Challenge Info Description: NotCloudeFlare have been informed of a new up and coming rival CDN, Jasons Image Hosting. They want you to try and hack your way in >:) Category: Web Difficulty: Hard Author: xesh Challenge Link: https://github.com/DownUnderCTF/Challenges_2021_Public/tree/main/web/jasons_proxy The Challenge Upon loading the challenge application, we’re presented with a basic front-page with a few images and a link stating that the flag will be located at /admin/flag. Attempting to browse to this page directly results in a standard Unauthorisedresponse as shown below.

Table of Contents What is rConfig? Discovery What was the root cause of this bug? Proof of Concept Disclosure timeline What is rConfig? rConfig is an open source PHP web application that allows for device configuration management, it is commonly used within corporate internal networks that are looking for easy management of network connected devices. Discovery The discovery of this bug was very straight forward and simple, the bug should be obvious in both white and black box scenarios.

Challenge Info Category: Web Points: 500 (Dynamic scoring) Description: We created a new cool service that allows you to share your images with everyone (it's on beta now)! The only thing you need to share something is an Image Description!Happy sharing! https://img.ctf.bz/ The Challenge When visiting the page, you’re prompted to login with credentials or login via Dropbox, I didn’t know any creds or see a sign-up page so I logged in using dropbox.

Challenge Info Category: Web Points: 500 (Dynamic scoring) Description: Hack some bank for me. http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/ Useful Resources https://resources.infosecinstitute.com/soap-attack-2/ https://riseandhack.blogspot.com/2015/02/xml-injection-soap-injection-notes.html The Challenge Visiting the site we can see that the website is some type of bank, also we see “Sign-In” and “Sign-Up” pages, so we can make an account and login. There are then 5 main pages once authenticated: Profile, Menu, Transfer, VIP and For Developers: Profile - Lists your full name, bank ID and bank balance Menu - “Welcome to Piggy-Bank!

Challenge Info Category: Web Points: 1000 (Dynamic scoring, goes down when more people solve it) Description: "77777" is my girlfriend's nickname，have fun xdd:) hk node: http://47.75.14.48 cn node: http://47.97.168.223 (Two challenge servers are identical, use either of them.) The Challenge Upon visiting the site we’re shown two very big hints, U can update my points in Profile. and And the flag is admin's password :). Visiting the rest of the pages we can see the profile which just simply displays the amount of points they have, on the some code page we get a screenshot of the code running in the background, and on the some info page we get a screenshot which displays what software is running on the server.