Added Web Challenges
After Width: | Height: | Size: 16 KiB |
|
@ -0,0 +1,28 @@
|
|||
## Cascade
|
||||
The main idea finding the flag is just viewing the page source.
|
||||
|
||||
#### Step-1:
|
||||
After I visited the URL: http://chall.csivit.com:30203, this web page was shown:
|
||||
|
||||
<img src="Web1.png">
|
||||
|
||||
|
||||
#### Step-2:
|
||||
|
||||
I tried all `/robots.txt`, `/flag.txt` or any access to tiny server by `//`. Also by visiting both given links, didn't give any flags.
|
||||
|
||||
#### Step-3:
|
||||
Now, I searched for page source, and got this web page.
|
||||
|
||||
<img src="Web2.png">
|
||||
|
||||
I explored for `/static/style.css`.
|
||||
|
||||
#### Step-4:
|
||||
<img src="Flag.png">
|
||||
|
||||
Voila! I got the flag.
|
||||
|
||||
#### Step-5:
|
||||
Finally the flag becomes:
|
||||
`csictf{w3lc0me_t0_csictf}`
|
After Width: | Height: | Size: 48 KiB |
After Width: | Height: | Size: 44 KiB |
After Width: | Height: | Size: 5.5 KiB |
|
@ -0,0 +1,28 @@
|
|||
## Mr Rami
|
||||
The main idea finding the flag is accessing dormant sub domains of the site.
|
||||
|
||||
#### Step-1:
|
||||
After I visited the URL: [http://chall.csivit.com:30231](http://chall.csivit.com:30231), this web page was shown:
|
||||
|
||||
<img src="Web1.png">
|
||||
|
||||
|
||||
#### Step-2:
|
||||
|
||||
I tried http://chall.csivit.com:30231/robots.txt and I got this:
|
||||
|
||||
<img src="Robots.png">
|
||||
|
||||
#### Step-3:
|
||||
There we got that `Disallow: /fade/to/black`, so I explored that URL:
|
||||
http://chall.csivit.com:30231/fade/to/black
|
||||
|
||||
|
||||
#### Step-4:
|
||||
Voila! I got the flag there.
|
||||
|
||||
<img src="Flag.png">
|
||||
|
||||
#### Step-5:
|
||||
Finally the flag becomes:
|
||||
`csictf{br0b0t_1s_pr3tty_c00l_1_th1nk}`
|
After Width: | Height: | Size: 12 KiB |
After Width: | Height: | Size: 226 KiB |
|
@ -0,0 +1,29 @@
|
|||
## Oreo
|
||||
The main idea finding the flag is just tweaking the cookies.
|
||||
|
||||
#### Step-1:
|
||||
After I visited the URL: http://chall.csivit.com:30243/, this web page was shown:
|
||||
|
||||
<img src="Web1.png">
|
||||
|
||||
|
||||
#### Step-2:
|
||||
|
||||
I tried inspecting the element, but it wasn't helpful. So I checked the cookie and got a cookie `flavour` with value `c3RyYXdiZXJyeQ%3D%3D`.
|
||||
|
||||
#### Step-3:
|
||||
It was simple Base64 and I decoded it to get `strawberry`.
|
||||
|
||||
<img src="base64_decode.png">
|
||||
|
||||
#### Step-4:
|
||||
So I got to change the flavor to chocolate as in description. So I encoded `chocolate` accordingly, to get:
|
||||
|
||||
<img src="base64_encode.png">
|
||||
|
||||
#### Step-5:
|
||||
I loaded that base64 encoding `Y2hvY29sYXRl` as a cookie and refreshed the page to get the flag.
|
||||
|
||||
#### Step-6:
|
||||
Finally the flag becomes:
|
||||
`csictf{1ick_twi5t_dunk}`
|
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 41 KiB |
After Width: | Height: | Size: 48 KiB |
|
@ -0,0 +1,10 @@
|
|||
## Secure Portal
|
||||
The main idea finding the flag is decoding the script given.
|
||||
|
||||
#### Step-1:
|
||||
I couldn't understand on how to proceed, so here is the writeup I followed.
|
||||
https://github.com/skyf0l/CTF/blob/master/CSICTF_2020/Web.md#secure-portal
|
||||
|
||||
|
||||
#### Step-2:
|
||||
`csictf{l3t_m3_c0nfus3_y0u}`
|
After Width: | Height: | Size: 6.0 KiB |
|
@ -0,0 +1,55 @@
|
|||
## Warm Up
|
||||
The main idea finding the flag is exploiting PHP type juggling.
|
||||
|
||||
#### Step-1:
|
||||
After I visited the URL: http://chall.csivit.com:30272/, I was greeted with below code:
|
||||
|
||||
```php
|
||||
<?php
|
||||
|
||||
if (isset($_GET['hash'])) {
|
||||
if ($_GET['hash'] === "10932435112") {
|
||||
die('Not so easy mate.');
|
||||
}
|
||||
|
||||
$hash = sha1($_GET['hash']);
|
||||
$target = sha1(10932435112);
|
||||
if($hash == $target) {
|
||||
include('flag.php');
|
||||
print $flag;
|
||||
} else {
|
||||
print "csictf{loser}";
|
||||
}
|
||||
} else {
|
||||
show_source(__FILE__);
|
||||
}
|
||||
|
||||
?>
|
||||
```
|
||||
|
||||
|
||||
#### Step-2:
|
||||
|
||||
Sha1 of `10932435112` is `0e07766915004133176347055865026311692244`
|
||||
|
||||
The comparison `if($hash == $target)` is vulnerable because it is not a strict comparison with `===`.
|
||||
|
||||
#### Step-3:
|
||||
So a bit more deep search of `sha1(10932435112)` online gave me links to [Magic Hashes](https://git.linuxtrack.net/Azgarech/PayloadsAllTheThings/blob/master/PHP%20juggling%20type/README.md)
|
||||
|
||||
#### Step-4:
|
||||
So, I tried the URL as any of the below. All have to work because all de-reference to same hash.
|
||||
- http://chall.csivit.com:30272/?hash=aaK1STfY
|
||||
- http://chall.csivit.com:30272/?hash=aaroZmOk
|
||||
- http://chall.csivit.com:30272/?hash=aaO8zKZF
|
||||
- http://chall.csivit.com:30272/?hash=aa3OFF9m
|
||||
|
||||
Any other hashes like MD5, will give false flag of `csictf{loser}`.
|
||||
|
||||
<img src="Flag.png">
|
||||
|
||||
Voila! I got the flag.
|
||||
|
||||
#### Step-5:
|
||||
Finally the flag becomes:
|
||||
`csictf{typ3_juggl1ng_1n_php}`
|