# Knight CTF Web Writeups

By

godson

●

In

●

Published 2022-01-22

CTF Name : KnightCTF 2022

Category : Web

# Can You Be Admin?

Web Page Looks Like this:

Upon changing the header to KnightSquad

Response: This page refers to knight squad home network. So, Only Knight Squad home network can access this page.

Now, Adding a Header Referer: localhost

Server Responded with a Login Page:

Here, author commented some encoded Stuffs

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])....A Long Encoded String

By Decoding the with JSFUCK Decoder

Again Decode this decoded text with ascii-85

Using this creds and Login

There are some Cookie is tracking us

VXNlcl9UeXBl and Tm9ybWFsX1VzZXI= are Base64 Encoded.

Tm9ybWFsX1VzZXI -> Base64 Decode -> Normal_User

Now, Encode Admin in Base64 and Replace with Normal_User

Flag: KCTF

# My PHP Site

Web Page Looks Like :

In Url, there is a File param, with is vulnerable to to LFI

file=/etc/passwd retuns

As he mentioned, its php site, so, lets View index.php with php wrappers

Payload: php://filter/convert.base64-encode/resource=index.php

Decode this string with Base64

But, the s3crEt_fl49.txt in the web root dir.

Flag: KCTF

# BYPASS! BYPASS! BYPASS!

First Look:

Upon checking the Source Code:

We need to Send a Post Request to /api/request/auth_token endpoint

It returns a auth_token.

upon adding X-Authorized-For: <auth_token> to the request,

Its, Redirects to /admin_dashboard

Flag: KCTF

# Find the Pass Code 2

This is the 2nd Version of a another chal.

First Look:

He had Mentioned already, that ?source will give the Source

Source:

There is something called PHP type juggling.

Loose Comparison and Strict Comparison

Magic String Used : 0e1137126905

Flag: KCTF

# Most Secure Calculator - 2

First Look:

Upon Viewing the Source:

Looks Like, Some Regex is filtering the Inputs

Note: Only Numbers and Symbols are Accepted, Our Input is Passed to eval()

So, We are Going to Encode Our payload into Octal

Here, ( ) ' are allowed, So, we not need to encode these characters

Then, Remove White Spaces and add \ and add " before a ()

So, Our Payload: "\163\171\163\164\145\155"("\143\141\164\40\146\154\141\147\56\164\170\164")

Flag: KCTF