Hackoclipse Labs

CTF 1 Medium (More than 5 solves) Note on Environment: The environment may appear very busted, broken, or may not load correctly—this is intentional. The code is an identical mimic of the flaw encountered at the client. This includes developer non-security bugs that were present at the time. These unintentional "features" actually make the challenge harder to debug, as they reflect the exact state of the application during the original assessment.

Ctf 16 medium more then 1 answer potentially plausable be creative. This is a flaw I encountered exactly like this inside a pentest leading to a P1-P2. Can you answer it This was a black box assement but the application with the flaw in question was open source The 2 crucial details are included in the challenge You're testing a PHP application with an input field called RSS_URL. The application uses two functions for handling URLs: one for HTTP and one for HTTPS, with the scheme detected using parse_url. For example: var_dump(parse_url($url, PHP_URL_SCHEME)); // Outputs: ["scheme"] => string(4) "http" The HTTPS function runs a curl -k command using exec, allowing insecure HTTPS requests. The command is built as follows: $cmdline_params .= " -k"; exec($this->curl_path." -D \"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)." ".escapeshellcmd($URI), $results, $return); Documentation escapeshellcmd php: https://www.php.net/manual/en/function.escapeshellcmd.php User input goes through escapeshellcmd, which escapes these characters: &, #, ;, `, |, *, ?, ~, <, >, ^, (), [], {}, $, ,, \, and special characters \x0A and \xFF. On Windows, % and ! are also escaped using a caret (^). Here’s what you also know: 1. You have read/write access to apache assigned /tmp through the Apache web server, but you can't guess what's already in /tmp. 2. open_basedir is set, restricting access to paths like /etc/passwd. 3. The server is running Apache on a Linux environment. 4. Command injection could be possible, but it might not be the primary goal of exploitation. 5. The output is only shown if the output is a legit RSS response. Other pages failed to be returned. Given that this is a curl command, can you identify other potential flaws we could trigger aside from command injection? Consider what vulnerabilities might arise due to curl handling URLs and data, and whether there are ways to leverage this setup for file manipulation, SSRF etc. Don't forget a feature to validate XML/RSS like responses are retruned "after" the exec call has executed makes it if a response is or isn't returned it tries to validate that output is really a RSS file afterwards. The code base if parse_url retruned string(4) "http" instead skips this exec instruction entirely.

CTF 17 medium-hard **UNSOLVED** (bl4ck solved this and made it into challenge): PHP Eval Privilege Escalation in a Restricted Environment Objective: Your goal is to bypass strict PHP restrictions to execute the id, ls -la /, uname -a commands, showing system information such as user identity and OS details. Additionally, to prove full access, display the output of ls /, verifying you've bypassed both the open_basedir restriction and the disabled functions. Background: This challenge emulates a real-world scenario where a restricted PHP environment was successfully bypassed. The setup uses eval() as the only functional command in PHP, while key functions like shell_exec and system are disabled, and open_basedir limits access to specific directories. This scenario represents a hardened PHP environment, often used in shared hosting or isolated containers. At the time uploading files like php file too the webserver directory was not possible so you can only use the eval() present in the existing index.php file for the full poc but for testing creating php files for simplicity is not a problem but your end poc needs to run in the preexisting index.php file sha256sum "0e2abce0725465f59425680be164276cbd58fdcfe73f0a0cd35fe23fd946932c index.php". Environment Setup:

    Download the challenge files: secure-docker-apache-7.3.33.zip. This zip file contains all necessary files to set up the Docker environment.
    Extract the zip file.
    Run the setup: docker-build-7.3.33.sh Use the included shell script with sudo privileges to build the Docker image:

    bash

    sudo bash docker-build-7.3.33.sh

    Note: Only run the docker-build-7.3.33.sh script with sudo to ensure the Docker image builds correctly with the security configuration.

Download Container Technical Configuration PHP Environment Details:

    PHP Version: 7.3.33 (Do not change this version)
    Disabled Functions: shell_exec, system, proc_open, passthru, exec, popen, pcntl_exec, proc_terminate, proc_close, posix_kill, shell_exec, system, proc_open, passthru, exec, popen, pcntl_exec, proc_terminate, proc_close, posix_kill
    open_basedir Restriction: /var/www/html (limits file access to this directory)
    Read-Only Filesystem: Most of the filesystem is read-only, enforcing stricter security.

Docker Security Configuration:

The container uses additional security measures:

    Seccomp Profile: Restricts syscalls like ptrace, mount, and kexec_load to prevent common privilege escalation techniques.
    Read-Only Mode: The filesystem is read-only, except for essential directories (/tmp and /var/run/apache2) mounted as temporary filesystems.

Challenge Instructions:

    Access the Docker container by navigating to http://localhost:8000/index.php after the setup.

Objective: Find a way to bypass the restrictions and retrieve the following outputs: id: Displays the current user’s identity and group information. uname -a: Shows detailed system information, including the operating system and kernel version. ls -la /: Lists the contents of the root directory, demonstrating full bypass of both open_basedir and disabled_functions constraints.

CTF 18 - Medium Multipayload Challenge Objective: You need to exploit stored XSS in a chat system with a 14-character message limit per message. Your goal is to trigger alert(document.domain) on the target. best record with alert(document.domain) is 5 messages, best record using instead alert(location) 4 messages. (OG poc needs to be for alert(document.domain) however if you want to fully solve it try to get in 4 messages using alert(location) instead bonus points if you solve 4 messages poc 0 click using location instead 😉 ) This is a recreation on a clients bidding system (think ebay as example) where xss was present in the nickname off account biddings witch was hardlimited to 14 chars maximum per user and biddings are in reverse order and with the clients case required a new account per bid and a typo was enough for game over, for the challange i avoided the make new account per bid part and added a reset buitton that is session bound. Key Points: - Messages are returned in reverse order. - Some HTML tags are blocked due to overwrite restrictions. - Minimize the number of messages for your proof of concept (PoC), aiming for a zero-click solution. - Use creativity with your payloads, as there’s a lot of extraneous HTML and output from other div tags. - If things go wrong, hit the red reset button to reset your session (only your session will reset). - Each session is isolated using PHP sessions, so everyone gets their own environment to work with. - Due to the reverse order, you need to carefully choose which payload "part" to send next. Reset the session if needed. - This scenario was inspired by a similar XSS vulnerability I encountered at a client with chat system restrictions.

CTF 19 - Hard Runes Challenge Objective: You need to trigger **reflective XSS** via a GET parameter named `input` while following extreme character restrictions. Your payload will be reflected inside a `<script>` tag. Max input length: **275 characters** Only special characters and Unicode runes (ᚠ to ᛿) are allowed. (hit button saying "Show all Allowed Characters in your console (Console)" at the start and open your console. No letters (a-zA-Z) or digits (0-9) permitted. Key Points: - Input is reflected unsafely in a `<script>` tag. - The only characters allowed are **Unicode runes (U+16A0–U+16FF)** and **ASCII special symbols** like `!"#$%&'()*+,-./:;<=>?@[\]^_\`{|}~` - JavaScript lets you assign rune characters as variables, like: `ᚠ = ''` - Your goal is to **build a full JS alert(1)** payload. - You cannot use `alert(1)` directly — build it dynamically using runes and special chars. - JSFuck-style logic works perfectly: []["filter"]["constructor"]("alert(1)")() or []["fil"+"ter"]["const"+"ructor"]("ale"+"rt(1)")() - You’ll need to craft every part of the string **without using letters or digits**. - If your payload doesn’t work, check the console and confirm your encoding isn’t broken by a bad rune or symbol spaces are not allowed. 👇 Click the button at the bottom of the challenge page to **see all allowed characters** in the browser console. 📚 Highly encouraged: study the full JSFuck reference or your gone have a bad time https://github.com/aemkei/jsfuck/blob/f8e0f1cc9729bd84454df2969bc1b06c3e8c3fc4/jsfuck.js https://jsfuck.com/ This challenge is inspired by the PMNH obfuscation challenge and designed to push JS logic under hard constraints.

CTF 20 - Medium User Agent XSS Challenge Objective: The goal of this challenge is to achieve stored XSS by exploiting the User-Agent input, which gets logged in the session. Specifically, you need to craft a malicious User-Agent string that will be stored in the session and executed later when retrieved. Your challenge is to trigger the execution of alert(document.domain). We use here a very commonly used User-Agent parser from PHP Symfony, so the "full" User-Agent is not exploitable directly, but after parsing, it might be. Key Points: The User-Agent input is unsafely stored in the session. You will be exploiting stored XSS to trigger a JavaScript alert on the page. You must craft a payload using only a malicious User-Agent string. The challenge utilizes a commonly used User-Agent parser — can you bypass it and inject malicious code? Ensure that alert(document.domain) is executed once your crafted User-Agent is parsed. Hints: Try starting with a simpler payload like alert`1` before advancing to the final goal. If you're using Burp Suite, make sure to pass the PHP session cookie to keep track of your session. Reset Log Button: Don’t forget to reset the log after each test to avoid confusion. Why does it say "Is a Mobile device?" for every User-Agent? This challenge aims to push your understanding of (blind) XSS from the User-Agent. If you solve it, the knowledge you gain will be very helpful with User-Agent-based blind XSS in the future. 😉

CTF 21 - Hard Keymatch Objective: The goal of this challenge is to achieve reflective XSS through the search input. Your task is to craft a query that executes alert(document.domain) on the current domain and current folder path "/ctfs/keymatch/search.php" Key Points: This is a search‑based reflective XSS challenge with a annoying very realistic twist. The search behaves like a real storefront search system. "What" you search and "how" you search can change your outcome. Only a one‑click reflective xss solution is required. Ensure that alert(document.domain) is executed from the correct folder "/ctfs/keymatch/search.php" on this domain. Hints: Your wording does affect how the response is returned on earch panels and if you dont follow there rules you dont get the result you where looking for. The desing is build arround realism and very many case studies from my career but for simplicty reasons a firewall was not added. It's very sensitive for mistakes so be very carfull encouraged starting small like with "a". If expierenced with return orientated programming (ROP) you might notice a analogy here.