corrected paths to images - all writeups

Author: bl4de

2015/ASIS_CTF_2015/Biglie_Forensic_100_writeup.md

@@ -26,8 +26,7 @@ It returns us encrypted pastebin:
 
 {"iv":"adzR1bn929d5vf53R6BuDg","salt":"4SYEnmaSS58","ct":"J7QU491qMea5JTkR1y5MSH/UBp5QHIjHq7PeRRaqYn/rPsY1h1wiPbFp/gMufQ1w"}
 
-![Pastebin]
-(https://github.com/bl4de/ctf/blob/master/2015/ASIS_CTF_2015/Biglie_Forensic100/biglie-packet.png)
+![Pastebin](https://github.com/bl4de/ctf/blob/master/2015/ASIS_CTF_2015/Biglie_Forensic100/biglie-packet.png)
 
 To see decrypted content, we need to figure out what the key was used.
 
@@ -39,8 +38,7 @@ When we take a look at pcap file, we can find requests to some web statistic too
 
 We can see key used to encrypt this pastebin - *-krvZ7lGwZ4e2JQ8n+3dfsMBqyN6Xk6SUzY7i0JKbpo*
 
-![Piwik request]
-(https://github.com/bl4de/ctf/blob/master/2015/ASIS_CTF_2015/Biglie_Forensic100/biglie-packet-to-piwik-with-flag.png)
+![Piwik request](https://github.com/bl4de/ctf/blob/master/2015/ASIS_CTF_2015/Biglie_Forensic100/biglie-packet-to-piwik-with-flag.png)
 
 After use this key we can reveal decrypted content of pastebin:
 
@@ -82,9 +80,7 @@ http://0bin.asis.io/paste/1ThAoKv4#Zz-nHPnr0vGGg3s/7/RWD2pnZPZl580x9Y2G3IUehfc
 
 Last one contains the flag as an ASCII graphic:
 
-![Flag]
-(https://github.com/bl4de/ctf/blob/master/2015/ASIS_CTF_2015/Biglie_Forensic100/biglie-flag.png)
+![Flag](https://github.com/bl4de/ctf/blob/master/2015/ASIS_CTF_2015/Biglie_Forensic100/biglie-flag.png)
 
 After completing all lines in one file, we can read the flag:
 
-*ASIS{e29a3ef6f1d71d04c5f107eb3c64bbbb}*

2015/CSAW_CTF_2015/LawnCareimulator_Web200_writeup.md

@@ -4,8 +4,7 @@
 
 Lawn Care Simulator is a simple web application to show how the grass is growing. Yeah, ok. It has premium content, but it requires registration. Registration not working and there's no way to log in as we can't register any account.
 
-![Lawn Care Simulator]
-(https://github.com/bl4de/ctf/blob/master/2015/CSAW_CTF_2015/Lawn_Care_Simulator_web200/lawncare01.png)
+![Lawn Care Simulator](https://github.com/bl4de/ctf/blob/master/2015/CSAW_CTF_2015/Lawn_Care_Simulator_web200/lawncare01.png)
 
 
 ## Solution
@@ -97,8 +96,7 @@ So when we try to register with username eg. '%%', we see this screen:
 
 We have existing username, now we have to try to find the password.
 
-![Got username]
-(https://github.com/bl4de/ctf/blob/master/2015/CSAW_CTF_2015/Lawn_Care_Simulator_web200/lawncare02.png)
+![Got username](https://github.com/bl4de/ctf/blob/master/2015/CSAW_CTF_2015/Lawn_Care_Simulator_web200/lawncare02.png)
 
 
 ### Phase 3 - bruteforce password validation
@@ -249,8 +247,7 @@ time for 9 - 3.290462
 
 After *667e217666* time of responses stopped to change, so I've decided to try only with this (I've added some random chars to get 32 characters length of the whole hash) - and it was enough:
 
-![Grab the flag]
-(https://github.com/bl4de/ctf/blob/master/2015/CSAW_CTF_2015/Lawn_Care_Simulator_web200/lawncare03.png)
+![Grab the flag](https://github.com/bl4de/ctf/blob/master/2015/CSAW_CTF_2015/Lawn_Care_Simulator_web200/lawncare03.png)
 
 
 And the flag was: *gr0wth__h4ck!nG!1!1!*
@@ -269,4 +266,3 @@ And totaly different and much more straightforward from _Alpackers_:
 https://github.com/Alpackers/CTF-Writeups/tree/master/2015/CSAW-CTF/Web/Lawn-Care-Simulator
 
 
-

2015/HACK.LU_CTF_2015/Module_Loader_Web100_writeup.md

@@ -11,13 +11,11 @@ Since his students never know what date it is and how much time they have until
 
 We get simple web application with two available options:
 
-![Welcome screen]
-(https://github.com/bl4de/ctf/blob/master/2015/HACK.LU_CTF_2015/Module_Loader_web100/Module_Loader1.png)
+![Welcome screen](https://github.com/bl4de/ctf/blob/master/2015/HACK.LU_CTF_2015/Module_Loader_web100/Module_Loader1.png)
 
 After quick research there's an obvious LFI (Local File Include)
 
-![LFI]
-(https://github.com/bl4de/ctf/blob/master/2015/HACK.LU_CTF_2015/Module_Loader_web100/Module_Loader2.png)
+![LFI](https://github.com/bl4de/ctf/blob/master/2015/HACK.LU_CTF_2015/Module_Loader_web100/Module_Loader2.png)
 
 We can include any file using url:
 
@@ -61,17 +59,14 @@ Also, we can display _.htaccess_, which contains some directory with quite "obvi
 
 Let's take a look there and here we go:
 
-![3cdcf3c63dc02f8e5c230943d9f1f4d75a4d88ae content]
-(https://github.com/bl4de/ctf/blob/master/2015/HACK.LU_CTF_2015/Module_Loader_web100/Module_Loader3.png)
+![3cdcf3c63dc02f8e5c230943d9f1f4d75a4d88ae content](https://github.com/bl4de/ctf/blob/master/2015/HACK.LU_CTF_2015/Module_Loader_web100/Module_Loader3.png)
 
 
 Last thing is to use LFI and see, what's in flag.php file:
 
-![Flag]
-(https://github.com/bl4de/ctf/blob/master/2015/HACK.LU_CTF_2015/Module_Loader_web100/Module_Loader4.png)
+![Flag](https://github.com/bl4de/ctf/blob/master/2015/HACK.LU_CTF_2015/Module_Loader_web100/Module_Loader4.png)
 
 
 school.fluxfingers.net:1522/?module=../3cdcf3c63dc02f8e5c230943d9f1f4d75a4d88ae/flag.php
 
 
-flag{hidden_is_not_actually_hidden}

2015/MMACTF_2015/Uploader_Web100.md

@@ -17,8 +17,7 @@ You can only upload files whose name is matched by /^[a-zA-Z0-9]+\.[a-zA-Z0-9]+$
 
 Web page contains only one simple upload form:
 
-![Uploader task]
-(https://github.com/bl4de/ctf/blob/master/2015/MMACTF_2015/uploader1.png)
+![Uploader task](https://github.com/bl4de/ctf/blob/master/2015/MMACTF_2015/uploader1.png)
 
 Each file is accesible after uploading, so we can try to upload some simple shell to find the flag, which should be placed somewhere on the server.
 
@@ -53,17 +52,14 @@ This won't work in the future versions of PHP, as from PHP 7 ASP tags and _scrip
 
 After uploading the shell, let's take a look around:
 
-![ls -lA executed in /]
-(https://github.com/bl4de/ctf/blob/master/2015/MMACTF_2015/uploader2.png)
+![ls -lA executed in /](https://github.com/bl4de/ctf/blob/master/2015/MMACTF_2015/uploader2.png)
 
 We can see file named _flag_ in the root directory of the server.
 
 We can execute _cat flag_ command via the shell and catch the flag:
 
-![Flag]
-(https://github.com/bl4de/ctf/blob/master/2015/MMACTF_2015/uploader3.png)
+![Flag](https://github.com/bl4de/ctf/blob/master/2015/MMACTF_2015/uploader3.png)
 
 
 ## Links
 
-http://php.net/manual/en/language.basic-syntax.phptags.php

2016/CSAW_CTF_2016/mfw/mfw_web125.md

@@ -9,25 +9,22 @@ http://web.chal.csaw.io:8000/
 
 We get simple website, build with PHP, Bootstrap and with Git. Url looks vulnerable for Local File Include and Directory Traversal, but couple of standards payloads returned only "Detected hacking attempt!" or "That file doesn't exist!" messages.  
 
-![Screen caption]
-(assets/mfw2.png)
+![Screen caption](assets/mfw2.png)
 
 
 ### Digging into .git folder
 
 Abandoned, readable .git folder is a gold mine. Access to one in this challenge wasn't restricted in any way, I could easily navigate through all folders and files using web browser:
 
-![Git]
-(assets/mfw3.png)
+![Git](assets/mfw3.png)
 
 But I wanted source code to find out the way to exploit LFI or Directory Traversal, so with little help of my own tool, **diggit** (https://github.com/bl4de/security-tools/tree/master/diggit) I downloaded sources:
 
 ```
 $ ./diggit.py -u http://web.chal.csaw.io:8000/ -t /Users/bl4de/hacking/ctf/2016/CSAW_CTF_2016/mfw -r true -o 7a0a66bbc50a8fdb83909b79c328bff4596f71ed
 ```
 
-![diggit in action]
-(assets/mfw6.png)
+![diggit in action](assets/mfw6.png)
 
 I checked the file ```flag.php``` (I found commented link to it earlier, when I was checking HTML source of website), but it does not contain anything interesting, except comment ```//TODO``` - and that was crucial information to find the solution of this challenge, but more on this later:
 
@@ -148,14 +145,12 @@ If you are able to display such output, use option 'View source' in your browser
 
 Here's an output from previous payload directly in the browser tab (interpreted as regular HTML, which is very hard to read, not what we want to see):
 
-![command as HTML]
-(assets/output1.png)
+![command as HTML](assets/output1.png)
 
 
 And here's how it looks like when 'View source' option is used instead:
 
-![command as HTML]
-(assets/output2.png)
+![command as HTML](assets/output2.png)
 
 --
 
@@ -180,8 +175,7 @@ Bingo!
 
 
 
-![git status]
-(assets/mfw7.png)
+![git status](assets/mfw7.png)
 
 ```flag.php``` was modified, but no changes were added to commit and commited, so file I've downloaded earlier didn't contain newest changes.
 
@@ -194,8 +188,7 @@ view-source:http://web.chal.csaw.io:8000/?page='.system("cd /var/www/html/;git d
 
 And here we are:
 
-![Flag]
-(assets/mfw5.png)
+![Flag](assets/mfw5.png)
 
 
 The flag:
@@ -204,13 +197,11 @@ The flag:
 <?php $FLAG="flag{3vald_@ss3rt_1s_best_a$$ert}"; ?>
 ```
 
-![git diff FTW!!!]
-(assets/gitdiff.png)
+![git diff FTW!!!](assets/gitdiff.png)
 
 --
 
 I had a lot of fun with this challenge, even if it was relatively simple. It contains a lot of obvious vulnerabilities like (potential) LFI with Directory Traversal and (fully exploitable) RCE, but in the end the solution turned into Git and some Git commands knowledge.
 
 Thanks to CSAW Team for great CTF this year!
 
-Looking forward for CSAW CTF 2017 :)

2016/Google_CTF_2016/Ernst_Echidna_Web_50/README.md

@@ -9,13 +9,11 @@ Can you hack (url provided) website? The robots.txt sure looks interesting.
 
 We've got simple web page, which allows us to register an account:
 
-![Ernst Echidna]
-(assets/1.png)
+![Ernst Echidna](assets/1.png)
 
 Register form:
 
-![Ernst Echidna]
-(assets/2.png)
+![Ernst Echidna](assets/2.png)
 
 _robots.txt_ reveals one hidden path:
 
@@ -27,16 +25,13 @@ At above url there's hidden administration panel and we need to has administrati
 
 After successful registration a cookie with MD5 hash of our login is set:
 
-![Ernst Echidna]
-(assets/3.png)
+![Ernst Echidna](assets/3.png)
 
 Simple change cookie content to MD5('admin') and refreshing browser tab allows to access panel:
 
-![Ernst Echidna]
-(assets/4.png)
+![Ernst Echidna](assets/4.png)
 
 
 ...and reveals the flag:
 
-![Ernst Echidna]
-(assets/5.png)
+![Ernst Echidna](assets/5.png)

2016/Google_CTF_2016/In_Recorded_Conversation_Forensic_25/README.md

@@ -27,4 +27,3 @@ And we can simply collect fragments of the flag:
 
 ```
 CTF{some_leaks_are_good_leaks_}
-```

2016/Google_CTF_2016/Spotted_Quoll_Web_50/README.md

@@ -9,16 +9,14 @@ This blog on Zombie research looks like it might be interesting - can you break
 
 We get web page with quite simple interface:
 
-![Spotted Quoll]
-(assets/1.png)
+![Spotted Quoll](assets/1.png)
 
 We have no access to _Admin_
 
 
 Quick look at request headers shows Cookie header contains long Base64 string:
 
-![Spotted Quoll]
-(assets/2.png)
+![Spotted Quoll](assets/2.png)
 
 String contains Python Pickle module object.
 
@@ -46,4 +44,3 @@ c2 = base64.b64encode(cPickle.dumps(n))
 ```
 
 Simple change of _obsoletePickle_ cookie allows us to access Admin and read the flag.
-

2016/Google_CTF_2016/Wallowing_Wallabies_Web_25/README.md

@@ -9,8 +9,7 @@ Wallowing Wallabies provides enterprise contract management - we'd like to find
 
 We've got web page with no visible navigation or form except Home page:
 
-![Wallowing Wallabies]
-(assets/1.png)
+![Wallowing Wallabies](assets/1.png)
 
 Quick look at _robots.txt_ reveals some hidden content:
 
@@ -30,8 +29,7 @@ Disallow: /deep-blue-sea/team/vendors
 
 Web page at _/deep-blue-sea/team/vendors_ contains form with two fields:
 
-![Wallowing Wallabies]
-(assets/2.png)
+![Wallowing Wallabies](assets/2.png)
 
 Text field was vulnerable to XSS and allows to put payload with simple JavaScript to steal cookie:
 
@@ -63,11 +61,8 @@ After a couple of minutes someone "read" message and _cookies.txt_ file on _swor
 green-mountains=eyJub25jZSI6ImUxNjgwMjcyYTcxNDE3MjMiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vdmVuZG9ycy4qJCIsImV4cGlyeSI6MTQ2MjAzMTg2OH0=|1462031865|d985a99f12846cd73da3b9b01b3b921fd15512e3
 ```
 
-![Wallowing Wallabies]
-(assets/3.png)
+![Wallowing Wallabies](assets/3.png)
 
 Refresh of Wallowing Wallabies page with stolen cookie revealed the flag:
 
-![Wallowing Wallabies]
-(assets/4.png)
-
+![Wallowing Wallabies](assets/4.png)

2016/HackIM_2016/Unicle_Web200/Unicle_Web200_writeup.md

@@ -6,8 +6,7 @@ OSaaS is the new trend for 2016! Store your object directly in the cloud. Get ri
 
 http://54.84.124.93/
 
-![Unicle application]
-(unicle01.png)
+![Unicle application](unicle01.png)
 
 ## Solution
 
@@ -29,8 +28,7 @@ After some attempts to read eg. MySQL version via _version()_ I've realized that
 http://54.84.124.93/?cat=2+union+select+1,2,%22aaa%22,4/**/
 ```
 
-![SQLi]
-(unicle02.png)
+![SQLi](unicle02.png)
 
 That was something new for me, so I've tried some other payloads:
 
@@ -99,8 +97,7 @@ http://54.84.124.93/?cat=1+and+1=2+union+select+1,2,%22c__builtin__%0Aeval%0A%28
 
 And a result in Burp Repeater:
 
-![ls -l result]
-(unicle04.png)
+![ls -l result](unicle04.png)
 
 
 So there's a _flag_ file directly in _/var/www_ directory, so let's get it!
@@ -114,8 +111,7 @@ http://54.84.124.93/?cat=1+and+1=2+union+select+1,2,%22c__builtin__%0Aeval%0A%28
 And the flag is:
 
 
-![flag]
-(unicle_flag.png)
+![flag](unicle_flag.png)
 
 ## Summary
 
@@ -134,4 +130,3 @@ Flask
 http://flask.pocoo.org/
 
 SQLAlchemy		
-http://flask-sqlalchemy.pocoo.org/2.1/