Pico CTF 2022 Web-exploitation

Pico CTF 2022 Web-exploitation

Can you get the flag? Go to this website and see what you can discover.

Local Authority

Flag : picoCTF{j5_15_7r4n5p4r3n7_6309e949}

First we tried to login using random username and password to get the login failed message. We can check the source of the web page and see that there is a php function that’s using password to create a flagfile.

image

From the source, we see another javascirpt file that’s checking for username and password.

image

We can find the flag after successfully logging in.

image

Includes

Can you get the flag? Go to this website and see what you can discover. Flag : picoCTF{1nclu51v17y_1of2_f7w_2of2_f4593d9d}

In style.css

/*picoCTF{1nclu51v17y_1of2_*/

In script.js

// f7w_2of2_f4593d9d}

Inspect HTML

Can you get the flag? Go to this website and see what you can discover.

Can be found in browser’s developer console. Flag : picoCTF{1n5p3t0r_0f_h7ml_dd513514}

Can you get the flag? Go to this website and see what you can discover.

Change the cookie value isAdmin from 0 to 1 to see the flag.

Flag : picoCTF{gr4d3_A_c00k13_dcb9f091}

Search source

The developer of this website mistakenly left an important artifact in the website source, can you find it?

Mirror the webpage with wget as below and search the flag in custom css file using vscode

wget -m <http://saturn.picoctf.net:56488/index.html>

Flag : picoCTF{1nsp3ti0n_0f_w3bpag3s_227d64bd}

Roboto Sans

The flag is somewhere on this web application not necessarily on the website. Find it. Check this out.

  1. Check out robots.txt
  2. Decode the base64 strings
  3. The path will decode to /js/myfile.txt
  4. Navigate to the path and you will see the flag. Flag : picoCTF{Who_D03sN7_L1k5_90B0T5_a4f5cc70}

Forbidden Paths

Can you get the flag? Here’s the website. We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag?

Craft the below LFI exploit to read the contents of flag.txt file using relative path. ../../../../flag.txt

Flag : picoCTF{7h3_p47h_70_5ucc355_26b22ab3}

Secrets

We have several pages hidden. Can you find the one with the flag? The website is running here.

gobuster -u http://saturn.picoctf.net:54925/ -w /opt/seclists/Discovery/Web-Content/common.txt -t 20

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://saturn.picoctf.net:54925/
[+] Threads      : 20
[+] Wordlist     : /opt/seclists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2022/03/16 13:07:44 Starting gobuster
=====================================================
/index.html (Status: 200)
/secret (Status: 301)
=====================================================
2022/03/16 13:08:43 Finished
=====================================================

By visiting the the /secret you will get redirected. Just need to put in the port number again to reach the page as shown in the screenshot below. However, there are no flags here. But as we look into the sources via developer console we can see that there is another hidden directory in secret.

image

By diving deeper into the hidden folder and finally we are able to see the secret/hidden/superhidden/ directory as below with the flag in html.

image

Flag : picoCTF{succ3ss_@h3n1c@10n_34327aaf}

SQL Direct

Connect to this PostgreSQL server and find the flag!

psql -h saturn.picoctf.net -p 57594 -U postgres pico
pico=## help;
You are using psql, the command-line interface to PostgreSQL.
Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

pico=# \dt
         List of relations
 Schema | Name  | Type  |  Owner   
--------+-------+-------+----------
 public | flags | table | postgres
(1 row)

pico=# SELECT * FROM flags;
 id | firstname | lastname  |                address                 
----+-----------+-----------+----------------------------------------
  1 | Luke      | Skywalker | picoCTF{L3arN_S0m3_5qL_t0d4Y_0414477f}
  2 | Leia      | Organa    | Alderaan
  3 | Han       | Solo      | Corellia
(3 rows)

Flag : picoctf{L3arN_S0m3_5qL_t0d4Y_0414477f}

SQLiLite

Can you login to this website?

username:admin'--
password:admin'--

image

Your flag is: picoCTF{L00k5_l1k3_y0u_solv3d_it_33d32a56}