Added Web Challenges

rishitsaiya 2020-07-31 18:25:25 +05:30
parent ed3907e13f
commit 1aed7e56bf
15 changed files with 150 additions and 0 deletions

BIN
Web/Cascade/Flag.png Normal file

Binary file not shown.

Size: 16 KiB

28
Web/Cascade/README.md Normal file

@ -0,0 +1,28 @@
## Cascade
The main idea finding the flag is just viewing the page source.
#### Step-1:
After I visited the URL: http://chall.csivit.com:30203, this web page was shown:
<img src="Web1.png">
#### Step-2:
I tried all `/robots.txt`, `/flag.txt` or any access to tiny server by `//`. Also by visiting both given links, didn't give any flags.
#### Step-3:
Now, I searched for page source, and got this web page.
<img src="Web2.png">
I explored for `/static/style.css`.
#### Step-4:
<img src="Flag.png">
Voila! I got the flag.
#### Step-5:
Finally the flag becomes:
`csictf{w3lc0me_t0_csictf}`
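
Review bot: Step-3 and Step-4 never say in text where the flag was found. The summary line says the idea is "just viewing the page source", but Step-3 ends with `I explored for /static/style.css.` and Step-4 shows only `Flag.png`, so a reader without the images cannot tell that the flag sat in the stylesheet linked from the page rather than in the HTML itself. Suggest stating that explicitly in Step-4 and adjusting the summary to match. Step-2's "any access to tiny server by `//`" is also hard to parse and should be reworded to say what request was actually tried, and the `<img>` tags would benefit from `alt` text describing each screenshot.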

BIN
Web/Cascade/Web1.png Normal file

Binary file not shown.

Size: 48 KiB

BIN
Web/Cascade/Web2.png Normal file

Binary file not shown.

Size: 44 KiB

BIN
Web/Mr Rami/Flag.png Normal file

Binary file not shown.

Size: 5.5 KiB

28
Web/Mr Rami/README.md Normal file

@ -0,0 +1,28 @@
## Mr Rami
The main idea finding the flag is accessing dormant sub domains of the site.
#### Step-1:
After I visited the URL: [http://chall.csivit.com:30231](http://chall.csivit.com:30231), this web page was shown:
<img src="Web1.png">
#### Step-2:
I tried http://chall.csivit.com:30231/robots.txt and I got this:
<img src="Robots.png">
#### Step-3:
There we got that `Disallow: /fade/to/black`, so I explored that URL:
http://chall.csivit.com:30231/fade/to/black
#### Step-4:
Voila! I got the flag there.
<img src="Flag.png">
#### Step-5:
Finally the flag becomes:
`csictf{br0b0t_1s_pr3tty_c00l_1_th1nk}`
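
Review bot: The summary line `The main idea finding the flag is accessing dormant sub domains of the site.` does not match the steps. Step-2 to Step-4 stay on the same host and port and follow a path, `/fade/to/black`, taken from a `Disallow:` entry in `robots.txt`; no subdomain is involved. Suggest rewording the summary to say the flag was at a path disclosed by `robots.txt`, and adding one sentence that `robots.txt` is a crawler hint readable by anyone, not access control, since that is what the challenge teaches.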

BIN
Web/Mr Rami/Robots.png Normal file

Binary file not shown.

Size: 12 KiB

BIN
Web/Mr Rami/Web1.png Normal file

Binary file not shown.

Size: 226 KiB

29
Web/Oreo/README.md Normal file

@ -0,0 +1,29 @@
## Oreo
The main idea finding the flag is just tweaking the cookies.
#### Step-1:
After I visited the URL: http://chall.csivit.com:30243/, this web page was shown:
<img src="Web1.png">
#### Step-2:
I tried inspecting the element, but it wasn't helpful. So I checked the cookie and got a cookie `flavour` with value `c3RyYXdiZXJyeQ%3D%3D`.
#### Step-3:
It was simple Base64 and I decoded it to get `strawberry`.
<img src="base64_decode.png">
#### Step-4:
So I got to change the flavor to chocolate as in description. So I encoded `chocolate` accordingly, to get:
<img src="base64_encode.png">
#### Step-5:
I loaded that base64 encoding `Y2hvY29sYXRl` as a cookie and refreshed the page to get the flag.
#### Step-6:
Finally the flag becomes:
`csictf{1ick_twi5t_dunk}`
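
Review bot: Step-3 calls the cookie value `c3RyYXdiZXJyeQ%3D%3D` "simple Base64", but as shown in Step-2 it is percent-encoded Base64: `%3D%3D` is the `==` padding, and it has to be URL-decoded before the Base64 decode yields `strawberry`. Worth saying so, and noting in Step-5 that `Y2hvY29sYXRl` needs no such escaping because it carries no padding. Step-4 writes "flavor" while the cookie in Step-2 is named `flavour`; use one spelling so it is clear which cookie is being set. A closing sentence on the root cause would round this off: the server trusts a client-held value that is only encoded, not signed or encrypted.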

BIN
Web/Oreo/Web1.png Normal file

Binary file not shown.

Size: 10 KiB

BIN
Web/Oreo/base64_decode.png Normal file

Binary file not shown.

Size: 41 KiB

BIN
Web/Oreo/base64_encode.png Normal file

Binary file not shown.

Size: 48 KiB


@ -0,0 +1,10 @@
## Secure Portal
The main idea finding the flag is decoding the script given.
#### Step-1:
I couldn't understand on how to proceed, so here is the writeup I followed.
https://github.com/skyf0l/CTF/blob/master/CSICTF_2020/Web.md#secure-portal
#### Step-2:
`csictf{l3t_m3_c0nfus3_y0u}`
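
Review bot: This README contains no solution of its own. The summary says the idea is "decoding the script given", but Step-1 only links to another author's writeup and Step-2 is a bare flag, so the file explains nothing if that link moves or is removed. Suggest summarising in a few sentences what the script was and how it was decoded, keeping the link as credit, and introducing the flag in Step-2 the way the other READMEs in this commit do (`Finally the flag becomes:`).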

BIN
Web/Warm Up/Flag.png Normal file

Binary file not shown.

Size: 6.0 KiB

55
Web/Warm Up/README.md Normal file

@ -0,0 +1,55 @@
## Warm Up
The main idea finding the flag is exploiting PHP type juggling.
#### Step-1:
After I visited the URL: http://chall.csivit.com:30272/, I was greeted with below code:
```php
<?php
if (isset($_GET['hash'])) {
if ($_GET['hash'] === "10932435112") {
die('Not so easy mate.');
}
$hash = sha1($_GET['hash']);
$target = sha1(10932435112);
if($hash == $target) {
include('flag.php');
print $flag;
} else {
print "csictf{loser}";
}
} else {
show_source(__FILE__);
}
?>
```
#### Step-2:
Sha1 of `10932435112` is `0e07766915004133176347055865026311692244`
The comparison `if($hash == $target)` is vulnerable because it is not a strict comparison with `===`.
#### Step-3:
So a bit more deep search of `sha1(10932435112)` online gave me links to [Magic Hashes](https://git.linuxtrack.net/Azgarech/PayloadsAllTheThings/blob/master/PHP%20juggling%20type/README.md)
#### Step-4:
So, I tried the URL as any of the below. All have to work because all de-reference to same hash.
- http://chall.csivit.com:30272/?hash=aaK1STfY
- http://chall.csivit.com:30272/?hash=aaroZmOk
- http://chall.csivit.com:30272/?hash=aaO8zKZF
- http://chall.csivit.com:30272/?hash=aa3OFF9m
Any other hashes like MD5, will give false flag of `csictf{loser}`.
<img src="Flag.png">
Voila! I got the flag.
#### Step-5:
Finally the flag becomes:
`csictf{typ3_juggl1ng_1n_php}`
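
Review bot: Step-4 gives the wrong reason for why the inputs work. `All have to work because all de-reference to same hash.` is not accurate: the four strings do not share a SHA-1 digest with `10932435112`. What matters is that each digest, like the target `0e07766915004133176347055865026311692244` in Step-2, is `0e` followed only by digits, so PHP's loose `==` treats both sides as numeric strings in exponent notation and compares 0 with 0. Step-2 should spell that out rather than only saying the comparison is not strict, and should mention that the earlier `=== "10932435112"` check blocks nothing except that one literal input. The line `Any other hashes like MD5, will give false flag` would read better as: magic strings collected for MD5 do not work here because the code calls `sha1()`. A short remediation note would complete the writeup: compare with `===` or `hash_equals()`. The PHP block has also lost its indentation and is worth re-indenting.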