#
Knight CTF Web Writeups
CTF Name : KnightCTF 2022
Category : Web
#
Can You Be Admin?
- Web Page Looks Like this:
- Upon changing the header to
KnightSquad
Response: This page refers to knight squad home network. So, Only Knight Squad home network can access this page.
Now, Adding a Header Referer: localhost
Server Responded with a Login Page:
Here, author commented some encoded Stuffs
[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])....A Long Encoded String
By Decoding the with JSFUCK Decoder
Again Decode this decoded text with ascii-85
Using this creds and Login
There are some Cookie is tracking us
VXNlcl9UeXBl
and Tm9ybWFsX1VzZXI=
are Base64 Encoded.
Tm9ybWFsX1VzZXI
-> Base64 Decode -> Normal_User
Now, Encode Admin in Base64 and Replace with Normal_User
Flag: KCTF
#
My PHP Site
Web Page Looks Like :
In Url, there is a File param, with is vulnerable to to LFI
file=/etc/passwd
retuns
As he mentioned, its php site, so, lets View index.php with php wrappers
Payload: php://filter/convert.base64-encode/resource=index.php
Decode this string with Base64
But, the s3crEt_fl49.txt
in the web root dir.
Flag: KCTF
#
BYPASS! BYPASS! BYPASS!
First Look:
Upon checking the Source Code:
We need to Send a Post Request to /api/request/auth_token
endpoint
It returns a auth_token.
upon adding X-Authorized-For: <auth_token>
to the request,
Its, Redirects to /admin_dashboard
Flag: KCTF
#
Find the Pass Code 2
This is the 2nd Version of a another chal.
First Look:
He had Mentioned already, that ?source
will give the Source
Source:
There is something called PHP type juggling.
Loose Comparison
and Strict Comparison
Magic String Used : 0e1137126905
Flag: KCTF
#
Most Secure Calculator - 2
First Look:
Upon Viewing the Source:
Looks Like, Some Regex is filtering the Inputs
Note: Only Numbers and Symbols are Accepted
, Our Input is Passed to eval()
So, We are Going to Encode Our payload into Octal
Here, ( ) '
are allowed, So, we not need to encode these characters
Then, Remove White Spaces and add \
and add "
before a ()
So, Our Payload: "\163\171\163\164\145\155"("\143\141\164\40\146\154\141\147\56\164\170\164")
Flag: KCTF