, which is a hint for this stage.
I opened that link and there was the PHP code of the second challenge. I started to study how the PHP code works
and I found that 'secret.php' is included; maybe it contains some password or something similar.
That PHP code takes the user input and hashes it with md5. I wondered how I could guess the password, but later on I read the file name of the 2nd stage and it looked similar to base64,
so I decoded it and I was right: I got the hint, the file name is "Type_jugling".
Recently I read an article on the PHP type juggling exploit, and I read that PHP interprets two different md5 strings which contain only numbers, such as 0e21424 == 0e12312, as the same.
So I guessed maybe it is the same case here, and I found one number, "240610708", whose md5 form is 0e462097431906509019562988736854, which worked for me, so the password is 240610708. This is not the only password that works: any string that has an md5 form like the one shown above will work.
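The loose comparison behind stage 2, as an added example that is not the challenge's code or the author's: `STORED_HASH` is a constructed stand-in for whatever `secret.php` holds, and the function names are hypothetical. It puts the `==` check beside a `hash_equals()` check and adds a helper for auditing stored digests.

```php
<?php
// Added example, not the challenge's code. STORED_HASH is a constructed
// stand-in for the value in secret.php: a digest of the form 0e<digits>.
define('STORED_HASH', '0e' . str_repeat('1', 30));

// Loose check: == sees two numeric strings and compares them as floats.
// 0e<digits> parses as 0 times a power of ten, so every such digest
// equals every other one.
function loose_check(string $password): bool
{
    return md5($password) == STORED_HASH;
}

// Strict check: hash_equals() compares the two strings byte for byte in
// constant time and never converts them to numbers.
function strict_check(string $password): bool
{
    return hash_equals(STORED_HASH, md5($password));
}

// Audit helper: a digest is exposed to this bug when PHP would read it
// as scientific notation with a zero mantissa (hex letters a-f after
// the "e" make it an ordinary string again).
function is_magic_hash(string $digest): bool
{
    return preg_match('/^0+e\d+$/i', $digest) === 1;
}

// The first candidate is the password from the write-up; the second is
// a constructed control value.
foreach (['240610708', 'password123'] as $pw) {
    printf(
        "%-12s md5=%s magic=%s loose=%s strict=%s\n",
        $pw,
        md5($pw),
        var_export(is_magic_hash(md5($pw)), true),
        var_export(loose_check($pw), true),
        var_export(strict_check($pw), true)
    );
}
```

For real password storage the digest would come from `password_hash()` and be checked with `password_verify()`, which avoids both the loose comparison and unsalted md5.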
So that's how I cleared the 2nd stage. The third stage is a bit tough because no proper link is given, only a hint in the page source, which is "PHP has awesome filters", and there is also one fake login to mess with players.
Then I thought the hint was pointing to PHP wrapper exploits, so I tried to fetch the PHP source code using the php://filter/convert.base64-encode/resource=index.php wrapper, but it didn't work.
So I started to observe the URL pattern and I found that the page's URL does not end with a .php extension; maybe the programmer hard-coded the extension in the PHP file.
So I again passed the PHP wrapper for reading the content of index.php, but without the .php extension: "php://filter/convert.base64-encode/resource=index",
and I got a base64-encoded string in the response.
Then I decoded that base64 string and got the content of index.php, and this file also contains the flag of the challenge.
That's how I completed the CTF. Thank you for reading this article.