@ -0,0 +1,28 @@ |
|||||
|
## Cascade |
||||
|
The main idea finding the flag is just viewing the page source. |
||||
|
|
||||
|
#### Step-1: |
||||
|
After I visited the URL: http://chall.csivit.com:30203, this web page was shown: |
||||
|
|
||||
|
<img src="Web1.png"> |
||||
|
|
||||
|
|
||||
|
#### Step-2: |
||||
|
|
||||
|
I tried all `/robots.txt`, `/flag.txt` or any access to tiny server by `//`. Also by visiting both given links, didn't give any flags. |
||||
|
|
||||
|
#### Step-3: |
||||
|
Now, I searched for page source, and got this web page. |
||||
|
|
||||
|
<img src="Web2.png"> |
||||
|
|
||||
|
I explored for `/static/style.css`. |
||||
|
|
||||
|
#### Step-4: |
||||
|
<img src="Flag.png"> |
||||
|
|
||||
|
Voila! I got the flag. |
||||
|
|
||||
|
#### Step-5: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{w3lc0me_t0_csictf}` |
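Review bot: The summary line says the flag is found by "just viewing the page source", but Step-3 and Step-4 show it was reached by opening `/static/style.css`, and Step-4 contains only `Flag.png` with no text. Say in the summary that the flag is in the stylesheet reached from the page source, and add a sentence to Step-4 stating where in that file it appears, so the writeup can be followed without the screenshots. In Step-2, "any access to tiny server by `//`" is unclear; spell out the request that was tried.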
@ -0,0 +1,28 @@ |
|||||
|
## Mr Rami |
||||
|
The main idea finding the flag is accessing dormant sub domains of the site. |
||||
|
|
||||
|
#### Step-1: |
||||
|
After I visited the URL: [http://chall.csivit.com:30231](http://chall.csivit.com:30231), this web page was shown: |
||||
|
|
||||
|
<img src="Web1.png"> |
||||
|
|
||||
|
|
||||
|
#### Step-2: |
||||
|
|
||||
|
I tried http://chall.csivit.com:30231/robots.txt and I got this: |
||||
|
|
||||
|
<img src="Robots.png"> |
||||
|
|
||||
|
#### Step-3: |
||||
|
There we got that `Disallow: /fade/to/black`, so I explored that URL: |
||||
|
http://chall.csivit.com:30231/fade/to/black |
||||
|
|
||||
|
|
||||
|
#### Step-4: |
||||
|
Voila! I got the flag there. |
||||
|
|
||||
|
<img src="Flag.png"> |
||||
|
|
||||
|
#### Step-5: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{br0b0t_1s_pr3tty_c00l_1_th1nk}` |
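Review bot: The summary line describes "accessing dormant sub domains", but Steps 2 to 4 follow the `Disallow: /fade/to/black` entry in `robots.txt` to a path on the same host and port, so no subdomain is involved. Reword the summary to say the flag sits at a path disclosed by `robots.txt`. A sentence noting that `robots.txt` is publicly readable, and so advertises every path it lists, would make the lesson explicit.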
@ -0,0 +1,29 @@ |
|||||
|
## Oreo |
||||
|
The main idea finding the flag is just tweaking the cookies. |
||||
|
|
||||
|
#### Step-1: |
||||
|
After I visited the URL: http://chall.csivit.com:30243/, this web page was shown: |
||||
|
|
||||
|
<img src="Web1.png"> |
||||
|
|
||||
|
|
||||
|
#### Step-2: |
||||
|
|
||||
|
I tried inspecting the element, but it wasn't helpful. So I checked the cookie and got a cookie `flavour` with value `c3RyYXdiZXJyeQ%3D%3D`. |
||||
|
|
||||
|
#### Step-3: |
||||
|
It was simple Base64 and I decoded it to get `strawberry`. |
||||
|
|
||||
|
<img src="base64_decode.png"> |
||||
|
|
||||
|
#### Step-4: |
||||
|
So I got to change the flavor to chocolate as in description. So I encoded `chocolate` accordingly, to get: |
||||
|
|
||||
|
<img src="base64_encode.png"> |
||||
|
|
||||
|
#### Step-5: |
||||
|
I loaded that base64 encoding `Y2hvY29sYXRl` as a cookie and refreshed the page to get the flag. |
||||
|
|
||||
|
#### Step-6: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{1ick_twi5t_dunk}` |
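Review bot: Step-3 calls the cookie value "simple Base64", but the value shown in Step-2, `c3RyYXdiZXJyeQ%3D%3D`, is percent-encoded first: `%3D%3D` is `==`, so it has to be URL-decoded to `c3RyYXdiZXJyeQ==` before it is Base64-decoded. Add that step, and note in Step-5 that `Y2hvY29sYXRl` carries no `=` padding, so nothing needs percent-encoding when it is set. The text also switches between `flavour` (the cookie name) and "flavor"; keep the cookie's spelling throughout. A closing line on the root cause, that the page trusts a client-editable cookie which is only encoded, would round the writeup off.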
@ -0,0 +1,10 @@ |
|||||
|
## Secure Portal |
||||
|
The main idea finding the flag is decoding the script given. |
||||
|
|
||||
|
#### Step-1: |
||||
|
I couldn't understand on how to proceed, so here is the writeup I followed. |
||||
|
https://github.com/skyf0l/CTF/blob/master/CSICTF_2020/Web.md#secure-portal |
||||
|
|
||||
|
|
||||
|
#### Step-2: |
||||
|
`csictf{l3t_m3_c0nfus3_y0u}` |
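Review bot: Step-1 only links to another author's writeup and Step-2 is the bare flag, so this file never explains what "decoding the script given" involved. Either summarise the steps taken from the linked writeup in your own words, with credit, or mark the file as a pointer rather than a solution. For consistency with the other writeups in this commit, Step-2 should also carry the "Finally the flag becomes:" line.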
@ -0,0 +1,55 @@ |
|||||
|
## Warm Up |
||||
|
The main idea finding the flag is exploiting PHP type juggling. |
||||
|
|
||||
|
#### Step-1: |
||||
|
After I visited the URL: http://chall.csivit.com:30272/, I was greeted with below code: |
||||
|
|
||||
|
```php |
||||
|
<?php |
||||
|
|
||||
|
if (isset($_GET['hash'])) { |
||||
|
if ($_GET['hash'] === "10932435112") { |
||||
|
die('Not so easy mate.'); |
||||
|
} |
||||
|
|
||||
|
$hash = sha1($_GET['hash']); |
||||
|
$target = sha1(10932435112); |
||||
|
if($hash == $target) { |
||||
|
include('flag.php'); |
||||
|
print $flag; |
||||
|
} else { |
||||
|
print "csictf{loser}"; |
||||
|
} |
||||
|
} else { |
||||
|
show_source(__FILE__); |
||||
|
} |
||||
|
|
||||
|
?> |
||||
|
``` |
||||
|
|
||||
|
|
||||
|
#### Step-2: |
||||
|
|
||||
|
Sha1 of `10932435112` is `0e07766915004133176347055865026311692244` |
||||
|
|
||||
|
The comparison `if($hash == $target)` is vulnerable because it is not a strict comparison with `===`. |
||||
|
|
||||
|
#### Step-3: |
||||
|
So a bit more deep search of `sha1(10932435112)` online gave me links to [Magic Hashes](https://git.linuxtrack.net/Azgarech/PayloadsAllTheThings/blob/master/PHP%20juggling%20type/README.md) |
||||
|
|
||||
|
#### Step-4: |
||||
|
So, I tried the URL as any of the below. All have to work because all de-reference to same hash. |
||||
|
- http://chall.csivit.com:30272/?hash=aaK1STfY |
||||
|
- http://chall.csivit.com:30272/?hash=aaroZmOk |
||||
|
- http://chall.csivit.com:30272/?hash=aaO8zKZF |
||||
|
- http://chall.csivit.com:30272/?hash=aa3OFF9m |
||||
|
|
||||
|
Any other hashes like MD5, will give false flag of `csictf{loser}`. |
||||
|
|
||||
|
<img src="Flag.png"> |
||||
|
|
||||
|
Voila! I got the flag. |
||||
|
|
||||
|
#### Step-5: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{typ3_juggl1ng_1n_php}` |
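Review bot: In Step-4, "all de-reference to same hash" is not accurate: the four inputs are different strings and have different SHA-1 digests. What makes `$hash == $target` pass is the form of the digest shown in Step-2, `0e` followed only by digits, which PHP's loose `==` reads as a number in scientific notation (zero) on both sides. Step-2 should state this, since "not a strict comparison" alone does not explain why unequal strings compare equal. The MD5 sentence would be clearer as "values from the MD5 magic-hash list do not work here because the code uses `sha1()`". It would also help to name the fix next to the finding: compare with `===` or `hash_equals()`.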