After Width: | Height: | Size: 16 KiB |
@ -0,0 +1,28 @@ |
|||
## Cascade |
|||
The main idea finding the flag is just viewing the page source. |
|||
|
|||
#### Step-1: |
|||
After I visited the URL: http://chall.csivit.com:30203, this web page was shown: |
|||
|
|||
<img src="Web1.png"> |
|||
|
|||
|
|||
#### Step-2: |
|||
|
|||
I tried all `/robots.txt`, `/flag.txt` or any access to tiny server by `//`. Also by visiting both given links, didn't give any flags. |
|||
|
|||
#### Step-3: |
|||
Now, I searched for page source, and got this web page. |
|||
|
|||
<img src="Web2.png"> |
|||
|
|||
I explored for `/static/style.css`. |
|||
|
|||
#### Step-4: |
|||
<img src="Flag.png"> |
|||
|
|||
Voila! I got the flag. |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{w3lc0me_t0_csictf}` |
After Width: | Height: | Size: 48 KiB |
After Width: | Height: | Size: 44 KiB |
After Width: | Height: | Size: 5.5 KiB |
@ -0,0 +1,28 @@ |
|||
## Mr Rami |
|||
The main idea finding the flag is accessing dormant sub domains of the site. |
|||
|
|||
#### Step-1: |
|||
After I visited the URL: [http://chall.csivit.com:30231](http://chall.csivit.com:30231), this web page was shown: |
|||
|
|||
<img src="Web1.png"> |
|||
|
|||
|
|||
#### Step-2: |
|||
|
|||
I tried http://chall.csivit.com:30231/robots.txt and I got this: |
|||
|
|||
<img src="Robots.png"> |
|||
|
|||
#### Step-3: |
|||
There we got that `Disallow: /fade/to/black`, so I explored that URL: |
|||
http://chall.csivit.com:30231/fade/to/black |
|||
|
|||
|
|||
#### Step-4: |
|||
Voila! I got the flag there. |
|||
|
|||
<img src="Flag.png"> |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{br0b0t_1s_pr3tty_c00l_1_th1nk}` |
After Width: | Height: | Size: 12 KiB |
After Width: | Height: | Size: 226 KiB |
@ -0,0 +1,29 @@ |
|||
## Oreo |
|||
The main idea finding the flag is just tweaking the cookies. |
|||
|
|||
#### Step-1: |
|||
After I visited the URL: http://chall.csivit.com:30243/, this web page was shown: |
|||
|
|||
<img src="Web1.png"> |
|||
|
|||
|
|||
#### Step-2: |
|||
|
|||
I tried inspecting the element, but it wasn't helpful. So I checked the cookie and got a cookie `flavour` with value `c3RyYXdiZXJyeQ%3D%3D`. |
|||
|
|||
#### Step-3: |
|||
It was simple Base64 and I decoded it to get `strawberry`. |
|||
|
|||
<img src="base64_decode.png"> |
|||
|
|||
#### Step-4: |
|||
So I got to change the flavor to chocolate as in description. So I encoded `chocolate` accordingly, to get: |
|||
|
|||
<img src="base64_encode.png"> |
|||
|
|||
#### Step-5: |
|||
I loaded that base64 encoding `Y2hvY29sYXRl` as a cookie and refreshed the page to get the flag. |
|||
|
|||
#### Step-6: |
|||
Finally the flag becomes: |
|||
`csictf{1ick_twi5t_dunk}` |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 41 KiB |
After Width: | Height: | Size: 48 KiB |
@ -0,0 +1,10 @@ |
|||
## Secure Portal |
|||
The main idea finding the flag is decoding the script given. |
|||
|
|||
#### Step-1: |
|||
I couldn't understand on how to proceed, so here is the writeup I followed. |
|||
https://github.com/skyf0l/CTF/blob/master/CSICTF_2020/Web.md#secure-portal |
|||
|
|||
|
|||
#### Step-2: |
|||
`csictf{l3t_m3_c0nfus3_y0u}` |
After Width: | Height: | Size: 6.0 KiB |
@ -0,0 +1,55 @@ |
|||
## Warm Up |
|||
The main idea finding the flag is exploiting PHP type juggling. |
|||
|
|||
#### Step-1: |
|||
After I visited the URL: http://chall.csivit.com:30272/, I was greeted with below code: |
|||
|
|||
```php |
|||
<?php |
|||
|
|||
if (isset($_GET['hash'])) { |
|||
if ($_GET['hash'] === "10932435112") { |
|||
die('Not so easy mate.'); |
|||
} |
|||
|
|||
$hash = sha1($_GET['hash']); |
|||
$target = sha1(10932435112); |
|||
if($hash == $target) { |
|||
include('flag.php'); |
|||
print $flag; |
|||
} else { |
|||
print "csictf{loser}"; |
|||
} |
|||
} else { |
|||
show_source(__FILE__); |
|||
} |
|||
|
|||
?> |
|||
``` |
|||
|
|||
|
|||
#### Step-2: |
|||
|
|||
Sha1 of `10932435112` is `0e07766915004133176347055865026311692244` |
|||
|
|||
The comparison `if($hash == $target)` is vulnerable because it is not a strict comparison with `===`. |
|||
|
|||
#### Step-3: |
|||
So a bit more deep search of `sha1(10932435112)` online gave me links to [Magic Hashes](https://git.linuxtrack.net/Azgarech/PayloadsAllTheThings/blob/master/PHP%20juggling%20type/README.md) |
|||
|
|||
#### Step-4: |
|||
So, I tried the URL as any of the below. All have to work because all de-reference to same hash. |
|||
- http://chall.csivit.com:30272/?hash=aaK1STfY |
|||
- http://chall.csivit.com:30272/?hash=aaroZmOk |
|||
- http://chall.csivit.com:30272/?hash=aaO8zKZF |
|||
- http://chall.csivit.com:30272/?hash=aa3OFF9m |
|||
|
|||
Any other hashes like MD5, will give false flag of `csictf{loser}`. |
|||
|
|||
<img src="Flag.png"> |
|||
|
|||
Voila! I got the flag. |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{typ3_juggl1ng_1n_php}` |