No Paste

- Checking the website, we can see that the input is disabled

- Checking the source, we get script.js; analyzing it:

// script.js as served by the challenge (identifiers are minified); comments added for readability
const _2f7956 = document.getElementById('challengeInput').value; // value of the (disabled) input box
fetch('/submit?input=' + encodeURIComponent(_2f7956), {'method': 'POST'}) // POST /submit?input=<value>
.then(_101da1 => _101da1.json())
.then(_5c2193 => {
const _ae2c45 = document.getElementById('result');
_5c2193.success ? _ae2c45.textContent = 'Flag: ' + _5c2193.flag : _ae2c45.textContent = _5c2193.message; // show the flag on success, otherwise the server's message
})
.catch(_3c7f8d => {
console.error('Error:', _3c7f8d);
});
- We are able to see that we can send a POST request to /submit?input= with the input bypass123

- Constructing a request accordingly using burp:
POST /submit?input=bypass123 HTTP/2
Host: paste.h7tex.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

- Once we send the request, we obtain the flag

Code Breaker

- Checking the website, there is a login page

- There is also an admin page, at the endpoint /admin

- Logging in with the mentioned credentials

- Analyzing the requests and responses in burp, we are able to see that the session id is just the base64 encoded username followed by some random digits. Example, in this case, user1 is the username and 738 are the random digits

- Changing user1 to admin and trying different random digits, also changing the endpoint to /admin

- We are able to get the right admin cookie in the response

- Now changing the cookie to the intended value, we get the flag
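To make the weakness concrete, here is an added example (not code from the challenge) that parses the session cookie layout described above and contrasts it with an opaque server-side session. The exact layout is an assumption reconstructed from the writeup: base64 of the username followed by three digits, so the sample cookie "dXNlcjE=738" is constructed from user1 and 738.

```python
import base64
import binascii
import re
import secrets

# Constructed sample cookie: base64("user1") + "738" (assumed layout, see lead-in)
WEAK_COOKIE = "dXNlcjE=738"


def decode_weak_session(cookie):
    """Split the weak cookie into (username, digits); None if it does not fit.

    Because the username is only base64-encoded, anyone can read it, and the
    only unknown part is the three digits: 1000 candidates for any username.
    """
    m = re.fullmatch(r"([A-Za-z0-9+/=]+?)(\d{3})", cookie)
    if not m:
        return None
    try:
        username = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return username, m.group(2)


class SessionStore:
    """Hardened replacement: an opaque random token mapped to the user server-side.

    The token carries no information about the account, and with 256 bits of
    CSPRNG output there is nothing to enumerate.
    """

    def __init__(self):
        self._sessions = {}

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def lookup(self, token):
        # Unknown or forged tokens simply have no entry
        return self._sessions.get(token)


if __name__ == "__main__":
    print(decode_weak_session(WEAK_COOKIE))
    store = SessionStore()
    t = store.issue("user1")
    print(t, store.lookup(t))
```

The defender's takeaway is that a session identifier must be unguessable and unlinkable to the account; encoding the username in it is what turns "try different random digits" into a workable attack.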

NewsLeaks

- Checking the website, we are able to find different newspaper articles

- Analyzing the requests we are able to see a file parameter, so it could be Local File Inclusion (LFI)

- We can use different payloads from online if you are not aware of performing LFI. You can bruteforce the payloads from here

- We are gonna try the manual way; usually the web root directory will be in /var/www/html. So keeping that in mind and trying ../../../etc/passwd

- We are able to see that it's filtering some / and .

- Trying to double it and see, example: ....//....//....//etc/passwd

- We can see 3 dots are reflected, so removing 1 dot, the final payload: ...//...//...//etc/passwd

- YAAYYYYYY, but wait, where is the flag? Our payload bypassed the filter, but we still need to figure out the number of directories. Thinking, or trying adding one more ...//, and understanding that there is a /news directory, so we need to go back one extra time

- We got the flag

Paper Chase

- This is similar to the previous one, but with better filters. REALLY? LOL!

- Analyzing the requests we are able to see a file parameter, so it could be Local File Inclusion (LFI)

- Trying the same payload that we found, we are able to see that when there are 2 dots it is converted to #

- Trying different approaches, what succeeded is file:. So trying it and extracting the contents: file:///etc/passwd

- We got the flag

Pizza

- I was the only guy to solve this challenge, NOT A FLEX :)

- Registering, and logging in as a new user

- Analyzing the requests and responses in burp, we get a JWT

- Using jwt.io to decode, changing isAdmin to true and sending the token

- But when we submit the cookie, it says invalid token

- Trying to crack the secret using hashcat with jwt.secrets.list:
$ hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list
- Signing using the secret key, and changing the cookie
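The two outcomes above (the jwt.io edit rejected as invalid token, the re-signed token accepted) come down to how HS256 verification works. This added example, written for this page and not taken from the challenge, implements HS256 signing and verification with the standard library, reproduces the edit-without-resigning step so the rejection can be seen, and adds the check a defender wants: the secret must be long and random rather than a word from a list. The sample claims and the small WEAK_SECRETS set are constructed stand-ins for the real token and for jwt.secrets.list.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for jwt.secrets.list: a secret in such a list is
# recoverable offline, which is what the hashcat step relies on
WEAK_SECRETS = {b"secret", b"password", b"changeme", b"jwt_secret"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs256(token, secret):
    """Return the claims if the signature is valid under HS256, otherwise None.

    The algorithm is pinned server-side; the token's alg field is only checked
    against that pin, never used to pick a verifier. The HMAC is compared in
    constant time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None


def edit_claims_without_resigning(token, **changes):
    """The jwt.io edit from the writeup: change the payload but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    new_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


def secret_is_strong(secret, wordlist=WEAK_SECRETS):
    """Mitigation check: at least 32 bytes and not a dictionary word."""
    return len(secret) >= 32 and secret not in wordlist


def new_signing_secret():
    """How the secret should be generated in the first place."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    token = sign_hs256({"user": "bob", "isAdmin": False}, b"secret")  # constructed claims
    print(verify_hs256(token, b"secret"))
    print(verify_hs256(edit_claims_without_resigning(token, isAdmin=True), b"secret"))
    print(secret_is_strong(b"secret"), secret_is_strong(new_signing_secret()))
```

The verifier is doing its job in both cases: a payload edit breaks the HMAC, so the server correctly says invalid token. The actual defect is the secret, which a 32-byte CSPRNG value would put out of reach of any wordlist.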

- Adding an item to cart, and opening cart

- Placing the order

- Entering the information

- We get the order details

- Analyzing the requests and responses in burp, we are able to see the token of the order

- Also while querying the order status there is an endpoint going to /api/order/SUQ1

- The endpoint SUQ1 is base64 encoded

- Modifying the base64 encoding to ID0, which is SUQw

- Trying to query the order with the generated JWT

- We can also change the cookie token in cookie editor

- We got the flag
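The order lookup is an object-level authorization failure: base64 hides nothing, and the endpoint returned whatever id was asked for. As an added example (not the challenge's code), the following shows the encoding round trip for the ids from the writeup and an order handler that checks ownership before returning anything. The ORDERS table and its owners are constructed; the writeup only shows that SUQ1 and SUQw decode to ID5 and ID0.

```python
import base64
import binascii

# Constructed order table: plain id -> (owner, details)
ORDERS = {
    "ID0": ("alice", "1x Margherita"),
    "ID5": ("bob", "2x Pepperoni"),
}


def encode_order_ref(order_id):
    """The reference as it appears in /api/order/<ref>: just base64 of the id."""
    return base64.b64encode(order_id.encode("ascii")).decode("ascii")


def decode_order_ref(ref):
    """Base64 is encoding, not protection: anyone can reverse it and change it."""
    try:
        return base64.b64decode(ref, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def get_order(ref, requesting_user):
    """Object-level authorization: the record is returned only to its owner.

    A missing order and someone else's order both yield None, so the response
    does not reveal whether a modified reference points at a real record.
    """
    order_id = decode_order_ref(ref)
    if order_id is None:
        return None
    record = ORDERS.get(order_id)
    if record is None or record[0] != requesting_user:
        return None
    return record[1]


if __name__ == "__main__":
    print(encode_order_ref("ID5"), encode_order_ref("ID0"))
    print(get_order("SUQ1", "bob"))    # bob's own order
    print(get_order("SUQw", "bob"))    # alice's order: None
```

The ownership check is the fix; replacing the sequential IDn values with random identifiers only makes guessing harder and is not a substitute for it.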
