Every CTF machine is a unique experience, and it’s important to write down what impressed you and the reason why you f*&k up, so you become a better CTF player. This note page only serves to refresh my memory, so I don’t care about the readability.

  1. Request Content-Type
  2. sqlmap with set-cookie response page
  3. Docker Container Breakout
  4. Bash script command injection mind
  5. Linux Privilege Escalation Common Attempts
  6. One Line Reverse Shell and Interactive Shell
  7. Tricks and Common Sense

Request Content-Type

Most of the time, CTF machines will be set up to give you a hint on how to proceed. For example:

Here the “message” in the server’s response said “Invalid content type.” That means two things:

  1. The Content-Type header in the request is wrong.
  2. The right one should be JSON, as the server is responding with a JSON object.

So, we need to set the Content-Type on the request side to:

  1. Content-Type: application/json

sqlmap with set-cookie response page

So, suppose every time you visit a page, no matter which directory you go to, it always sets a new cookie for you, which makes brute forcing more difficult. To make sqlmap work in this case, we’ll need to save the request first.

This is a POST request. Before we right-click to save the page, we first update its Cookie from the response (copy and paste is fine). Then use the -r flag in sqlmap:

sqlmap -r send_post -p email --method POST --dbs --batch --level 3

Docker Container Breakout

I’ve experienced quite a few Docker containers as the initial foothold; it sucks after spending so long to get the foothold and yet realizing that I am in Docker. Then I’ll try to look it up on https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation, and 99% of the time it doesn’t help.

But I do find one formula surprisingly effective: find the SSH credentials, either a password or private keys.

Bash script command injection mind

The key to injecting a command

Linux Privilege Escalation Common Attempts

  1. Look for SUID/SGID bits
    • find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
  2. If we can change the permissions of a copy of /bin/bash
    • cp /bin/bash /tmp/bash; chmod 6777 /tmp/bash; /tmp/bash -p
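The defender's view of the two items above, as an added example that is not from these notes: a small audit function that lists SUID/SGID files under a tree and reports the ones missing from a known-good allowlist (so a freshly dropped /tmp/bash with mode 6777 shows up immediately). The ALLOWLIST contents and the function name are assumptions.

```shell
#!/bin/sh
# audit_suid: report setuid/setgid files under a directory tree that are
# not on the allowlist. Hypothetical helper written for this note, not
# from the original page. ALLOWLIST is a constructed sample; a real one
# would be generated from a clean build of the same image.

ALLOWLIST="/usr/bin/sudo /usr/bin/passwd /usr/bin/su /usr/bin/newgrp"

# Usage: audit_suid <root-dir>
# Prints one path per line for every SUID (-4000) or SGID (-2000) regular
# file under <root-dir> that is not listed in ALLOWLIST. -xdev keeps the
# scan on one filesystem so /proc and bind mounts are not walked.
audit_suid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        case " $ALLOWLIST " in
            *" $f "*) ;;                # known-good binary, skip it
            *) printf '%s\n' "$f" ;;    # unexpected SUID/SGID file
        esac
    done
}
```

Run it as `audit_suid /` and diff the output against the previous run; any new entry under /tmp, /dev/shm or a home directory is worth a look.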

Tricks and Common Sense

  1. When you send an exploit packet and the server responds with an error, it doesn’t mean the exploit isn’t working.