Challenge:
High Source
Category:
Web
Accessing the web page and immediately looking at the source we get trolled. Nothing here... But what about in the login.js source?
Oh hey, a password! Using this to login we then get our flag!
Challenge:
Cookie Duty
Category:
Web
The first page we land on gives a good hint as to what this will entail with cookies... We aren't admin, but can we become an admin by modifying the cookie? "not_admin" is set to a 1 flag, so if we modify this to a 0 we should be able to become admin.
Changing the cookie and making a GET request with Burp Suite, we trick it to thinking we are admin and get our flag!
Challenge:
Git Gud
Category:
Web
Based on the challenge description we know that the site is using Version Control Systems and the title also gives it away that we are looking for something git-related. After researching some stuff about this, it's possible to access a directory at /.git which gives all of the history info, objects, what have you.
To make this a bit easier, I just downloaded everything and used comannd line to traverse through the directories. In the master file you can see an update entry for adding a flag, and using the data on the left we can cat the info until we are able to see the past entry and get our flag!
Challenge:
Cookie Harrelson
Category:
Web
More cookies! Inspecting the response/request headers upon loading, we can see that there is a cookie being passed.
This coded in base64, and decoding it we get:
cat index.txt
Neat... so what if we just encode something like 'cat flag.txt' in base64 and swap it in? Well, this is what I did, but it wasn't as easy as that. Unfortunately when subbing in something different, the cookie gets modified and it becomes something like this:
cat index.txt #(new command here)
So we are getting filtered and need to bypass it somehow! After a lot of experimentation/trial and error, the trick here is to get a carriage return. Using Burp to decode the original cookie, modify it, and then re-encode it, we get our new cookie.
Now we can put this in the repeater and make our GET request, which gives us the flag!
Challenge:
iFrame and Shame
Category:
Web
This challenge took a bit of trial and error to solve. I started by checking for input validation in the search box by adding an " and that seemed to break the format a bit, which kind of tipped me off there may be a possibility for code injection.
After trying different things for a while, the following command worked as a test:
"; echo $(ls) #
Based on this, we just change our command to give us our flag:
"; echo $(cat flag) #
Sunday, November 26, 2017
Subscribe to:
Post Comments (Atom)
Powered by Blogger.
0 comments:
Post a Comment
Note: Only a member of this blog may post a comment.