Web100

Answer was ENT_QUOTES since it wasn’t specified in htmlentities() function. Without this parameter the function won’t escape single quotes (‘) leading so to a XSS under some circumstances.

http://dctf.defcamp.ro/uploads/findthebug.png


Web200 (solved by nurfed)

In this challenge they used a known open-source CMS called CMSmini where its sources can be found easily through google. The vulnerability was the unsafe redirect used which should deny to access admin/ without proper authentication. Can be bypassed just to request the page with wget/curl,etc.. By the way the flag can be obtained using this GET request:

http://10.13.37.12/cms/admin/edit.php?name=../admin/config.php

Which leads to the flag:

RosesmaysayIloveyoubutthecactussaysFuckoff


Web300

In this challenge the images provided are created by a tt.php page which takes 2 arguments, ‘w’ and ‘src’. But if you submit it without any of them you’ll see an interesting output:

TimThumb version : 1.33

Googling some vulnerabilities about this type of application I found this:

http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

Which lead us to basically upload an image on the server from a “trusted source” like flickr, wordpress and photobucket. Now it’s pretty easy to upload a shell hidden in an image in photobucket since it won’t remove our payload (like wordpress do). Our supplied image will be placed in cache/external_md5(url_of_image) on the  server. But how to execute our code? On the site there was a LFI which allows us to do this:

http://10.13.37.13/?page=cache/external_f30ad69cdf4e75d97082b57257dc750a&x=ls%20-al

575b3f3f5318b2afbfe91ed860a4b10c.txt <– flag file

flag: johnnybravo

Razor4x