MetaCTF 2020 writeup

Hi everybody! I recently took part in MetaCTF CyberGames 2020 which was held on 24 Oct.

Here is the link if you want to try the challenges: https://compete.metactf.com/30/


This is my writeup. Hope you all like it!

WEB Exploitation

1. High Security Fan Page

Description- Someone has changed the password to the admin panel. We have to find the password.


  1. On inspecting the source code we found a suspicious JavaScript file being loaded into the page.

  2. On opening the JavaScript file we found the username and password to the admin panel. The flag was the password to the panel.


2. Everyone Loves a Good Cookie

Description- Cookies are used by websites to keep track of user sessions and help with authentication. Can you spot the issue with this site and convince it that you're authenticated?


  1. Upon visiting the page we found an input field and a submit button. We tried a common password and hit submit.
  2. The page responds with a Set-Cookie parameter as shown below:
  3. We tried sending a request with the cookie value changed to cm-authenticated=1, but it didn't do anything.
  4. Then we noticed something odd in the console
  5. On navigating to the Docs we found,

  6. Since the SameSite attribute is set to Lax, the request won't include our modified cookie, i.e. cm-authenticated=1, unless the HTTP method is GET.
  7. So we used Burp to change the request method and the cookie,
  8. and we got the flag in the response.


3. Barry's Web Application

Description- We have to gain access to personal Docs of Barry.

  1. You can see above that the URL to the index page looks like a directory. Let's visit the /dev directory.
  2. We find the personal docs of Barry in the /dev directory.

  3. On visiting the docs/ directory we found the flag.

4. Careless redirects

Description- We have to exploit misconfigured redirects.
1. On visiting the site we are given a document. The website offers only 2 services: file share and HR portal.

2. The document is a regular Lorem ipsum document with nothing of interest in it. On visiting "your files" we are told that we should go to the SSO portal and log in as admin@decacorp.com. Now we have a username.


3. Since the challenge says careless redirects, you can notice how it redirects us to different ports for different services, i.e. 4550, 4552 and 4553.

4. Looking at the request in Burp we see a bunch of redirects, and nearly every redirect has a username and password except.

5. The above request has only a username and no key, and this redirect is for the SSO portal. It makes sense to change this username to admin@decacorp.com, and it did.


CRYPTOGRAPHY:

1. Welcome to the Obfuscation Games!

Description- We are given a command; we have to find the flag.
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAEFgjl8A/xXMMQrCQBCF4as8FltPIFaCnV3A8jFmn8ngupuYaUS8e5LyL77//vHQcWxLIHWj8Cw2wBd4RWyp2resjMm+pVlOJxzmGWekm8Iu3fU3ScXrwIf1L26C+4CtijukBY3hb/3TCj2Ieh9qAAAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

The command contains a Base64-encoded string; on decoding it we find it is a Gzip file.


Executing the command below, we get the Gzip file.

Open the file and you get the Flag.
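
The same unpacking can be done statically, so that the IEX at the end of the command never runs the hidden script. The Python below is an added example, not part of the original writeup or the challenge: the function names (unpack_layer, unpack_all, make_sample) are hypothetical, and the sample input is constructed in the same Base64 + Gzip shape as the challenge command rather than taken from it.

```python
import base64
import re
import zlib

# Matches the literal passed to [Convert]::FromBase64String("...") in a PowerShell one-liner.
B64_CALL = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)', re.IGNORECASE)
GZIP_MAGIC = b"\x1f\x8b"
MAX_OUTPUT = 1 << 20   # cap decompressed size to blunt decompression bombs
MAX_LAYERS = 10        # stop runaway nesting


def unpack_layer(script):
    """Return the decoded inner text of one Base64(+Gzip) layer, or None if there is none."""
    match = B64_CALL.search(script)
    if match is None:
        return None
    raw = base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)
    if raw.startswith(GZIP_MAGIC):
        # wbits=31 selects the gzip container; output is truncated at MAX_OUTPUT bytes
        raw = zlib.decompressobj(31).decompress(raw, MAX_OUTPUT)
    return raw.decode("utf-8", errors="replace")


def unpack_all(script):
    """Peel nested layers statically; the script text is only parsed, never executed."""
    layers = [script]
    while len(layers) <= MAX_LAYERS:
        inner = unpack_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def make_sample(payload):
    """Constructed test input: wraps text the same way the challenge command does."""
    blob = base64.b64encode(zlib.compressobj(wbits=31).compress(payload.encode())
                            + b"").decode() if False else \
        base64.b64encode(__import__("gzip").compress(payload.encode())).decode()
    return ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
            'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream('
            '$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();' % blob)


if __name__ == "__main__":
    nested = make_sample(make_sample('Write-Host "constructed-sample"'))
    for depth, text in enumerate(unpack_all(nested)):
        print("--- layer %d ---\n%s" % (depth, text))
```

Passing the challenge command as a string to unpack_all returns each layer as text for reading.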




