YesWeHack

Challenges:

Sqlite3
Dojo #6
The admin password had leaked. Everybody is puzzled, as they thought this SQLite database's inputs were properly sanitized.

Later we had contact with the hacker responsible for the breach, so we asked him how he had been able to pull this password.

He replied: "NO COMMENTS, NO PROBLEMS"

Will you be 197 enough to build a working injection to recover the admin password from the users table?
### Goal:
- Get the password of the user named `admin`
- Single Query (not blind)
Last Update: 2/26/2024, 1:27 PM
Sqlite3
Dojo #16
# Blind SQL Injection hardstuck in the LIMIT statement - DOJO #16 (Until 01/04/2022)
Submit your solution [HERE](https://yeswehack.com/programs/dojo) for a chance to win an exclusive swag pack! :D
## Description
This code runs a SQL statement where it collects some data from the table `users` with a `LIMIT` statement that is controlled by user input. *What can go wrong* ?! :)

...

Most of the time when you're able to inject a value inside the `LIMIT` statement, the backend code checks if the user input is an (int) type. Ex: `(int) LIMIT = $nr`. This makes it a lot harder to exploit.

Does this code really filter the user input to (int) type values? ;)
## Hint
* Space is almost never needed when you've got a keyboard full of special chars anyway. You will be surprised how much you can do with the "*limitation*" you're facing.

*Be creative, you're a hacker, aren't you?*

Use this when you're stuck! [- -Help](https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html) [- -Execute](http://asciivalue.com/)

**Links**
* [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection) - **OWASP, "SQL Injection"**
* [https://portswigger.net/web-security/sql-injection/cheat-sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet) - **Portswigger, "SQL injection cheat sheet"**
* [https://www.sqlite.org/docs.html](https://www.sqlite.org/docs.html) - **Sqlite, "SQLite Documentation"**
## Goal
- Get the `password` from the admin user who has the `id = 1`
## Rules
- BruteForce is **NOT** allowed.
Last Update: 2/26/2024, 11:26 AM
Sqlite3
Dojo #21
# EvilTwin-Admin - DOJO #21 (Until 10/02/2023)
## Hint
~ One has to be the first, right? :)

[**- -Documentation**](https://www.sqlite.org/docs.html) [**- -Help**](https://www.sqlitetutorial.net/sqlite-string-functions/) [**- -SuperHint**](https://sqlite.org/forum/forume2?fpid=79dc039e21)
## GOAL
> BRUTE FORCE IS NOT ALLOWED!

The valid solutions for the `SQL Logic Vulnerability` must meet this requirement:
- The SQL result should show `your newly created user` instead of the user `admin`.
- Your user __must__ be the only user inside the `===(RESULT)==` result.

(*"ERROR": "SqliteError: unrecognized token: \"x'$passwd'\"" is **not** a challenge error*)

---
## Story time
[DOJO #19...](https://dojo-yeswehack.com/practice/f79d5c5050e2)

Developer Jeff returned to the office on Monday after a long weekend of partying and beer. He still has a hangover, but he was strong and managed to secure the SQL statement (*The database only leaked 62 times*.) From now on, Jeff doesn't trust user input and limited the administrator access to **one** employee only.
Last Update: 2/26/2024, 11:25 AM
Sqlite3
Dojo #19
# The not so limited blind SQL injection - DOJO #19 (Until 01/12/2022)
## Hint
~ *Sometimes the selected column quantity does not limit the injection output!*

*psssst* *The password is in a `FLAG{}` format!*

[**- -Help**](https://portswigger.net/web-security/sql-injection/cheat-sheet)
## GOAL
> BRUTE FORCE IS NOT ALLOWED!

The valid solution for the **SQL injection** must meet these requirements:
- **Be able to extract the `email` and `password` for the user `admin`.**
- **The SQL injection should output the data to the screen! ;)**
### Example output:
Email: `AdminName@yeswehack.com`

Password: `FLAG{_Pa$$w0rd123_}`

---
## Story time
Developer Jeff rushed to make an SQL statement before the Friday beer! He left the office early and forgot that the newly written SQL code was public. This will be more than just a bad hangover for Jeff!
Last Update: 2/26/2024, 11:10 AM
Sqlite3
Dojo #26
# SQLovin - DOJO #26 (Until 01/09/2023)
**How to submit your report**
1. Visit the DOJO program at https://yeswehack.com/programs/dojo
2. Click on Submit report
3. Login or create your account
4. Submit your report

---
## Hint
~ *This challenge relies a lot on creativity, SQLite(true+true+true) functions are a big advantage!*

[**- -Help**](https://www.sqlite.org/lang_corefunc.html)
## GOAL
> BRUTE FORCE IS NOT ALLOWED!

### The valid solution to the challenge must meet these requirements:
1. Perform a SQL injection that changes the email address `CatchMe@gmail.com` to `McLovin@gmail.com` for the fake McLovin user!
2. The report **MUST** include `your payload` and a `proof of concept (*image*)` that the email has been changed by your payload.
Last Update: 2/26/2024, 10:52 AM
Xss
Dojo #3
### Adult website
This adult website contains explicit pictures behind a strong identity check. Can you find the XSS?

Goal: `alert(window.name)`
Last Update: 2/26/2024, 10:43 AM
Xss
Dojo #5
### Adult website
This adult website contains explicit pictures behind a strong identity check. Because of a previous XSS exploit, the admin updated the security. Are you still able to exploit the XSS?

Goal: `alert(window.name)`
Last Update: 2/26/2024, 10:42 AM
Xss
Dojo #13
# \_\_proto\_\_ without \_\_proto\_\_ - DOJO #13
## CHALL
- _We all know how prototype works, but, is this really a proto here?_
## GOAL
- Find a way to execute your payload in the _$config_ parameter and pop an alert().

**BRUTE FORCE IS NOT ALLOWED**
Last Update: 2/26/2024, 10:42 AM
Xss
Dojo #7
## WAF WAF - DOJO #7
_EvilCorp2.0 has developed a new "oversecurednextgen WAF" to prevent a malicious script from being executed. They think this WAF can block every payload to avoid XSS._

Do you think you can find a way to bypass this WAF?

**BRUTEFORCE IS NOT ALLOWED**
Last Update: 2/26/2024, 10:42 AM
Xss
Dojo #12
# EVENTTARGET IS EVERYWHERE - DOJO #12
## Chall
_If only it were possible to use the password field to get the FLAG..._
## GOAL
- Trigger the right EventTarget to obtain the secret FLAG.

**BRUTE FORCE IS NOT ALLOWED**
Last Update: 2/26/2024, 10:41 AM
Xss
Dojo #14
# BUBBLE HOISTING - DOJO #14 (Until 22/10/2021)
## CHALL
- Do you know how _Hoisting_ works?
## HINT
- [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)
## GOAL
- Find a way to get the FLAG{}.

**BRUTE FORCE IS NOT ALLOWED**

_This DOJO was created by a community member! Want to create your own and publish it here? Send us a message on [Twitter](https://twitter.com/yeswehack)!_
Last Update: 2/26/2024, 10:41 AM
Xss
Dojo #15
# Web Application Firewall bypass - DOJO #15 (Until 25/02/2022)
## HINT
It's good to have an understanding of how firewalls and browsers handle user input!
* [https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf](https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf) - "Cloudflare", What is a WAF?
* [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions) - "Mozilla", Regular expressions
* [https://portswigger.net/research/xss-without-parentheses-and-semi-colons](https://portswigger.net/research/xss-without-parentheses-and-semi-colons) - "Gareth Heyes", XSS without parentheses and semi-colons
## CHALL
* Tell me a WAF that has never been bypassed..?
## GOAL
### Find a way to inject JavaScript and change the value of "settings.user" to "Admin".
* BRUTE FORCE IS NOT ALLOWED!

**The valid solutions for the *Cross site scripting* (XSS) payload should meet all these requirements**
* Be able to break out of the "**alt**" and execute JavaScript.
* Change the value of the JavaScript variable "**settings.user**" to "Admin".
* Output the changed value of "**settings.user**" as a JavaScript *alert*/*popup display* **or** inside the developer console in your browser. It's **NOT** valid if it's outputted in the HTML source code. Just to make it a bit harder! ;)
## To verify the value changed correctly
If you're unsure whether your payload changed the variable "settings.user", uncomment the HTML code at the bottom to check! Click the "pen icon" to the left to be able to uncomment.

If **your** output of the value (*alert*/*console*) is "**Admin**" and the last alert you uncommented also outputs "**Admin**", you have solved the challenge!

---
## Story time
Brumens just got hired at EvilCorp as a tester. His first task was to set up the web application firewall (WAF). He began to configure the firewall to filter every kind of user input. He was too lazy to actually add some filter to the backend. He thought it was good enough to just have a firewall. In the middle of the process he spilled his coffee on the keyboard by mistake and forgot to do the configuration properly. Luckily Tyrell wasn't at the office...

~ So if you exploit this XSS bug. Don't report it to Tyrell. I probably get fired! :P
### I wish you luck! /*Brumens*
_This DOJO was created by a community member! Want to create your own and publish it here? Send us a message on [Twitter](https://twitter.com/yeswehack)!_
Last Update: 2/26/2024, 10:40 AM
Xss
Dojo #17
# XSS that won't listen - DOJO #17 _LeHack edition_ (Until 10/06/2022)
_This is a special DOJO challenge for "Le Hack", one of the biggest hack events from 24 to 25 June 2022, with a Live Bug Bounty on site_
- 5 tickets to be won (transport and accommodation not included)
- Make sure you can come to LeHack by your own means
### Submit your solution here: [yeswehack.com/programs/dojo](https://yeswehack.com/programs/dojo)
## Description
This code runs JavaScript inside a script that crafts a "secret" variable.

Use this when you're stuck! [- -Help](https://blog.logrocket.com/how-browser-rendering-works-behind-scenes/)

**Links**
* [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/) - **OWASP, "Cross Site Scripting (XSS)"**
* [https://www.w3schools.com/tags/tag_script.asp](https://www.w3schools.com/tags/tag_script.asp) - **W3schools., "HTML <script> Tag"**
## Goal
Execute Javascript (XSS) and alert (popup) the value of the original variable `secret`.

**Requirement for a valid solve:**
* Alert (popup) the *value* of the original variable `secret`
## Rules
[ **!** ] BruteForce/Scanners is **NOT** allowed

[ **!** ] Do **NOT** create any new variable of any kind. The original variable **secret** should only be used in your payload.

~ Good Luck!
Last Update: 2/26/2024, 10:40 AM
Xss
Dojo #18
# Web Application Firewall bypass - DOJO #18 (Until 31/10/2022)
## HINT
It's good to have an understanding of how a web application firewall works
- [What is a WAF](https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/)
## GOAL
### Find a way to inject JavaScript and make the `system.Running` continue running the program `fsociety00.dat` without getting a health warning!
* BRUTE FORCE IS NOT ALLOWED!

**The valid solutions for the *Cross site scripting* (XSS) payload should meet all these requirements**
* Be able to execute custom Javascript code.
* Make the `system.Running` keep running `fsociety00.dat` with `Health: OK`

When the challenge is solved, a pop-up message on the screen will let you know you solved it!

---
## Story time
E-Corp has been hacked. The server detected that an unknown file was running and gave a security warning! Elliot gained access to the server and is working on a solution. He discovered the malicious file "fsociety00.dat" running in the background, keep or delete?
Last Update: 2/26/2024, 10:40 AM
Xss
Dojo #22
# DOM XSS Clobbering - Butters Adventure v2 - DOJO #22 (Until 01/04/2023)
~ *DOM clobbering can be very effective against JavaScript!* ;)
## How to submit your solution?
1. Go on https://yeswehack.com/programs/dojo
2. Click on Submit report
3. Login or create your account
4. Submit your report
## Hint
What is a Document Object Model (DOM) Clobbering? [**- -learn**](https://portswigger.net/web-security/dom-based/dom-clobbering) [**- -help**](https://portswigger.net/research/dom-clobbering-strikes-back)

The write-up for the first *Butters Adventure* (DOJO #20) can be found [here](https://blog.yeswehack.com/dojo/dojo-challenge-20-winners/)
## Rules
You must **ONLY** use the following HTML tags `<a>`, `<div>`, `<img>`, `<svg>`, `<input>`, `<button>`.

> `BRUTE FORCE IS NOT ALLOWED!`

## Goal
The valid solution for this DOM XSS Clobbering **must meet this requirement**:
- **Make a valid XSS Clobbering that somehow triggers the `catch(e){...}` code line.**

(*You will receive an alert when you have solved the challenge!*)
# Story time
[DOJO #20](https://dojo-yeswehack.com/practice/ca271cf752e3)...

Cartman and Butters almost managed to escape from the virtual reality, but they got stuck and couldn't delete the system that kept them trapped in the virtual reality. Time is running out... Don't let Butters get grounded!

\~ *Oh double hamburgers! / Butters*
Last Update: 2/26/2024, 10:39 AM
Xss
Dojo #23
# 5Ways2XSS - DOJO #23 (Until 11/05/2023)
## Hint
Focus on one XSS section at a time to avoid headaches! ;)

*Also...* forward slashes (`/`) are your best friend, who even needs spaces these days...?

[**- -Help**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)
## Rules **(README)**
> BRUTE FORCE IS NOT ALLOWED!

A valid solution must fulfil all these requirements:

**Input rules for each section:**
- [ ] (1) - Classic XSS by using HTML tags
- [ ] (2) - Perform an XSS by staying `inside the original <script> tags`
- [ ] (3) - XSS inside the 'src' value `Don't break out of the quotes`
- [ ] (4) - XSS inside the '<XSS>' tag `Don't create a new HTML tag or break the original one`
- [ ] (5) - Execute a [DOM XSS](https://portswigger.net/web-security/cross-site-scripting/dom-based) by staying **inside the input value** `Don't break out of the quotes`
## GOAL
**Follow the rules** and write a single XSS payload that executes on all five different inputs (**$xss**)
## Tips
The [Browser console](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/Tools_and_setup/What_are_browser_developer_tools) will be useful, especially the console tab. Use it to track your progress!

Use the JavaScript function `console.log()` instead of `alert()` and log the input section number you are testing.

**Example:**
> \$xss section (1) -> console.log(1)
> \$xss section (2) -> console.log(2)

etc...

---
## Story time
No story this time, it's time for you to create an **amazing XSS payload!**
Last Update: 2/26/2024, 10:39 AM
Xss
Dojo #24
# Cipher - DOJO #24 (Until 17/06/2023)
**How to submit your solution?**
1) Visit the DOJO program at [https://yeswehack.com/programs/dojo](https://yeswehack.com/programs/dojo)
2) Click on *Submit report*
3) Login or create your account
4) Submit your report
## Hint
~ *"The allowed list looks interesting!"*

[- -Help](https://www.tutorialspoint.com/cryptography_with_python/cryptography_with_python_multiplicative_cipher.htm)
## Rules
BRUTE FORCE IS NOT ALLOWED!

**A valid solution must fulfill all these requirements:**
- [ ] **Be able to understand the JavaScript code**
- [ ] **Show how you were able to decode the cipher (*example: share a script that you have written*)**
- [ ] **Include the decoded cipher in the report**
## GOAL
Decode the [cipher](https://en.wikipedia.org/wiki/Cipher) by analyzing the JavaScript code and understanding how it encrypts its input!

**Cipher to decode :** `x1VXnQiR1hTPX1lR98WXhYkU51EJX1VOxUVXdN2cJdDb`
### Tips
The cipher has the format: `FLAG{...}`
Last Update: 2/26/2024, 10:39 AM
Xss
Dojo #25
# RootCSS - DOJO #25 (Until 22/07/2023)
### How to submit your solution?
1. Visit the DOJO program at https://yeswehack.com/programs/dojo
2. Click on Submit report
3. Login or create your account
4. Submit your report

---
## Description
Don't underestimate the power of CSS. It may seem to be very limited, but CSS also offers a lot of functionality because it can interact with the [**D**ocument **O**bject **M**odel](https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction) (DOM). A CSS injection can therefore perform various attacks such as reading values in HTML attributes, reading keystrokes in user input sections or performing a request to the attacker's server by using functions such as **[url()](https://developer.mozilla.org/en-US/docs/Web/CSS/url)**.
## Hint
~ *CSS is very important!*

[**- -Help**](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle) [**- -CSS**](https://developer.mozilla.org/en-US/docs/Learn/CSS/First_steps/How_CSS_works)
## GOAL
> `BRUTE FORCE IS NOT ALLOWED!`

### The valid solution for this challenge must meet these requirements:
1. Use CSS code to manipulate the page to execute a **[Cross Site Scripting](https://owasp.org/www-community/attacks/xss/)** (XSS) that you created.
2. The report should include your CSS code and also proof that the CSS code made it possible to perform an XSS.
Last Update: 2/26/2024, 10:38 AM
Xss
Dojo #27
# WhazzUP - DOJO #27 (Until 07/10/2023)
**How to submit your report**
1. Visit the DOJO program at https://yeswehack.com/programs/dojo
2. Click on Submit report
3. Login or create an account
4. Submit your report
## Win The Swag
**Be Aware** : This DOJO challenge must be active (*see end date in the title*)

The three best reports with a valid solution will win a swag pack. This is based on the following:
- Report quality
- That the solution is valid
- The submitted report contains all the necessary requirements (*see section: **GOAL***)

---
# Description
You used your full name for your newly created account and the developer of the website welcomes you by making your full name more noticeable to you. Nothing can go wrong with that!

*Forget what I said, it's written in JavaScript.*
## Hint
~ *Injection vulnerabilities that benefit from a normalization are clearly the best ones!*

[**- - help**](#CouldThereBeMore:'\u017F'.toUpperCase()) [**- - emergency-hint**](#WhenIsTheLengthDefined?)
## GOAL
> BRUTE FORCE IS NOT ALLOWED!

### The valid solutions for the challenge must meet these requirements:
- Exploit the [Cross Site Scripting](https://owasp.org/www-community/attacks/xss/) (XSS) vulnerability
- Include your XSS payload and a proof of concept of your solution in the report
Last Update: 2/26/2024, 10:38 AM
Xss
Dojo #29
# SPECIAL #YWHAdventCalendar DOJO CHALLENGE!
## SantaLock - Dojo #29 (Until 01/01/2024)
**How to submit your report**
1. Visit the Dojo program at [https://yeswehack.com/programs/dojo](https://yeswehack.com/programs/dojo)
2. Click on **submit report**
3. Login or create your account
4. Submit your report

---
## Description
It's Christmas, and in a whirlwind of festive activity, Santa has misplaced the key to the digital safe containing the Christmas presents! Can you pick the lock and extract the flag in time to save Christmas?
## Hint
~ _If only there was a website with a database that has already done the hard work for you..._

[**- - help**](https://en.wikipedia.org/wiki/XOR_cipher) [**- - what-is-md5**](https://en.wikipedia.org/wiki/MD5) [**- - emergency-help**](#WhatIfTheFunctionIsATwo-In-One)
## GOAL
**Note** : The flag is in the format `FLAG{...}`.

> BRUTE FORCE IS NOT ALLOWED! (*Applies only to the Dojo challenge page itself*)

### A valid solution for the challenge must meet these requirements:
- Demonstrate how you found/cracked the MD5 hash key ($KEY value)
- Your report **MUST** include a proof of concept (PoC) on how you were able to get the flag
- The report **MUST** include the flag itself

---
![](https://media1.giphy.com/media/xT5LMCbUFjKimj9zIA/giphy.gif)
Last Update: 2/26/2024, 10:38 AM
Xss
Dojo #20
# DOM XSS - Butters Adventure - DOJO #20 (Until 05/01/2023)
## How to submit your solution?
1. Go on [**yeswehack.com/programs/dojo**](https://yeswehack.com/programs/dojo)
2. Click on **Submit report**
3. Login or create your account
4. Submit your report
## Hint
~ *Do you read our [posts](https://blog.yeswehack.com/category/yeswerhackers/)?* ;)

You can always use the **development console** in your browser to see logs/info! (*Firefox key:* `F12`)

What is a **D**ocument **O**bject **M**odel ([DOM](https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction)) and [DOM XSS](https://portswigger.net/web-security/cross-site-scripting/dom-based)? [**- -Learn**](https://dojo-yeswehack.com/XSS/Theory)

[**- -SuperHint**](https://www.ascii-code.com/) (*Last hint*)
## GOAL
> BRUTE FORCE IS NOT ALLOWED!

The valid solutions for the **DOM XSS** must meet this requirement:
- Execute a `DOM XSS` from `$cmd`
- Be logged in as `cartman`
- Change Butters connection to `offline`

---
## Story time
Butters is stuck in the world of VR and there's only one way out. He has to go offline! Cartman has a registered account and tries to get Butters back, but he can't escape the filter. Butters must get out before he gets grounded!!

*Oh hamburgers...*
Last Update: 2/26/2024, 10:38 AM
Velocity
Dojo #28
# Temple - DOJO #28 (Until 13/11/2023)
**How to submit your report**
1. Visit the DOJO program at https://yeswehack.com/programs/dojo
2. Click on **submit report**
3. Login or create your account
4. Submit your report

---
## Description
This time we try to keep the challenge more beginner friendly! Let's be creative, bypass some filters and get a [remote code execution (RCE)](https://www.cloudflare.com/learning/security/what-is-remote-code-execution/), shall we?
## Hint
~ *A real hacker knows how to use Google properly*

[**- - help**](https://velocity.apache.org/engine/1.7/user-guide.html) [**- -help-Regex**](https://regexr.com/)
## GOAL
> BRUTE FORCE IS NOT ALLOWED!

> Please, do not execute unnecessary system commands on the test system.

### A valid solution for the challenge must meet these requirements:
- Perform a successful [Server-Side Template Injection (SSTI)](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection) that can execute system commands on the system.
- Your report **MUST** include a proof of concept (POC) showing that your payload can execute a system command. Some good commands to use as a POC are the following: `id`, `whoami`, `ls /`, `uname -a`, `groups`

~ *It is always useful to include an image of the result your payload provided*

![](https://media0.giphy.com/media/ZZUGIzpI5aFpszJz4s/giphy.gif)
Last Update: 1/18/2024, 2:29 PM
MongoDB
Dojo #11
# YOU'RE NOT ADMIN - DOJO #11
## Chall
_You have just discovered a tool to read user information. Unfortunately for you, several filters have been set up to prevent the extraction of admin information. Can you find a way to disclose the password of the user "admin"?_
## GOAL
- Retrieve the password of the account name called "admin"

**BRUTE FORCE IS NOT ALLOWED**
Last Update: 1/17/2024, 3:53 PM
Node.js
Dojo #10
# MIRRØRRIM - DOJO #10
## Chall
_A palindrome is a word, number, phrase, or other sequence of characters which reads the same backward as forward, such as madam or racecar. There are also numeric palindromes, including date/time stamps using short digits 11/11/11 11:11 and long digits 02/02/2020. Sentence-length palindromes ignore capitalization, punctuation, and word boundaries._
## Goal
Find a way to get the FLAG

**BRUTEFORCE IS NOT ALLOWED**
Last Update: 1/17/2024, 3:53 PM
Node.js
Dojo #9
# YOU C~~S~~HALL NOT PASS (THE COMEBACK) - DOJO #9
## Chall
_EvilCorp2.0 has received your security reports and has therefore decided to revise its script by adding new SSRF protections. Would you be able to recover the secret?_

If you find a way to get (again) the secret using this script, let us know!
## Goal
Find a way to bypass all security mechanisms to retrieve the `/secret`.

**BRUTEFORCE IS NOT ALLOWED**
Last Update: 1/17/2024, 3:53 PM
Node.js
Dojo #8
# YOU C~~S~~HALL NOT PASS - DOJO #8
## Chall
_EvilCorp2.0 has a script to check the current state of an internal service. They want to make sure that this script, with all its security, cannot be used to retrieve the **secret** path.._

If you find a way to get the secret using this script, let us know!
## Goal
Find a way to bypass all security mechanisms to retrieve the `/secret`.

**BRUTEFORCE IS NOT ALLOWED**
Last Update: 1/17/2024, 3:53 PM
Xpath
Dojo #4
### Obfuscated code
The admin loves to use obfuscated queries, but you want to prove to him that security through obscurity is not failproof.

We know that a valid serial number is in the form `0000-0000-0000-0000`

There are 7 valid serials for this XPATH query

**BRUTEFORCE IS NOT ALLOWED**
### Goal
- Find the 7 `$serial` that output `Access granted!`
- Submit your writeup report to the program, including details on how you reversed the code.
Last Update: 1/17/2024, 3:52 PM
Sqlite3
Dojo #2
## Challenge
### The admin of this website made a GDPR form, but he doesn't reply to any complaints.
Show the **admin** how you can leak information about users by stealing his **username** and **password**.
## Goal
Recover the admin information in a single query, the output **must** look like this text: `admin:<email>:<password>`

Submit your working $mail payload string in your report on the [DOJO PROGRAM](https://yeswehack.com/programs/dojo).
Last Update: 1/17/2024, 3:29 PM
Sqlite3
Dojo #1
Can you recover the admin password?
Last Update: 1/17/2024, 3:28 PM
Sqlite3
No LIMIT
### Limiting the query
This query should give us any password, but the limit 0 prevents it. Can you bypass it?
#### Goal: recover the admin password
Last Update: 1/17/2024, 2:59 PM
Sqlite3
Filter bypass
### Some filter away from SQL injection
Here your input is heavily transformed before being injected into the query. While this makes the exploitation more difficult, this shouldn't stop you.
#### Goal: recover the admin password
Last Update: 1/17/2024, 2:59 PM
Sqlite3
Exploration
### Spelunking the internals
Now that you are able to recover any data, try to explore the database. There is a hidden table containing a flag, can you find where it is?
#### Goal: recover the flag from the hidden table.
Last Update: 1/17/2024, 2:59 PM
Sqlite3
Injection in INSERT
### Inserting payloads
Sometimes the injection can occur in an INSERT statement.
#### Goal: recover the admin password.
Last Update: 1/17/2024, 2:59 PM
Sqlite3
Simple Login Bypass
### The most Basic SQL injection ever
Try to find a way to login as the admin.
#### Goal: `is_valid_password = 1`
Last Update: 1/17/2024, 2:59 PM
Sqlite3
First exfiltration
### Time to recover some data
Bypassing a password check is nice, but being able to read arbitrary data is better. Try to get the admin password.
#### Goal: recover the admin password
Last Update: 1/17/2024, 2:59 PM
Freemarker
Command execution with constraints
Following the example of the training payload [Command execution](/challenge/play/c2f1614b-514e-4b45-87a8-d23adf223bb1), you have to find a way to execute the same payload but without `.`, `)` and `(`.
#### Goal: Execute the `id` shell command
Last Update: 11/9/2023, 10:28 AM
Freemarker
Playing with built-in variables
Try to find the used version of Freemarker.
#### Goal: Leak Freemarker version
Last Update: 11/9/2023, 10:27 AM
Freemarker
Command execution
Thanks to some features of Freemarker, it is possible to execute shell commands.
#### Goal: Execute the `id` shell command
Last Update: 11/9/2023, 10:27 AM
Freemarker
Read a file
If you have done the [Command execution](/SSTI-Freemarker/Training/Command-execution) challenge, you know how to execute shell commands. Use this knowledge to find and read the secret file that hides in the directories.
#### Goal: Read secret file.
Last Update: 11/9/2023, 10:26 AM
Freemarker
Find the secret variable
A secret variable has been introduced in the template, it can be used anywhere in the template.
#### Goal: Print secret variable
Last Update: 11/9/2023, 10:23 AM
Xpath
Merging nodes
### Full exfiltration
XPATH also allows you to merge multiple sets of nodes. Use this feature to get the full database.
#### Goal: Get the full database
Last Update: 11/8/2023, 12:33 PM
Xpath
Attributes
### XPATH is not only texts
With XPATH you can also query attributes. In this XML database the role of a user is stored as an attribute on the `user` node. Try to find the user with `role="ADMIN"` and get its password.
#### Goal: find the admin and leak its password
Last Update: 11/8/2023, 12:29 PM
Xpath
Going up
### Time to read some data
Here we have a query that allows fetching any information about the address of a user. Try with username = admin and node set to one of [city, street, number, country, postalcode]
#### Goal: leak the admin password
Last Update: 11/8/2023, 12:15 PM
Xpath
Simple Login Bypass
Try to find a way to login as the admin.
#### Goal: the query must return `true`
Last Update: 11/8/2023, 12:09 PM
Xpath
Schema recovery
### select * from information_schema.xml
Can you exfiltrate the full XML structure with only a blind Xpath injection?
#### Goal: find the hidden node starting with `FLAG-`
The format is `FLAG-\d+`
Last Update: 11/8/2023, 12:08 PM
MongoDB
Simple injection
### The most Basic Mongo injection ever
Try to find a way to login as admin.
Last Update: 11/7/2023, 2:54 PM
MongoDB
First Exfiltration
### Retrieving data
Now that you have an oracle on the database, try to recover the admin password.
#### Goal: find the admin password
The flag uses the following format: `FLAG\{\d+\}`
Last Update: 11/7/2023, 2:51 PM
MongoDB
Injection in insert
### Modifying the collection
This time the injection point is in an insert statement. Try to inject an extra field in your mailing list entry.
#### Goal: Insert an entry with `{"HACK": "YesWeHack"}`
Last Update: 11/7/2023, 2:40 PM
Xss
Simple XSS
### #noFilter
Try to inject some JavaScript in this simple webpage.

Goal: `alert(name)`
Last Update: 11/7/2023, 2:10 PM
Xss
InnerHTML
### No script allowed
`<script></script>` script tags do not work when added via innerHTML, can you find another way to trigger an XSS?

Goal: `alert(flag)`
Last Update: 11/7/2023, 2:09 PM
Xss
JS urls
### A link to the flag
Can you spot the XSS here?

Goal: `alert(flag)` when the victim clicks the link
Last Update: 11/7/2023, 2:08 PM
Xss
HTML parser
### JS context
Is this protection enough to protect you against XSS?
##### spoiler: it's not
Goal: `alert(flag)`
Last Update: 11/7/2023, 2:07 PM
Xss
Eventless
## Another way
This time both "script" and JavaScript events are blacklisted. But there is still another way to trigger JS execution.

Goal: `alert(flag)`
Last Update: 11/7/2023, 2:07 PM
Xss
Prototype Pollution
## Proto merging
This is a classic prototype pollution example, can you exploit it?

Goal: `alert(flag)`
Last Update: 11/7/2023, 2:04 PM