KnightCTF Web Writeups - Part 2

Knight CTF Web Writeups

CTF Name : KnightCTF 2022

Category : Web

Hello CTF players! Let's see the web writeups of KnightCTF 2022 - Part II

Before Reading this, Read Part I

6 . Can You Be Admin?

### Web Page Looks Like this:

#### Upon changing the header to KnightSquad

Response: This page refers to knight squad home network. So, Only Knight Squad home network can access this page.

Now, add a header Referer: localhost

Server Responded with a Login Page:

Here, the author left some encoded content in a comment:

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])....A Long Encoded String

Decode this with a JSFuck decoder.

Then decode the decoded text again with Ascii85.

Use these creds to log in.

There is a cookie tracking us.

VXNlcl9UeXBl and Tm9ybWFsX1VzZXI= are Base64 Encoded.

Tm9ybWFsX1VzZXI -> Base64 Decode -> Normal_User

Now, encode Admin in Base64 and use it to replace the Normal_User value.

Flag: KCTF{FiN4LlY_y0u_ar3_4dm1N}

7 . My PHP Site

Web Page Looks Like :

In the URL, there is a file param, which is vulnerable to LFI.

file=/etc/passwd returns

As the author mentioned, it's a PHP site, so let's view index.php with PHP wrappers.

Payload: php://filter/convert.base64-encode/resource=index.php

Decode this string with Base64

But the s3crEt_fl49.txt is in the web root dir.

Flag: KCTF{L0C4L_F1L3_1ncLu710n}


First Look:

Upon checking the Source Code:

We need to send a POST request to the /api/request/auth_token endpoint.

It returns an auth_token.

Upon adding X-Authorized-For: <auth_token> to the request, it redirects to /admin_dashboard

Flag: KCTF{cOngRatUlaT10Ns_wElCoMe_t0_y0ur_daShBoaRd}

9. Find the Pass Code 2

This is the 2nd version of another chal.

First Look:

The author had already mentioned that ?source will give the source.


There is something called PHP type juggling.

It is about loose comparison (==) versus strict comparison (===).


Magic String Used : 0e1137126905

Flag: KCTF{ShOuD_wE_cOmPaRe_MD5_LiKe_ThAt__Be_SmArT}

10 . Most Secure Calculator - 2

First Look:

Upon Viewing the Source:

It looks like a regex is filtering the input.

Note: only numbers and symbols are accepted, and our input is passed to eval().

So, we are going to encode our payload in octal.

Here, ( ) ' are allowed, so we don't need to encode these characters.

Then remove the white spaces, add \ before each octal value, and add " around each string before the ().

So, Our Payload: "\163\171\163\164\145\155"("\143\141\164\40\146\154\141\147\56\164\170\164")

Flag: KCTF{sHoUlD_I_uSe_eVaL_lIkE_tHaT}
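
Why the letter filter in Most Secure Calculator - 2 does not protect eval(), and one way to replace eval() with a parser, as an added example (not the challenge's source; needs PHP 8). The filter regex and the names passes_filter, safe_calc, parse_level and parse_factor are assumptions; the payload string is the one from this writeup and is only inspected, never evaluated.

```php
<?php
declare(strict_types=1);

// Assumption: the challenge filter only rejects letters ("only numbers and symbols").
function passes_filter(string $in): bool {
    return preg_match('/[A-Za-z]/', $in) === 0;
}

// Hardened replacement for eval(): tokenize, then parse this grammar only:
//   expr   := term (('+'|'-') term)*      term := factor (('*'|'/') factor)*
//   factor := NUMBER | '-' factor | '(' expr ')'
function safe_calc(string $in): float {
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $in, $m);
    // Anything that is not part of a token (quotes, backslashes, ...) is an error.
    if ($m[0] === [] || implode('', $m[0]) !== preg_replace('/\s+/', '', $in)) {
        throw new InvalidArgumentException('illegal character in expression');
    }
    $i = 0;
    $v = parse_level($m[0], $i);
    if ($i !== count($m[0])) throw new InvalidArgumentException('trailing tokens');
    return $v;
}
// Level 0 handles + and -, level 1 handles * and /, level 2 is a factor.
function parse_level(array $t, int &$i, int $lvl = 0): float {
    if ($lvl === 2) return parse_factor($t, $i);
    $ops = $lvl === 0 ? ['+', '-'] : ['*', '/'];
    $v = parse_level($t, $i, $lvl + 1);
    while ($i < count($t) && in_array($t[$i], $ops, true)) {
        $op = $t[$i++];
        $r = parse_level($t, $i, $lvl + 1);
        if ($op === '/' && $r == 0.0) throw new InvalidArgumentException('division by zero');
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}
function parse_factor(array $t, int &$i): float {
    if ($i >= count($t)) throw new InvalidArgumentException('unexpected end');
    $tok = $t[$i++];
    if ($tok === '-') return -parse_factor($t, $i);
    if (is_numeric($tok)) return (float)$tok;
    if ($tok !== '(') throw new InvalidArgumentException("unexpected token $tok");
    $v = parse_level($t, $i);
    if ($i >= count($t) || $t[$i++] !== ')') throw new InvalidArgumentException('missing )');
    return $v;
}
// Payload string copied from the writeup; single quotes keep the backslashes literal.
$p = '"\163\171\163\164\145\155"("\143\141\164\40\146\154\141\147\56\164\170\164")';
var_dump(passes_filter($p));   // does the letter-only filter accept it?
echo stripcslashes($p), "\n";  // what the octal escapes expand to inside double quotes
echo safe_calc('2 * (3 + 4) - 1'), "\n";
try { safe_calc($p); } catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
```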