No Paste
- Checking the website, we can see that the `input` is disabled
- Checking the source, we get `script.js`; analyzing it:

```javascript
// Read the (disabled) input field and submit its value to /submit as a query parameter of a POST request
const _2f7956 = document.getElementById('challengeInput').value;
fetch('/submit?input=' + encodeURIComponent(_2f7956), {'method': 'POST'})
  .then(_101da1 => _101da1.json())
  .then(_5c2193 => {
    // On success the server returns the flag, otherwise an error message
    const _ae2c45 = document.getElementById('result');
    _5c2193.success ? _ae2c45.textContent = 'Flag: ' + _5c2193.flag : _ae2c45.textContent = _5c2193.message;
  })
  .catch(_3c7f8d => {
    console.error('Error:', _3c7f8d);
  });
```
- From this we can see that the page sends a `POST` request to `/submit?input=`, and the expected input is `bypass123`
- Constructing a request accordingly using `burp`:

```http
POST /submit?input=bypass123 HTTP/2
Host: paste.h7tex.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```
- Once we send the request, we obtain the `flag`
Code Breaker
- Checking the website, there is a login page
- There is also an admin page, at the endpoint `/admin`
- Logging in with the mentioned credentials
- Analyzing the `requests and responses` in burp, we can see that the `session id` is just the `base64` encoded username followed by some random digits. For example, in this case `user1` is the username and `738` are the random digits
- Changing `user1` to `admin`, trying different random digits, and also changing the endpoint to `/admin`
- We are able to get the right `admin cookie` in the response
- Now changing the cookie to the intended value, we get the `flag`
NewsLeaks
- Checking the website, we find different newspaper articles
- Analyzing the `requests`, we can see a `file` parameter, so it could be `Local File Inclusion (LFI)`
- If you are not familiar with performing `LFI`, you can use different payloads from online; you can bruteforce the payloads from here
- We are going to try the manual way. Usually the web root directory will be in `/var/www/html`, so keeping that in mind, trying `../../../etc/passwd`
- We can see that it is filtering some `/` and `.`
- Trying to double them and see, for example: `....//....//....//etc/passwd`
- We can see `3 dots` are reflected, so removing `1 dot`, the final payload is `...//...//...//etc/passwd`
- YAAYYYYYY, but wait, where is the flag? Our payload bypassed the filter, but we still need to figure out the number of directories. Thinking, or trying by adding one more `...//`, we understand that there is a `/news` directory, so we need to go back one extra time
- We got the `flag`
Paper Chase
- This is similar to the previous one, but with better filters. REALLY? LOL!
- Analyzing the `requests`, we can see a `file` parameter, so it could be `Local File Inclusion (LFI)`
- Trying the same payload that we found, we can see that whenever there are `2 dots` they are converted to `#`
- Trying different approaches, `file:` succeeded. So trying it and extracting the contents: `file:///etc/passwd`
- We got the `flag`
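Both LFI challenges above share one root cause: the `file` parameter is sanitised by substring rewriting (stripping some dots and slashes, or turning `..` into `#`) instead of being canonicalised and confined to the web root, which is why nested `....//` sequences and the `file://` wrapper still get through. The following Python is an added example, not part of this writeup or the challenge code, showing the check a server should do instead; `WEB_ROOT` follows the writeup's `/var/www/html` assumption, and `naive_strip` is a hypothetical model of a single-pass filter, not the challenge's real filter.

```python
import os
import re

# Constructed web root, following the writeup's assumption of /var/www/html.
WEB_ROOT = "/var/www/html"
# Matches a stream-wrapper/URL scheme prefix such as "file:" or "php:".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def naive_strip(user_value):
    """Hypothetical model of a single-pass filter (not the challenge's real code):
    removing "../" once lets a nested "....//" collapse back into "../"."""
    return user_value.replace("../", "")


def resolve_include(user_value, root=WEB_ROOT):
    """Return the path relative to `root` that `user_value` resolves to, or None
    when the request must be refused. Canonicalising first and only then checking
    the prefix means no amount of dot/slash nesting can escape the root, and
    rejecting scheme prefixes keeps wrappers like file:/// away from include()."""
    if not user_value or "\x00" in user_value:
        return None
    if SCHEME_RE.match(user_value):
        return None
    root = os.path.realpath(root)
    # os.path.join discards `root` when user_value is absolute; the prefix
    # check below catches that case as well.
    candidate = os.path.realpath(os.path.join(root, user_value))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return os.path.relpath(candidate, root)


if __name__ == "__main__":
    for value in ("news/article.html", "../../../etc/passwd",
                  "....//....//....//etc/passwd", "file:///etc/passwd"):
        print(f"{value!r:40} -> {resolve_include(value)!r}")
```

Note that the doubled payload is not rejected but simply resolves to a literal `....` directory under the root, which is the correct outcome: the resolver never needs to recognise the trick, only to refuse anything that ends up outside the root.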
Pizza
- I was the only guy to solve this challenge, NOT A FLEX :)
- Registering, and logging in as a new user
- Analyzing the `requests and responses` in burp, we get a `JWT`
- Using `jwt.io` to decode, changing `isAdmin` to `true` and sending the `token`
- But when we submit the cookie, it says `invalid token`
- Trying to crack the `secret` using `hashcat` with `jwt.secrets.list`:

```shell
hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list
```
- Signing using the `secret` key, and changing the cookie
- Adding an item to the cart, and opening the `cart`
- Placing the order
- Entering the information
- We get the order details
- Analyzing the `requests and responses` in burp, we can see the token of the `order`
- Also while querying the `order status`, there is an endpoint going to `/api/order/SUQ1`
- The endpoint value `SUQ1` is `base64` encoded (it decodes to `ID5`)
- Modifying the base64 encoding to `ID0`, which is `SUQw`
- Trying to query the order with the `generated JWT`
- We can also change the `cookie token` in `cookie editor`
- We got the `flag`