HackerOne H1-2006 2020 CTF Writeup

Hacker101 CTF is part of HackerOne's free online training program.

Opening the application prompts you to input a username and (optional) Twitter. After you submit, it brings you to PartOneActivity, but nothing is visible on the user interface because this part of the code hasn't executed yet.

Now, if we open the ticket with this URL, https://staff.bountypay.h1ctf.com/?template=ticket&ticket_id=3582#tab4, it triggers an AJAX request to upgrade admin with username=undefined, because the JavaScript is trying to find a value which is only defined on ?template=login. I found that we can select multiple templates at once using an array parameter.

Bypassing 2FA gives us the cookie to authenticate as the user. The authenticated user only has 2 things to try: logout and load transactions (app.bountypay.h1ctf.com/statements?month=06&year=2020). The logout function has nothing interesting, so I looked deeper into the /statements endpoint.

Using the staff credentials to exploit staff.bountypay.h1ctf.com: the website is still using a base64 cookie, but now it is signed with something and is unreadable, and we cannot tamper with the cookie.
At first I thought the code was like tag. First I added the upgradeToAdmin class, but upgradeToAdmin needs a click trigger. I saw that the JavaScript has a tab4 class that has the ability to trigger a click when we send #tab4 in the URL.

From app_style I assumed that we can control the CSS of a page, so the first thing that came to mind was CSS injection. The backend was using headless Chrome and only accepting HTTPS connections.

Generating the MD5 hash on the CLI with echo -n 1 | md5sum returns c4ca4238a0b923820dcc509a6f75849b, and we can use this to bypass the 2FA: username=brian.oliver&password=V7h0inzX&challenge=c4ca4238a0b923820dcc509a6f75849b&challenge_answer=1. I used it to log in at app.bountypay.h1ctf.com, exploiting CSS injection to bypass 2FA.

By reading the AndroidManifest.xml file, I assumed the challenge has 3 parts to solve and that each part could be solved using a deeplink.

References:
- https://github.com/bounty-pay-code/request-logger
- https://app.bountypay.h1ctf.com/bp_web_trace.log
- https://twitter.com/SandraA76708114/status/1258693001964068864
- CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-73: External Control of File Name or Path

Summary of steps:
- Directory bruteforce app.bountypay.h1ctf.com found
- We can access software which is protected only for internal IP addresses by using this SSRF and redirect
- Directory bruteforcing the software app using the SSRF
- The account was following Sandra, who is new staff there
- And Sandra posted a picture with the ID card containing her staff ID
- Generate a staff account using the staff ID via the API
- Modify the avatar classes: .upgradeToAdmin .tab4
- Extract 2FA using CSS injection, set up your callback and use this.
I found that the app.bountypay.h1ctf.com domain has a .git folder. I was able to access app.bountypay.h1ctf.com/.git/config, which contains a public repository (https://github.com/bounty-pay-code/request-logger) with code used to log user requests, encode them with base64 and save them in a file, bp_web_trace.log. The file is accessible from the website at app.bountypay.h1ctf.com/bp_web_trace.log. After decoding the requests I found the credentials of a customer.

The Big Picture

Given a web application with wildcard scope *.bountyapp.h1ctf.com, as stated on the @Hacker0x01 Twitter, the goal of the CTF is to help @martenmickos approve the May bug bounty payments.

I was using Hackvertor to view the cookie as plain text and send it as base64; this plugin is very handy. It was possible to make the backend send the request to another location.

At this layer, the only information we have is that the target has 5 subdomains. I then performed basic enumeration for all of the domains; the basic enumeration is directory / parameter [cookie, POST/GET] / header / etc. bruteforce. For wildcard targets, crt.sh always gives most of the subdomain enumeration results.
With the staff ID (STF:8FJ3KFISL3), the /api/staff [POST] endpoint gives us the credentials.

Sending the report URL to the bot gives us the cookie; with the admin cookie I can view the martenmickos password.

We need to sort the code to uICTuNw and send it to the 2FA payment challenge to claim the flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$

I am using Intent Launcher to save all the deeplink history and Wifi ADB to connect to my phone without wires.