
Pico CTF 2022: Web-exploitation 🏁 🕸 👨🏻‍💻

Local Authority

Can you get the flag? Go to this website and see what you can discover.

Flag : picoCTF{j5_15_7r4n5p4r3n7_6309e949}

First we tried to log in with a random username and password to trigger the login-failed message. Viewing the source of that page shows a PHP login handler that uses the submitted password to build the flag file.

The source also references a separate JavaScript file that checks the username and password on the client side, so the expected credentials are readable by anyone who loads the page.

Logging in with the credentials taken from that script shows the flag.

Includes

Can you get the flag? Go to this website and see what you can discover.

Flag : picoCTF{1nclu51v17y_1of2_f7w_2of2_f4593d9d}

In style.css

/*picoCTF{1nclu51v17y_1of2_*/

In script.js

// f7w_2of2_f4593d9d}

Inspect HTML

Can you get the flag? Go to this website and see what you can discover.

The flag is left in the page's HTML source and can be read with the browser's developer tools (Inspect).

Flag : picoCTF{1n5p3t0r_0f_h7ml_dd513514}

Can you get the flag? Go to this website and see what you can discover.

Change the value of the isAdmin cookie from 0 to 1 (for example in the browser's developer tools) and reload the page to see the flag.

Flag : picoCTF{gr4d3_A_c00k13_dcb9f091}

Search source

The developer of this website mistakenly left an important artifact in the website source, can you find it?

Mirror the site with wget as below, then grep the downloaded files for "picoCTF" (we used VS Code's search); the flag is in a custom CSS file.

wget -m http://saturn.picoctf.net:56488/index.html

Flag : picoCTF{1nsp3ti0n_0f_w3bpag3s_227d64bd}

Roboto Sans

The flag is somewhere on this web application not necessarily on the website. Find it. Check this out.

  1. Check out robots.txt.
  2. Decode the base64 strings it contains.
  3. The path decodes to /js/myfile.txt.
  4. Navigate to that path and you will see the flag.

Flag : picoCTF{Who_D03sN7_L1k5_90B0T5_a4f5cc70}
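The steps above can be automated. The following is an added example, not code from the writeup or from picoCTF: it parses a robots.txt, pulls out every Disallow value, and keeps only the values that decode as base64 to printable text. The robots.txt content is constructed for the example; its base64 entry is the encoding of /js/myfile.txt, the path named above. Plain paths such as /cgi-bin/ fail the length or alphabet check and are left alone.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed robots.txt standing in for the challenge's real file.
# "L2pzL215ZmlsZS50eHQ=" is base64 for "/js/myfile.txt".
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: L2pzL215ZmlsZS50eHQ=
"""

# Standard base64 alphabet with optional '=' padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def disallowed_paths(robots_txt: str) -> List[str]:
    """Return every Disallow value, in order, as written in the file."""
    paths = []
    for line in robots_txt.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow":
            paths.append(value.strip())
    return paths


def decode_if_base64(value: str) -> Optional[str]:
    """Decode value if it is well-formed base64 yielding printable ASCII.

    A real path like "/js/" is made of valid base64 characters, so the
    alphabet check alone is not enough; the decoded bytes must also be
    printable text before we treat the entry as an encoded path.
    """
    if len(value) % 4 != 0 or not BASE64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def hidden_paths(robots_txt: str) -> List[str]:
    """Paths the site tried to hide behind base64 in its robots.txt."""
    found = []
    for raw in disallowed_paths(robots_txt):
        decoded = decode_if_base64(raw)
        if decoded is not None:
            found.append(decoded)
    return found


if __name__ == "__main__":
    for path in hidden_paths(SAMPLE_ROBOTS_TXT):
        print("decoded Disallow entry:", path)
```

Fetch the real robots.txt with curl and feed its text to hidden_paths(); anything it returns is a candidate URL to visit.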

Forbidden Paths

Can you get the flag? Here’s the website. We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag?

The filter only rejects absolute paths, so a relative path traversal payload still works. The web root /usr/share/nginx/html/ is four directories below /, so supplying the path below as the file to read walks up to / and returns flag.txt:

../../../../flag.txt

Flag : picoCTF{7h3_p47h_70_5ucc355_26b22ab3}
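To make the bypass concrete, here is an added example (not the challenge's source, which we never saw) contrasting the kind of check the challenge describes with a check that resolves the path first. Both filters are assumptions about the server's logic; the web root and flag location are the ones the challenge text gives. The naive filter rejects anything starting with "/" and otherwise joins the input onto the web root, so the traversal payload normalises to /flag.txt. The hardened filter normalises first and then requires the result to stay under the web root.

```python
import posixpath
from typing import Optional

# Locations from the challenge text.
WEB_ROOT = "/usr/share/nginx/html"
FLAG_PATH = "/flag.txt"


def naive_filter(user_path: str) -> Optional[str]:
    """Assumed vulnerable check: block absolute paths only.

    Returns the path the server would actually open, or None if blocked.
    """
    if user_path.startswith("/"):
        return None
    # The OS resolves ".." at open() time, so show the normalised result.
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def hardened_filter(user_path: str) -> Optional[str]:
    """Resolve the path, then refuse anything outside the web root.

    Real code should also call os.path.realpath() so symlinks under the
    web root cannot point back outside it; posixpath is used here so the
    example behaves the same on every platform.
    """
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_path))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def reads_flag(filter_fn, user_path: str) -> bool:
    """True if the filter lets user_path resolve to the flag file."""
    return filter_fn(user_path) == FLAG_PATH


if __name__ == "__main__":
    payload = "../../../../flag.txt"
    for name, fn in (("naive", naive_filter), ("hardened", hardened_filter)):
        print(f"{name:8s} {payload!r} -> {fn(payload)!r}")
```

Four "../" segments are exactly enough because normpath pops html, nginx, share and usr before appending flag.txt; a fifth would be collapsed at / and still work.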

Secrets

We have several pages hidden. Can you find the one with the flag? The website is running here.

gobuster -u http://saturn.picoctf.net:54925/ -w /opt/seclists/Discovery/Web-Content/common.txt -t 20

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://saturn.picoctf.net:54925/
[+] Threads      : 20
[+] Wordlist     : /opt/seclists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2022/03/16 13:07:44 Starting gobuster
=====================================================
/index.html (Status: 200)
/secret (Status: 301)
=====================================================
2022/03/16 13:08:43 Finished
=====================================================

Visiting /secret redirects to a URL without the port, so we have to add the port number back by hand to reach the page. There is no flag there, but the page source (viewed in the developer console) references another hidden directory under secret.

Following the hidden folder one level further leads to the secret/hidden/superhidden/ directory, whose HTML contains the flag.

Flag : picoCTF{succ3ss_@h3n1c@10n_34327aaf}

SQL Direct

Connect to this PostgreSQL server and find the flag!

psql -h saturn.picoctf.net -p 57594 -U postgres pico
pico=# help
You are using psql, the command-line interface to PostgreSQL.
Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

pico=# \dt
         List of relations
 Schema | Name  | Type  |  Owner   
--------+-------+-------+----------
 public | flags | table | postgres
(1 row)

pico=# SELECT * FROM flags;
 id | firstname | lastname  |                address                 
----+-----------+-----------+----------------------------------------
  1 | Luke      | Skywalker | picoCTF{L3arN_S0m3_5qL_t0d4Y_0414477f}
  2 | Leia      | Organa    | Alderaan
  3 | Han       | Solo      | Corellia
(3 rows)

Flag : picoCTF{L3arN_S0m3_5qL_t0d4Y_0414477f}

SQLiLite

Can you login to this website?

username:admin'--
password:admin'--


Your flag is: picoCTF{L00k5_l1k3_y0u_solv3d_it_33d32a56}

This post is licensed under CC BY 4.0 by the author.