Points: 300
Web Exploitation
We found a hidden flag server hiding behind a proxy, but the proxy has some... interesting ideas of what qualifies someone to make HTTP requests. Looks like you'll have to do this one by hand. Try connecting via nc 2018shell1.picoctf.com 42496, and use the proxy to send HTTP requests to flag.local. We've also recovered a username and a password for you to use on the login page: realbusinessuser/potoooooooo.
Be the browser. When you navigate to a page, how does your browser send HTTP requests? How does this change when you submit a form?
Doing an initial GET request for /, we can see a link to /login.
GET / HTTP/1.1
Host: flag.local
HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 321
etag: W/"141-LuTf9ny9p1l454tuA3Un+gDFLWo"
date: Sun, 30 Sep 2018 14:26:00 GMT
connection: close
<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
<a href="/login">Login</a>
</header>
<main>
<p>You need to log in before you can see today's flag.</p>
</main>
</body>
</html>
When we do another GET request for /login, we can see the login form and the parameters it requires (user and pass). We can use the username and password provided in the question.
GET /login HTTP/1.1
Host: flag.local
HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 498
etag: W/"1f2-UE5AGAqbLVQn1qrfKFRIqanxl9I"
date: Sun, 30 Sep 2018 14:35:39 GMT
connection: close
<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
<a href="/login">Login</a>
</header>
<main>
<h2>Log In</h2>
<form method="POST" action="login">
<input type="text" name="user" placeholder="Username" />
<input type="password" name="pass" placeholder="Password" />
<input type="submit" />
</form>
</main>
</body>
</html>
When we send a POST request to /login with the username and password, a cookie is set.
POST /login HTTP/1.1
Host: flag.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Connection: keep-alive
Upgrade-Insecure-Requests: 1
user=realbusinessuser&pass=potoooooooo
HTTP/1.1 302 Found
x-powered-by: Express
set-cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D; Path=/
location: /
vary: Accept
content-type: text/html; charset=utf-8
content-length: 46
date: Sun, 30 Sep 2018 14:37:38 GMT
connection: keep-alive
<p>Found. Redirecting to <a href="/">/</a></p>
All we have to do now is send that cookie in a GET request for / and get the flag.
GET / HTTP/1.1
Host: flag.local
Cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D;
HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 438
etag: W/"1b6-eYJ8DUTdkgByyfWFi6OJJSjopFg"
date: Sun, 30 Sep 2018 14:38:54 GMT
connection: close
<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
<div class="user">Real Business Employee</div>
<a href="/logout">Logout</a>
</header>
<main>
<p>Hello <b>Real Business Employee</b>! Today's flag is: <code>picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_2e14}</code>.</p>
</main>
</body>
</html>
Working solution: solve.py
picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_2e14}
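The same exchange, automated as an added example (my own illustration, not the author's solve.py): it assembles the raw HTTP/1.1 requests the way the writeup types them into nc, parses the 302 to pull out Set-Cookie, and replays only the name=value part on GET /. The proxy address, Host header and credentials are the ones from the challenge text; nothing else is assumed.

```python
import socket
from urllib.parse import urlencode

PROXY = ("2018shell1.picoctf.com", 42496)  # proxy from the challenge text
TARGET_HOST = "flag.local"                  # Host header the proxy routes on

def build_request(method, path, host, headers=None, body=b""):
    """Assemble a raw HTTP/1.1 request the way a browser would (CRLF line ends)."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    lines.append("Connection: close")  # server closes, so recv() sees EOF
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body

def parse_response(raw):
    """Split a raw response into (status_code, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode(errors="replace").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode(errors="replace")

def session_cookie(set_cookie):
    """Only name=value is echoed back in Cookie:; Path= and friends are attributes."""
    return set_cookie.split(";", 1)[0].strip()

def send(request):
    """Send one request through the proxy and read until the server closes."""
    with socket.create_connection(PROXY, timeout=10) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))

if __name__ == "__main__":
    form = urlencode({"user": "realbusinessuser", "pass": "potoooooooo"}).encode()
    status, hdrs, _ = send(build_request("POST", "/login", TARGET_HOST,
        {"Content-Type": "application/x-www-form-urlencoded"}, form))
    assert status == 302, f"login did not redirect: {status}"
    cookie = session_cookie(hdrs["set-cookie"])
    _, _, page = send(build_request("GET", "/", TARGET_HOST, {"Cookie": cookie}))
    print(page[page.index("picoCTF{"):].split("}", 1)[0] + "}")
```

Note that the form body urlencode produces is exactly the 38-byte user=realbusinessuser&pass=potoooooooo string from the writeup, so Content-Length matches the manual request.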