ASC Wargames Qualifications 2022 Web Challenge Write-up
Hi, my name is Ahmed Magdy :)
I participated last year, but I will not participate this year with a team because I was busy preparing some things more important than the competition.
I would like to thank all the organizers for this CTF.
Let's get to solving the web challenges.
1- Challenge Name : Warm-Up > Drunken Developer
When I check the source code I find the
Make Mail admin = wars_admin1@vistaemail.com
And send the request to change your account's password
Flag : ASCWG{%Sca21_QS_2!3eSKC&qw9@_warmup}
2- Challenge Name : Konan
On this site you enter a username to send the OTP.
We need the admin OTP.
I tried brute-forcing the OTP, but it does not work and is not allowed.
Any OTP I send >> error, with the reason: invalid OTP
Change response from True to False
Flag : ASCWG{@$CASQWsd#w8_3232_xasw_xas@1da_easy}
3- Challenge Name : Evil Volunteer
After registering and logging in
After many attempts to upload a PHP file, I failed
I will upload a normal photo
When delete handle we can see the photo with base64
I will inject JS code in file
I will inject PHP code in file to get RCE
<?php system($_GET['cmd']); ?>
When I cat flag.php
Flag : ASCWG{f$@wef#23_4_as_KR_qwq21_21aasd_medium_1}
4- Challenge Name : Doctor X
After registering and logging in
I find local storage data
I will edit it from UserID : 656 to UserID : 1 to log in as admin
Woo, the dashboard changes to the admin dashboard
When I log in with username and password it is a normal user, not admin; I need the admin with id 1, not 11
After adding ( } ) to the request to show any error
I need to dump all user info
Flag : ASCWG{@#921$s_24sd_ASD_544ASX_medium_2}
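The local-storage step in Doctor X works because the server believes a UserID the browser can edit. The sketch below is an added example, not code from the challenge or from this write-up: it shows a server handing out an HMAC-tagged session value and deriving the role from its own table, so changing 656 to 1 on the client is rejected. The token layout, SERVER_KEY, ROLES and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the server
ROLES = {1: "admin", 656: "user"}      # constructed table; the two IDs are the ones in the write-up

def _enc(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def issue_token(user_id, now=None, ttl=900):
    """Value the server gives the browser after a successful login."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "exp": now + ttl}).encode()
    return _enc(payload) + "." + _enc(_tag(payload))

def verify_token(token, now=None):
    """Return the claims only if the tag matches and the token is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = _dec(p64), _dec(t64)
    except ValueError:                 # wrong part count or bad base64
        return None
    if not hmac.compare_digest(tag, _tag(payload)):
        return None                    # payload was changed after issuance
    claims = json.loads(payload)
    return claims if claims["exp"] > now else None

def edit_uid_client_side(token, new_uid):
    """Models the local-storage edit: the uid changes, the old tag is kept."""
    p64, t64 = token.split(".")
    claims = json.loads(_dec(p64))
    claims["uid"] = new_uid
    return _enc(json.dumps(claims).encode()) + "." + t64

def dashboard_for(token, now=None):
    """The role is looked up server-side from the verified uid, never sent by the client."""
    claims = verify_token(token, now)
    if claims is None:
        return "401 invalid session"
    return ROLES.get(claims["uid"], "user") + " dashboard"
```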