ICMTC CTF Qualifications 2023 Web Challenge Write-up
Hi, my name is Ahmed Magdy :)
I would like to thank all the organizers for this CTF.
Let’s go solve the web challenges.
1 - Challenge Name : Ping me
A ping (Packet Internet or Inter-Network Groper) is a basic Internet program that allows a user to test and verify whether a particular destination IP address exists.
The input is passed to a command in a Linux terminal, and the output of the command is printed.
Any command that contains spaces is not allowed.
I have a trick: using a command without any spaces.
After searching the server, I found a directory named /tmp.
After reading the contents of the files, I found many flags; one of them is correct.
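The fix for this class of bug, as an added example that is not the challenge's own code: refusing spaces is a blacklist, so space-free input still reaches the shell, while an allowlist that accepts only a literal IP address and runs ping without a shell does not have that gap. Python, the function names and the sample inputs are assumptions made for illustration; the write-up does not show the server's code.

```python
import ipaddress
import subprocess

# Constructed sample inputs (not taken from the challenge).
SAMPLES = ["127.0.0.1", "127.0.0.1 ; id", "127.0.0.1;id", "example.com"]


def weak_filter_allows(user_input: str) -> bool:
    """Blacklist as described in the write-up: refuse only input that contains a space."""
    return " " not in user_input


def build_ping_argv(user_input: str, count: int = 1) -> list[str]:
    """Allowlist: accept nothing but a literal IPv4 address, then build an argv list."""
    try:
        addr = ipaddress.IPv4Address(user_input)
    except ValueError:
        raise ValueError("input is not a literal IPv4 address") from None
    # Use the parsed, re-serialised address, never the raw string.
    return ["ping", "-c", str(count), str(addr)]


def strict_filter_allows(user_input: str) -> bool:
    """True only when the input survives the allowlist check."""
    try:
        build_ping_argv(user_input)
        return True
    except ValueError:
        return False


def run_ping(user_input: str) -> str:
    """Run ping without a shell, so metacharacters are never interpreted."""
    argv = build_ping_argv(user_input)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return done.stdout


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:20} weak={weak_filter_allows(s)} strict={strict_filter_allows(s)}")
```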
2 - Challenge Name : Comparison
This PHP code compares the input in the text parameter.
If both parts of the condition are true, it will print the flag.
I found that 0010e2 = 1e3 = 1000
The correct flag is returned when 1000 is in the text parameter.
3 - Challenge Name : hidden in plain sight
I didn’t find anything in the source code.
Let’s see what is in robots.txt
Opening /su3rSecrttttt/ redirects to a login page.
I will try SQL injection to see if anything happens.
Now I need to bypass the login page.
Enter admin'# as the username and any password.
Looool Fake FlAG :(
Open /su3rSecrttttt/ again, because I am logged in as admin.
4 - Challenge Name : EvilCalc
When I saw the challenge, I thought it was SSTI.
So let’s do it. The vulnerable parameter is taxes.
After trying some methods, I sent the request to my server.
It works. I understand the ReferenceError, and I will send another request, but with {JSON.stringify(process.env)
5 - Challenge Name : Maze
After creating an account and logging in: admin@admin.com
I get the fake flag again.
I found a comment in the source code:
<!-- The developer forget to remove /read_file?file -->
It is an LFI vulnerability, and I can read some files,
and the "The debugger caught an exception in your WSGI application" debugger is running.
I read the app.py file with the LFI.
After code review, I found that the Reset Password function is vulnerable to an AES-128 padding attack.
Entering any email creates a reset token.
I created a script to get the secret key >> resources
After I got the secret key, I changed the role from user to admin.