Under Inspection (100 pts)
WAS my flag? Part I (250 pts) no soln
Leaky Logs (300 pts) no soln
Looking Inwards (300 pts) no soln
Yummy Vegetables (300 pts) no soln
Custom Blog (350 pts) no soln
Web Inspection (375 pts) no soln
Look, if you had one shot (400 pts) no soln
WAS my flag? Part II (475 pts) no soln
Someone made this site for the Autobots to chat with each other. Seems like the Decepticons have found the site too and made accounts.
One of the Autobot accounts has a flag that they're trying to keep hidden from the Decepticons, can you figure out which account it is and steal it?
Looking into the site, we see that the login page has javascript to verify the login credentials.
function loginSubmission() {
var username = document.getElementById("username").value;
var password = document.getElementById("password").value;
var result = document.getElementById("result");
var accounts = [
{user: "Admin", pwd: "MetaCTF{super_secure_password}"},
{user: "Bumblebee", pwd: "MetaCTF{sting_like_a_bee}"},
{user: "Starscream", pwd: "MetaCTF{the_best_leader_of_the_decepticons}"},
{user: "Jazz", pwd: "MetaCTF{do_it_with_style_or_dont_do_it_at_all}"},
{user: "Megatron", pwd: "MetaCTF{peace_through_tyranny}"},
];
for(var a in accounts) {
if(accounts[a].user == username && accounts[a].pwd == password) {
if(username == "Jazz") {
result.innerHTML = "Welcome, Jazz. The flag is " + password;
} else {
result.innerHTML = "Welcome, " + username + ".";
}
return false;
}
}
result.innerHTML = "Login Failed. Please try again";
return false;
}
Judging from if(username == "Jazz") {
I assume that the correct user is Jazz
, we can easily get the corresponding password.
My coworkers have been raving about this slick new flag generation tool, but I'm struggling to figure out how to use it. Can you help me find a flag that will satisfy the algorithms?
Business, INC, the world's premier widget manufacturer, just released their fancy new dashboard, using all the hottest new web technologies from 2010.
This account doesn't seem to have a ton of access. Sucks.
Can you access the flag at
/flag.txt
?
It's always fun to take a moment of introspection, in this case not about oneself, but about our field (development/security). For example when it comes to API design, first there were SOAP endpoints primarily based on XML. Then as Web 2.0 came along, RESTful APIs became all the rage. Recently, technologies like GraphQL began to gain traction.
With new technologies, though, come new classes of attacks. Check out this basic GraphQL API server. To get you started, here's one cool thing it can do: If you send it a
query
in the form ofecho(message: "message_here")
, it will respond with what you said. Can you get it to give you the flag?
I love me my vegetables, but I can never remember what color they are! I know lots of people have this problem, so I made a site to help.
Here's some sauce to go with the vegetables: index.js
This guy wrote his own blog in PHP instead of, I dunno, literally anything else. Can you teach him a lesson?
The server is running php 7.4.26. If you're running locally, use Docker
php@sha256:920a88344203adf78471ca898773f0e0ac171fb4a3be4ba2d4f9585163aaf038
Note: You won't be able to read the flag directly. If the flag appears to be empty, try a different strategy.
We've deployed a fairly simple program that can take input and display its hash in a number of different formats. It's available on both Windows and Linux.
Get down in the weeds and see if you can understand how it works. You may want go beyond static analysis on this one. Try connecting it to a debugger (using default debugger settings!) and watch what requests it makes - I bet there'll be a flag waiting.
Or one opportunity. To guess one mfa code on the website. In one moment. Could you hack it? Or just let it slip?
During a penetration test of Generally Quirky Labs' online websites, you stumbled across their company employee portal. After some recent brute force attacks, the security team got tired of watching hackers knock on the door all day long. So they implemented both MFA and Captcha codes, using some of the latest technologies. Unfortunately for them, they were not aware of one of the technologies' features...Note: DOSing the website by sending web requests is not the way.
Username:
[email protected]
Password:
yHfm34P9@v!Ge6
The last flag generation tool was a smash hit. We ended up shelling out the big bucks for the deluxe edition. Can you get this one working too?