Pico CTF

picoCTF Web Exploitation Reflections

Inspect Me (125 pts)

Incredibly basic: view the page source for part 1 of the flag, then inspect the attached .js and .css files for parts 2 and 3.

picoCTF{ur_4_real_1nspect0r_g4dget_e96dd105

Client Side is Still Bad (150pts)

Using inspect source again, the flag is provided in plain text and the password is verified client side.

Rejoin the split text to form the flag:

picoCTF{client_is_bad_5e06ac}

Logon (150pts)

This one threw me off a little bit, as being the 3rd in the series for Web Exploitation you’d expect it to be quite easy. I gained this flag by simply editing the cookie parameter of the ‘admin’ field to True instead of False. I know this was not the intended solution, as this is the solution for a later challenge, but it still worked.

The cookie was edited using a Cookie Editor extension for Chromium-based browsers.

picoCTF{l0g1ns_ar3nt_r34l_82e795f4}

Irish Name Repo (200 pts)

Very simple SQL injection attack: as the hint suggested, profiles were kept in a database. I used the most basic injection:

' OR 1=1;--

picoCTF{con4n_r3411y_1snt_1r1sh_8cf1b7e7}

Mr. Robots (200pts)

The name of this challenge reveals the answer. The robots.txt file provides web crawlers with some parameters used in SEO, as well as ‘asking’ a robot not to visit a specific page.
The robots.txt file of this challenge provided a hidden web page: http://2018shell.picoctf.com:10157/143ce.html

This page reveals the flag.

picoCTF{th3_w0rld_1s_4_danger0us_pl4c3_3lli0t_143ce}

No Login (200 pts)

This is the challenge that I accidentally solved for an earlier challenge. It seems this one uses the same cookies as Logon (150pts), which means the flag was revealed to me immediately, as I had already changed the Admin parameter of the cookie to true.

picoCTF{n0l0g0n_n0_pr0bl3m_ed714e0e}

Secret Agent(200 pts)

The hint is in the name of this challenge and in the hint itself: what part of the browser identifies you, and how can you pretend to be someone else?
That part is the User-Agent. A quick Google search for how to spoof the User-Agent (this can be done in the Developer Tools of Chromium), together with the failure message you get when you attempt to fetch the flag (You’re not google!), leads you to spoof your browser’s User-Agent to that of Googlebot.

picoCTF{s3cr3t_ag3nt_m4n_ac87e6a7}

Buttons(250pts)

This simple PHP application begins with a button. When you click that button, you are taken to another page with a second button. If you click this button, you get rickrolled.

The hint suggests that the buttons are different, so we need to inspect the source code to find out how.

Button 1 sits within a form whose action is submitted via POST. Nothing wrong here.

Button 2 seems to just be a hyperlink. What?? How are we meant to make Button 2 behave as though it were a POST form?

I used an application called Postman (which used to be a browser extension) to forcefully send a POST request to the button2.php page, instead of treating it as a hyperlink.

The response to the POST request returned the flag.

picoCTF{button_button_whose_got_the_button_3e5652dd}

The Vault (250pts)

This is the first challenge that I found challenging. It is a simple login form whose PHP source is provided, and the code also checks for SQL injection.

Upon opening this challenge, you are given a link to view the source code.

You can see that when you submit information via POST, it first sanitizes any attempt at XSS with the htmlspecialchars() function, a common PHP function for sanitization.
It then checks whether either your username or your password matches the regex pattern, which evaluates to ' OR or " OR.
If either of your inputs contains that string, preg_match() returns true, or 1, and the code then checks whether any of your inputs scored 1 or above, which would indicate that one of those fields contains the filtered regex pattern, i.e. an SQL injection attempt.

After much tinkering with various SQL statements and forced POSTs using Postman, it dawned on me that you can escape an SQL query without using OR if you already know one of the inputs.
So, I guessed that the username was 'admin', and then escaped the rest of the query using ';--
Logging in with admin';-- and any password provided the flag.
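As an added example (not the challenge's own PHP), here is a Python model of the check the source describes: HTML-escaping plus a denylist for ' OR and " OR, with the query still built by string concatenation, placed beside a parameterised version of the same login. The regex, the users table and the account in it are assumptions I constructed. It shows why a denylist is the wrong defence: it stops the textbook ' OR 1=1;-- but not the comment-based input above, whereas the parameterised query treats both as plain data.

```python
import re
import sqlite3
from html import escape

# Assumed reconstruction of the challenge's denylist (the page only says it
# matches ' OR or " OR): a quote followed by the word OR, case-insensitive.
DENYLIST = re.compile(r"""['"]\s*OR\b""", re.IGNORECASE)


def denylist_flags(value: str) -> bool:
    """Stand-in for the preg_match() check: True when the input looks like an OR-based injection."""
    return DENYLIST.search(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample table with one account (placeholder password, not from the challenge)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """The challenge's pattern: HTML-escape, apply the denylist, then concatenate the SQL."""
    # escape(quote=False) mimics htmlspecialchars() without ENT_QUOTES: it rewrites
    # & < > for the HTML context but leaves the quote that matters for SQL untouched.
    username, password = escape(username, quote=False), escape(password, quote=False)
    if denylist_flags(username) or denylist_flags(password):
        return "blocked"
    sql = f"SELECT 1 FROM users WHERE username='{username}' AND password='{password}'"
    try:
        row = conn.execute(sql).fetchone()  # ';-- turns the rest of the line into a comment
    except sqlite3.Error:
        return "error"
    return "logged in" if row else "denied"


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Parameterised query: the input is bound as data, never parsed as SQL, so no denylist is needed."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return "logged in" if row else "denied"


if __name__ == "__main__":
    db = make_db()
    for user in ("' OR 1=1;--", "admin';--"):
        print(f"{user!r:16} vulnerable={vulnerable_login(db, user, 'x'):10} safe={safe_login(db, user, 'x')}")
```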

picoCTF{w3lc0m3_t0_th3_vau1t_c4738171}

Artisinal Handcrafted HTTP 3 (300pts)

This challenge directs us to use ‘nc’ or Ncat to connect to 2018shell.picoctf.com on port 38686, and to attempt to handcraft an HTTP request in order to find the flag.
Unfortunately, I get a connection refused if I attempt this on a host or guest machine, and may have to come back to this later because I don’t think this is intended.
