
PICOCTF 2018

Before you start reading this specific "guide", please pay attention to the following warning:

!!

This is not suitable for experienced people, as I try to explain the procedures as much as possible and use friendly terms.

IF YOU ARE A BEGINNER, PLEASE DON'T GO STRAIGHT TO THE ANSWER/FLAG. Read the whole text and try to understand how everything works... because after all, what matters is the knowledge acquired.

!!

Inspect Me

So this first challenge is pretty simple. We get our first hint in the name of the challenge itself: "Inspect Me". That tells us that we should inspect the website. As you may know, there is a tool in most browsers called "Inspector"... As you look through the website and open the "about" tab, they give us another hint: "HTML CSS JS (Javascript)". So basically all we have to do here is look a bit through the HTML, CSS and JS files that are being included on the website.

If you want to try it for yourself, don't read any further, press F12 and start "inspecting" ;)

We can find the first part of the flag in the HTML like so:

So we know that there are 2 other parts somewhere... let's check the included files. As we can see in the following screenshot, there are 2 CSS files being included, "css.css" and "mycss.css". Let's open them and see what's in there!

Part 3 is empty, so we got the flag just by inspecting the HTML and CSS.

picoCTF{ur_4_real_1nspect0r_g4dget_402b0bd3}

Logon

This being the second web challenge, we can't expect it to be as easy as the first one, right? So this time we've got a login system. If we press "Sign In" without adding any input, it says that we are logged in (somehow) but we are not able to see the flag... so this has to be a cookie challenge. (Not sure how cookies work? Learn more here.)

There are two ways to solve this... you could either use the developer tools (which are included in most browsers) to edit the HTTP requests, or you could use a tool like Burp Suite. (If you don't know how to use Burp Suite, you should watch this tutorial.)

Using the Dev Tools is pretty simple... Go to the Network tab, and you should see a GET request to "flag" listed, just like shown below.
Click on it and on the right side you should have a button saying "Edit and Resend"; click on it. Look for the cookie called, surprisingly, "admin" and change it from "False" to "True". After that click the small "Send" button. You should then have a new request in the list; click it, go to the Response tab, scroll a little bit and you should find the flag there!


Irish Name Repo

In this challenge we are finally introduced to SQL injection. As you surf through the site you will come across a login page (login.php). If you enter dummy data it returns "login failed", which tells us that there is in fact a validation step. Let's intercept the HTTP request just like we did in the previous challenge.
Okay... interesting... there is a "debug" field being submitted... What happens if we replace the "0" with "1"?

Look! The query is exposed!

As you might know... login will only be successful if the query returns "true". If we don't know the correct credentials, how are we able to make it return true?
Well... this is where SQL injection comes in. What would happen if we fill in our "pass" with something like ' or 1=1 ? (Don't forget to change debug to 1.) Try it yourself.

Whoa... why didn't it work, you wonder... If you look carefully at the query itself, the syntax isn't right... there is a ' left over at the end, which makes it return an internal error. So now we just have to "play around" with our payload until we write it in a way that fits the syntax... which in this case would be something like ' or '1'='1 and voilà! We got the flag!

MR. Robots

This is a challenge to test your overall knowledge of websites.
The name of the challenge already gives the solution away. Here is some knowledge that might help you solve this before I spoil it for you.

"Web Robots (also known as Web Wanderers, Crawlers, or Spiders), are programs that traverse the Web automatically. Search engines such as Google use them to index the web content, spammers use them to scan for email addresses, and they have many other uses."
So... basically it's common to have a "robots.txt" file in the root of a domain... Let's check if there is such a file on this website.

Seems like there is! Let's try opening it!


No Login

Honestly... this challenge is completely trial and error... Here is why: So... we've got a page where sign in and sign out don't work, and we are asked to be an admin user in order to retrieve the flag... this means that the only way they could know whether we are admins or not is by setting a cookie.

Let's try pressing the big green button and have Burp Suite intercept the request:

Surprisingly there isn't a single cookie related to being an admin or a regular user. At this point, our best bet is to guess the name and value of the cookie that is going to give us the admin status. Here are a couple of options that we could have gone for:

admin=true
adm=true
admin=1
admin=yes
superuser=1
superuser=true

The possibilities are endless... but thankfully they didn't pick a hard one as the solution.


Secret Agent

The name of the challenge gives it all away. Just like the previous challenge, nothing works except the big green button. Once we click it they tell us "You're not google!"
What does this mean exactly? So, one of the headers that is usually sent with HTTP requests is the "User-Agent". Here is a brief explanation of what the User-Agent is:

"The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system [...]"
If you didn't know about the User-Agent, I recommend you go read a little bit about HTTP headers. Basically we have to "fake" our identity and tell the "website" that we are an entity from Google. How do we do that, you wonder... well... we can just google "User-Agents from Google"... and after a quick search we can find something like
"Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
So all we gotta do is replace our User-Agent with the one we found. And there we go!


Buttons

So this challenge is literally a troll haha. So... there are 2 buttons... the first one looks like a normal one but the second is a link. After we click the second "button" we get redirected to this "boo" page.
Honestly... there is no science behind this... but let's try to understand what is happening here... When we inspect the first button we can see that it is inside a form and will submit a POST request:

<form action="button1.php" method="POST">
The second one will submit a GET request:
<a href="button2.php">Button2</a>
So... if pressing the first button lets us continue our button-clicking journey, then why did the second one redirect us? Basically the PHP file "button2.php" is configured to redirect GET requests to "boo.html"... what happens if we change the request from GET to POST? Voilà! We got the flag!

The Vault

This one is actually really useful for practising code auditing! I highly recommend you try to figure this one out by yourself.

Well... if you are reading this, it's because you didn't manage to figure it out... don't worry, I will help you understand it. So... we are dealing with a login system and we have access to the login source code; what else could we ask for? Let's analyse the most important lines of the source code!
So... we've got 3 input variables: $username, $password and $debug.
We've got the full query, which is very similar to the one in "Irish Name Repo", and then we've got the block of code that is supposed to check our input for SQL injection.
They are using the function preg_match to filter the variables... but which variables are they filtering? If you pay closer attention you will notice that they are checking $username twice, which leaves $password unprotected!
So... let's try a simple SQLi payload in the password field like so...
And we got the flag!


Artisinal Handcrafted HTTP 3

Unfortunately, by the time I was re-doing this CTF, the port for this challenge was unreachable... I will update this page if they get the service running again.

Flaskcards

As you might imagine... there are multiple back-end frameworks. The name of the challenge gives away which framework we are dealing with.
In this case it is Flask. After googling for a while, I came across this amazing article.

In the article they mention the following:

{%....%} are for statements
{{....}} are expressions used to print to template output
{#....#} are for comments which are not included in the template output
#....## are used as line statements

We are presented with a page to register and log in... let's start by creating a new user and then logging into it.
It looks like we are able to create some cards, and that seems to be the vulnerable spot. I'm gonna save you some time and tell you that the Admin page is just a decoy...

After a bit of research: the Flask framework has a template called Config where it stores all sorts of variables. What if, with the knowledge we obtained before, we try to print out the config template?
Head to the "list cards" page and voilà!


Fancy Alive Monitoring

Coming Soon...


Secure Logon

Get ready for this one, because this is more of a crypto challenge than a web exploitation one. PS: I solved this using Python.

Okay so... it seems that we only have a sign-in button... which means that whatever we type in there is most likely going to be stored in a cookie.
They want us to become admin and they also give us the "blueprint" of the cookie. IF we had the encryption key, we could just build our own JSON, encrypt it, base64-encode it and replace the cookie. BUT that's not the case... so... after a long time researching, I found this webpage here that will basically teach you a cool "attack" called CBC bit flipping.

I highly recommend you go there and read the whole thing.
That being said, I've built this simple Python script that XORs the byte at the 11th position (index 10), which is where the "0" flag of admin is, then base64-encodes it and spits it out.


Feel free to use it if you want to try it yourself; just replace the variable c with your cookie.

import base64

# the cookie value copied from the browser (replace with your own)
c = base64.b64decode('/7LJWRLEtmKcCRj3qsLR4/0udHgkOt3aT1L/U10949WWGv4LuoW5THTe/p4HkBqkU+Xgq8ljJkAUtL8BRPnov1Bd6pPRPOkXBK+NE2PLLuk=')
# XOR the 11th byte (index 10) with '0' ^ '1' so that the decrypted '0' becomes a '1'
# (pwntools' xor() is not needed for a single byte; Python 3 bytes are ints)
c = c[:10] + bytes([c[10] ^ ord('0') ^ ord('1')]) + c[11:]
print(base64.b64encode(c).decode())

and there we go, we got the flag.
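Why does XORing a single ciphertext byte change a single plaintext byte? Below is an added example (my own code, not the challenge's or the linked article's) that walks through it with the standard library only. In CBC mode each plaintext block is D(C[i]) XOR C[i-1], with the IV playing the role of C[-1], so a change to byte 10 of the IV lands exactly on byte 10 of the first plaintext block. The example assumes the same cookie layout as the challenge appears to use, base64(IV || ciphertext), so index 10 falls inside the IV and nothing else is garbled. The block cipher is a small keyed Feistel network standing in for AES (the CBC property does not depend on which cipher is used), and the key, IV and JSON are constructed for the demo. It then shows the standard fix: an HMAC over IV and ciphertext (encrypt-then-MAC), checked before anything is decrypted, which rejects the flipped cookie.

```python
import base64
import hashlib
import hmac

BLOCK = 16
KEY = b"constructed-demo-key"          # constructed; the challenge key is unknown
IV = bytes(range(BLOCK))               # fixed IV so the demo is reproducible
PLAINTEXT = b'{"admin": 0, "user": "guest"}'   # byte index 10 is the "0" of admin

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_key(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_block_encrypt(key, block):
    # Four-round Feistel network on 16-byte blocks, keyed through SHA-256.
    # Toy stand-in for AES so the demo needs only the standard library.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_key(key, rnd, right))
    return left + right

def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_key(key, rnd, left)), left
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    return data[:-data[-1]]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    # P[i] = D(C[i]) XOR C[i-1], with C[-1] = IV: a change to one byte of
    # C[i-1] lands on the same byte of P[i].
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, block), prev)
        prev = block
    return out

def make_cookie(key, iv, plaintext):
    # Same layout as the challenge cookie: base64(IV || ciphertext).
    return base64.b64encode(iv + cbc_encrypt(key, iv, pad(plaintext))).decode()

def read_cookie(key, cookie):
    raw = base64.b64decode(cookie)
    return unpad(cbc_decrypt(key, raw[:BLOCK], raw[BLOCK:]))

def flip_byte(cookie, index, old, new):
    # What the write-up's script does: XOR one byte of the raw cookie so the
    # decrypted byte at that position changes from old to new.
    raw = bytearray(base64.b64decode(cookie))
    raw[index] ^= ord(old) ^ ord(new)
    return base64.b64encode(bytes(raw)).decode()

def make_tagged_cookie(key, cookie):
    # Mitigation: encrypt-then-MAC. The tag covers IV and ciphertext.
    return cookie + "." + hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()

def read_tagged_cookie(key, tagged):
    cookie, tag = tagged.rsplit(".", 1)
    expected = hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None            # tag mismatch: reject before decrypting anything
    return read_cookie(key, cookie)

def demo():
    cookie = make_cookie(KEY, IV, PLAINTEXT)
    forged = flip_byte(cookie, 10, "0", "1")
    tagged = make_tagged_cookie(KEY, cookie)
    forged_tagged = forged + "." + tagged.rsplit(".", 1)[1]   # old tag, new body
    return {
        "original": read_cookie(KEY, cookie),
        "forged": read_cookie(KEY, forged),
        "tagged_ok": read_tagged_cookie(KEY, tagged),
        "tagged_forged": read_tagged_cookie(KEY, forged_tagged),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "forged" result decrypts to {"admin": 1, ...} with every other byte intact, because the flipped byte sits in the IV. Had the byte been inside a ciphertext block instead, the same flip would have landed on the next block and turned the flipped block itself into garbage, which is why the position of the target byte matters. With the tag in place the server never gets as far as decrypting the forged value.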


Flaskcards Skeleton Key

Just like with any symmetric encryption method, if you have the final result (hash) and the encryption key, you are able to decrypt the hash back into the original string. Which is what is going to happen in this case.

I searched on Google for something like "flask session cookie decoder" and you will find a couple of links. I personally used this one to solve it:
https://github.com/noraj/flask-session-cookie-manager

Using this script by Noraj, we are able to decode the hash, modify it as we need, encode it again with the same key, replace the old cookie in the browser and get the flag!

Simple!
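One detail worth seeing in code: a Flask session cookie is signed, not encrypted. Its payload is only base64-encoded JSON, so anyone can read it; what the secret key protects is the signature that the server checks on every request. The example below is my own simplified stand-in for that format (not Flask's, not the itsdangerous library's and not Noraj's tool): base64(json) "." HMAC(secret, base64(json)). The secret and the session contents are constructed for the demo. It shows that the contents can be read without the key, that editing them while keeping the old tag is rejected, and that re-signing with the key, the route the write-up takes, is accepted. The defensive takeaway is that SECRET_KEY is the whole security of the session and must never be guessable or exposed.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # constructed; stands in for Flask's SECRET_KEY

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(data):
    return _b64(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())

def _tag(secret, payload):
    return _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())

def sign_session(secret, data):
    # Cookie = base64(json) "." HMAC(secret, base64(json)). The data is only
    # encoded, not encrypted: the tag is the only thing protecting it.
    payload = _encode(data)
    return payload + "." + _tag(secret, payload)

def peek_session(cookie):
    # Anyone holding the cookie can read its contents; no key is needed.
    return json.loads(_unb64(cookie.split(".")[0]))

def verify_session(secret, cookie):
    # What the server does on every request: recompute the tag and compare it
    # in constant time. A payload edited without the key fails here.
    payload, tag = cookie.rsplit(".", 1)
    if not hmac.compare_digest(tag, _tag(secret, payload)):
        return None
    return json.loads(_unb64(payload))

def tamper_without_key(cookie, changes):
    # Edit the payload but keep the old tag: all that is possible without the key.
    data = peek_session(cookie)
    data.update(changes)
    return _encode(data) + "." + cookie.rsplit(".", 1)[1]

def resign_with_key(secret, cookie, changes):
    # The write-up's route: decode, modify, sign again with the leaked key.
    data = peek_session(cookie)
    data.update(changes)
    return sign_session(secret, data)

if __name__ == "__main__":
    cookie = sign_session(SECRET, {"user": "guest", "admin": False})
    print("readable without key:", peek_session(cookie))
    print("edited, old tag   :", verify_session(SECRET, tamper_without_key(cookie, {"admin": True})))
    print("edited, re-signed :", verify_session(SECRET, resign_with_key(SECRET, cookie, {"admin": True})))
```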


Help Me Reset 2

We are presented with a login page and a Recover Account page.
We certainly don't know any login credentials, so the vulnerable path should be through the recovery page.
As I was crawling around, I noticed an HTML comment at the bottom of the index file... it seemed to be a username.


Let's head to the recovery page and try to recover that username.
Nice! We are getting somewhere! Now all we have to do is guess the answers to 3 questions... But here are some tips that you might need...
If your account gets "blocked", don't worry, it's just a cookie. Delete it and start again.

The easiest way to do this is to try to guess just 1 of the answers, for example the favorite color, and then keep refreshing the page
until you have answered that same question 3 times. Once that's done, you should be able to reset the account with a new password, log in and obtain the flag!


A Simple Question

Coming Soon...


Flaskcards and Freedom

Coming Soon...