Websec.fr Level 01

- 1 min read

level01 - 1 point - 2564 solves

We have the source code of level 1; I show only the PHP code because the vulnerability is only in the PHP code.

<?php
session_start ();

ini_set('display_errors', 'on');
ini_set('error_reporting', E_ALL);

include 'anti_csrf.php';

init_token ();

class LevelOne {
    public function doQuery($injection) {
        $pdo = new SQLite3('database.db', SQLITE3_OPEN_READONLY);
        
        $query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1';
        $getUsers = $pdo->query($query);
        $users = $getUsers->fetchArray(SQLITE3_ASSOC);

        if ($users) {
            return $users;
        }

        return false;
    }
}

if (isset ($_POST['submit']) && isset ($_POST['user_id'])) {
    check_and_refresh_token();

    $lo = new LevelOne ();
    $userDetails = $lo->doQuery ($_POST['user_id']);
}
?>

<!DOCTYPE html>
<html>
........
</html>

The problem here is this line: $query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1'; The user-supplied user_id is concatenated directly into the query, so it is a SQL injection.

Websec.fr Level 02

- 1 min read

The source code of level2 is here


<?php
ini_set('display_errors', 'on');

class LevelTwo {
    public function doQuery($injection) {
        $pdo = new SQLite3('leveltwo.db', SQLITE3_OPEN_READONLY);

        $searchWords = implode (['union', 'order', 'select', 'from', 'group', 'by'], '|');
        $injection = preg_replace ('/' . $searchWords . '/i', '', $injection);

        $query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1';
        $getUsers = $pdo->query ($query);
        $users = $getUsers->fetchArray (SQLITE3_ASSOC);

        if ($users) {
            return $users;
        }

        return false;
    }
}

if (isset ($_POST['submit']) && isset ($_POST['user_id'])) {
    $lt = new LevelTwo ();
    $userDetails = $lt->doQuery ($_POST['user_id']);
}
?>

<!DOCTYPE html>
<html>
....
</html>

We can see that these two lines are the problematic ones: every word in this dictionary is removed from the payload.

Websec.fr Level 04

For the Level 04 challenge we have two sources, here and here.

Only the PHP code is displayed here because the HTML is not important.

source1.php

<?php
include 'connect.php';

$sql = new SQL();
$sql->connect();
$sql->query = 'SELECT username FROM users WHERE id=';


if (isset ($_COOKIE['leet_hax0r'])) {
    $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r']));
    try {
        if (is_array($sess_data) && $sess_data['ip'] != $_SERVER['REMOTE_ADDR']) {
            die('CANT HACK US!!!');
        }
    } catch(Exception $e) {
        echo $e;
    }
} else {
    $cookie = base64_encode (serialize (array ( 'ip' => $_SERVER['REMOTE_ADDR']))) ;
    setcookie ('leet_hax0r', $cookie, time () + (86400 * 30));
}

if (isset ($_REQUEST['id']) && is_numeric ($_REQUEST['id'])) {
    try {
        $sql->query .= $_REQUEST['id'];
    } catch(Exception $e) {
        echo ' Invalid query';
    }
}
?>

source2.php

Websec.fr Level 08

- 1 min read

The source code of level 8 is here.

<?php
$uploadedFile = sprintf('%1$s/%2$s', '/uploads', sha1($_FILES['fileToUpload']['name']) . '.gif');
if (file_exists ($uploadedFile)) { unlink ($uploadedFile); }
if ($_FILES['fileToUpload']['size'] <= 50000) {
    if (getimagesize ($_FILES['fileToUpload']['tmp_name']) !== false) {
        if (exif_imagetype($_FILES['fileToUpload']['tmp_name']) === IMAGETYPE_GIF) {
            move_uploaded_file ($_FILES['fileToUpload']['tmp_name'], $uploadedFile);
            echo '<p class="lead">Dump of <a href="/level08' . $uploadedFile . '">'. htmlentities($_FILES['fileToUpload']['name']) . '</a>:</p>';
            echo '<pre>';
            include_once($uploadedFile);
            echo '</pre>';
            unlink($uploadedFile);
        } else { echo '<p class="text-danger">The file is not a GIF</p>'; }
    } else { echo '<p class="text-danger">The file is not an image</p>'; }
} else { echo '<p class="text-danger">The file is too big</p>'; }
?>

With this code we have two problems, and the ones that matter for the bypass are:

Websec.fr Level 17

- 2 mins read


The code of level 17 is here.

<?php
include "flag.php";

function sleep_rand() { /* I wish php5 had random_int() */
    $range = 100000;
    $bytes = (int) (log($range, 2) / 8) + 1;
    do {  /* Side effect: more random cpu cycles wasted ;) */
        $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
    } while ($rnd >= $range);
    usleep($rnd);
}
?>
<!DOCTYPE html>
<html>
.......
<?php
if (isset ($_POST['flag'])):
    sleep_rand(); /* This makes timing-attack impractical. */
?>
<br>
<div class="container">
    <div class="row">
        <?php
        if (! strcasecmp ($_POST['flag'], $flag))
            echo '<div class="alert alert-success">Here is your flag: <mark>' . $flag . '</mark>.</div>';
        else
            echo '<div class="alert alert-danger">Invalid flag, sorry.</div>';
        ?>
    </div>
</div>
<?php endif ?>
........
</html>

After reading the code we can skip the first part of the PHP code right away, because it is impossible to break the sleep_rand() function.
In the second part, the only thing that can lead to a vulnerability is strcasecmp: this function checks whether the string given in the field is the same as the flag.
Reading the PHP documentation of strcasecmp, we can read that:

From Day 0 to 0day Chapter 3

- 9 mins read


AUTOMATED VARIANT ANALYSIS

Introduction

Now that we know what source and sink analysis is, we will learn how to automate code analysis (note that how far the process can be automated depends on your code base).
We shall use two popular open-source static code analysis tools, CodeQL and Semgrep.

Abstract Syntax Trees

Modern static code analysis tools, in order to comprehend a code base better and more deeply, need to understand multiple aspects of the code and of the programming language used: the difference between a function and a variable, the use of statements, class inheritance for object-oriented languages, the exact placement of parentheses or semicolons, and so on. An AST (Abstract Syntax Tree) is a data structure: a tree that models the syntax of a programming language.
An AST represents the syntactic structure of a program, and it is used in many other things; for example, compilers use ASTs, like Clang for C/C++, Babel for JavaScript, and the built-in ast module for Python. Speaking of the ast module, we can use it to see what an AST looks like.

Whoami

- 1 min read

I’m Ted “Tedsig42” Regis Kouhouenou, a young Cybersecurity Enthusiast, CTF player, music lover, drawer.
I spend some of my free time on Web Security Research.
I also make some contributions to Open Source projects like Exegol, The Hacker Recipes and Payload all the things.
I play CTF and collaborate with @TheBugsReapers Vulnerability Researcher / Bug Hunter team.
I strive to provide as much information as I can about what I have learned on my blog tedsig42.re, which encompasses CTF writeups, research projects, and more.

From Day 0 to 0day Chapter 2

Tedsig42 - 23 mins read


MAPPING CODE TO ATTACK SURFACE

Once we know where we are, then the world becomes as narrow as a map.
When we don’t know, the world feels unlimited. - Liu Cixin, The Dark Forest

Introduction

The attack surface (the potential entry points for exploiting a vulnerability) often grows together with the complexity of software.
Vulnerabilities are bound to be introduced, as developers’ capacity to properly secure these features is limited and mistakes are inevitable when dealing with millions of lines of code.
Minor issues can be chained together into far more serious vulnerabilities.

From Day 0 to 0day Chapter 1

Tedsig42 - 20 mins read


Introduction

Taint Analysis

Life is not like water. Things in life don’t necessarily flow over the shortest possible route. - Haruki Murakami, 1Q84

Taint analysis (or source and sink analysis) is the analysis of the flow of input through a program from sources to sinks.

It relies on a simple idea: a large number of vulnerabilities occur because attacker controlled input (the source) flows to a dangerous function (the sink). If the input modifies other variables along the way, these variables become “tainted” and are included in the analysis.

From Day 0 to 0day Chapter 0

Tedsig42 - 10 mins read

Hi everyone, this is the first series of my notes and my recap of the awesome/incredible book From Day Zero to Zero Day, written by Eugene “Spaceraccoon” Lim, a security researcher and white-hat hacker.

He learned rapidly because his first training was in how to learn. - Frank Herbert, Dune.

With the number of discovered and exploited zero days constantly growing, vulnerability research, or the process of analyzing systems for new vulnerabilities, has assumed a critical role in cybersecurity.