PatriotCTF shortWU

Web giraffe notes The code bans the HTTP-X-Forwarded-For header, but we can use the X-Forwarded-Host header to bypass it. Impersonate First, I get server_start_time by getting the response from the /status page. Then, I use flask-unsign to generate a cookie with is_admin set to True and username set to administrator. Then, I send a request to the admin page with this cookie to get the flag. Code exploit: import os, requests from datetime import datetime, timedelta import hashlib import subprocess res = requests....

September 21, 2024 · Me

Sea Hackthebox

User flag Recon Firstly, sea.htb is built from wondercms. You can check it by enumerating the web or searching for the string velik71 that appears on the banner. Checking the /themes/bike/wcms-modules.json, I found the version of this website is 3.2.0. It has CVE-2023-41425, which allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component. I also found a contact.php page which allows us to send information including a malicious link to the admin....

August 17, 2024 · Me

Headless Hackthebox

User flag Recon Port scanning: Directory scanning: The server opens a port (5000) for running a website. After scanning directories, I found 2 interesting directories: /support, which we can access via the For questions button. It has a form to submit a message. By checking its request, I find that it is using the POST method to send data to the server. I try to send a message with a payload <h1>alert(1)</h1> and it responds with an alert form which includes the header of this request....

July 5, 2024 · Me

BoilerCTF Write-up

Reverse Annnnnnny-Second-Now The function super_optimized_calculation is a Fibonacci generator. To solve this chall, we just use the 90th Fibonacci number and take it modulo each number in the v6 array. Code: v6=[0]*25 v6[0] = 35831; v6[1] = 143; v6[2] = 1061; v6[3] = 877; v6[4] = 29463179; v6[5] = 229; v6[6] = 112; v6[7] = 337; v6[8] = 1061; v6[9] = 47; v6[10] = 29599; v6[11] = 145; v6[12] = 127; v6[13] = 271639; v6[14] = 127; v6[15] = 353; v6[16] = 193; v6[17] = 191; v6[18] = 337; v6[19] = 1061; v6[20] = 193; v6[21] = 353; v6[22] = 269; v6[23] = 487; v6[24] = 245; a = 2880067194370816120 & ((1<<64)-1) for i in v6: print(chr(a%i),end='') js-safe After deobfuscating the code, we can see that the function addToPassword uses some operation to check the pass code....

April 15, 2024 · Me