TheDead91/ReplyChallengeReplica2018

Replica of Web Hacking Challenges from Reply in 2018

tl;dr

Back in 2018, some friends and I took part in the Reply Cyber Security Challenge. Unfortunately we were not able to reach our goal, and the last position on the leaderboard was far from us, but I got the weird idea to replicate their web challenges so that they can be exploited and studied locally.

Please be aware that this was a "black box" exercise, therefore they are not supposed to be 100% accurate, but the aim is to provide the same vulnerability and exploitation methods.

Disclaimer

¯\_(ツ)_/¯ It worked on my machine ¯\_(ツ)_/¯
...but I'm open to receiving suggestions for improvement.

Shame on me note

For some reason I do not recall, I used PHP for this project... Probably because it was easy to get vulnerable code with it or because I had too much spare time.

Web Challenges from Reply in 2018

The descriptions below are based on how the challenges were solved by the team; therefore there may be other solutions and vulnerabilities that I am not aware of, or additional vulnerabilities may have been introduced without my noticing them.

00 - CaptchaFlag

A simple puzzle on HTML source code and base64 encodings.

01 - BeautyScript

A challenge about JavaScript deobfuscation and ciphering.
Kudos to @gx1 for solving this (https://github.com/giper45)

02 - XMLExternalFlag

A challenge about XXE and command injection vulnerabilities.
Kudos to @gx1 for helping me with the XXE attack (https://github.com/giper45)

03 - Secret Keeper

A challenge about hard-filtered SQL injection vulnerabilities.

04 - Ouch, my backup

A challenge about path traversal vulnerabilities.
I did not replicate this one, but I do not remember why.
@Reply: If you ever happen to see this, please give me a sandbox of this challenge so that I can create its replica :)

thedead@asian:~$ whoami

Andrea Lamonato
System Security Specialist & SSRI Student

Github:   https://github.com/LamonatoAndrea
Linkedin: https://www.linkedin.com/in/andrea-lamonato/


Hobbies list as of today:
	➤ Automate boring stuffs   ⌨	Code everything!
	➤ Capture The Flag         ⚑	Thank you #ReplyChallenges
	➤ Counter-attack attackers ✉	I love Spammers ♥
	➤ Enthusiasm               ヅ   Share the 2020 mood
	➤ Music                    ♪	I play Guitar \m/...(>.<)...\m/
	➤ Networks                 ␖	Trying to turn my home into a datacenter
	➤ Sports                   ⚽	Currently learning skate!


Repository shared in honor of a sentence from a friend: "compartir es vivir"
