🕵️ h1-ctf: Wholesome Hacky Holidays: A Writeup
Nachrichtenbereich: 🕵️ Sicherheitslücken
🔗 Quelle: vulners.com
Flag 1 Warm-up: flag{48104912-28b0-494a-9995-a203d1e261e7} Checking the robots.txt the flag can be found. Also a path is revealed: /s3cr3t-ar3a Flag 2 It's right in front of you: flag{b7ebcb75-9100-4f91-8454-cfb9574459f7} With the previously found path /s3cr3t-ar3a, the flag was hidden in plain sight. Opening the dev tools and searching for flag reveals it. Flag 3 People Rater: flag{b705fb11-fb55-442f-847f-0931be82ed9a} On the front page a new button Apps appeared. One app, the People Rater is aviailable. At URL https://hackyholidays.h1ctf.com/people-rater we can use the Grinch People Rater by clicking one of the names. For example selecting Tea Avery pops an alertbox with Awful. Looking at the request in Burp: Request: GET /people-rater/entry?id=eyJpZCI6Mn0= HTTP/1.1 Host: hackyholidays.h1ctf.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Connection: close Referer: https://hackyholidays.h1ctf.com/people-rater Response: ``` HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 15 Dec 2020 03:47:29 GMT Content-Type: application/json Connection: close Content-Length: 57 {"id":"eyJpZCI6Mn0=","name":"Tea Avery","rating":"Awful"} ``` In the request, we see the parameter id=eyJpZCI6Mn0= which is an encoded base64 string. Decoding it reveals {"id":2}. Simply replacing the value with... ...
🍏 Checklist 309: The Hacky Holidays Special
📈 40.27 Punkte
🍏 iOS / Mac OS
🐧 Wholesome linux
📈 24.82 Punkte
🐧 Linux Tipps
📰 Wholesome Direct 2020 angekündigt
📈 24.82 Punkte
📰 IT Nachrichten
🕵️ Writeup to the FLARE-ON 7 challenge
📈 18.62 Punkte
🕵️ Reverse Engineering
🔧 HackTheBox - Writeup Sau [Retired]
📈 18.62 Punkte
🔧 Programmierung