Immutable PageDiscussionInfoAttachments



  1. Perhaps, what we need to do is to access to /admin/
  2. The server was Apache/2.0.65 (Unix) JRun/4.0 Server.
  3. *.jsp was forwarded to JRun server.
  4. I found a vulnerability information of JRun
  5.;.jsp was 500 Internal Server Error. It is interesting. by Apache?

  6. I tried to escape the URL for Apache; was /a and 404 Error by JRun. It is very interesting.

  7. Can I get /.htaccess or /admin/.htaccess?, Answer is no. These are blocked by Apache. We need more tricks.

  8. Then, I found that JRun recognized backslash as directory separator (for Windows?). was handled as /a by JRun.

  9. Finally, I got the /admin/.htaccess via and /admin/.htpasswd via

    AuthName "Restricted Area" 
    AuthType Basic 
    AuthUserFile /usr/local/apache2/htdocs/admin/.htpasswd 
    AuthGroupFile /dev/null 
    require valid-user
  10. Use John. The password was ktw2z.

    % john htpasswd
    ktw2z            (hitc0n_1een0de)
    guesses: 1  time: 0:00:01:13 DONE (Sat Aug 16 20:58:25 2014)  c/s: 5319K  trying: ktkcK - kk4iT
  11. There was the flag on

    The flag is HITCON{u_d0nt_f0rg3t_d0uble_3nc0ding!}

CTF/Writeup/HITCON2014/LEENODE (last edited 2014-08-19 03:06:33 by ytoku)