Inspect Element

Maybe using Inspect Element will help you! Small hint: If you’re struggling with reproducing it on remote, you can use socat to proxy the remote instance to localhost:1337 like this: socat TCP-LISTEN:1337,fork OPENSSL:xxx--xxx-1234.ctf.kitctf.de:443 and it should behave exactly like a locally running docker container. Category: web Solver: aes, Liekedaeler, lukasrad02 Flag: GPNCTF{D4NG3R0U5_D3BUGG3R} Writeup In this challenge, all we get is a Dockerfile. Given what the other web challenges looked like, this is quite strange....

June 12, 2024 · 2 min · aes, Liekedaeler, lukasrad02

Even more flags

I heard you like flags, so I launched Chrome with a lot of flags again so you can get your flag! This time the flag is localhost:1337/flag, and the bot will visit your URL! Category: Web Solver: lukasrad02, Liekedaeler Flag: GPNCTF{WHY_D0_50M3_0F_TH353_FL4G5_3V3N_3X15T} Scenario As the name of the challenge suggests, this challenge is a follow-up on So many flags, so it might make sense to read the writeup for that challenge first....

June 9, 2024 · 4 min · lukasrad02, Liekedaeler

Refined Notes

All my friends warned me about xss, so I created this note taking app that only accepts “refined” Notes. Category: Web Solver: lukasrad02, aes Flag: GPNCTF{3nc0d1ng_1s_th3_r00t_0f_4ll_3v1l} Scenario This challenge features a minimalistic note-taking app. We can enter a note into a text box, click a button to save it, and it becomes available under a URL containing the UUID of the note. No source code is provided for the challenge, so we can only take a look at the sources delivered to our browser....

June 7, 2024 · 5 min · lukasrad02, aes

Secure Notes

These XSS vectors are getting ridiculous! So I made a secure note app. The only NPM dependency is DOMPurify, and I directly store the output of DOMPurify.sanitize and serve that back, so it has to be secure, right? It’s barely 16 LoC! Category: Web Solver: aes, lukasrad02 Flag: GPNCTF{UN1C0D3_15_4_N34T_4TT4CK_V3CT0R} Writeup As the challenge description suggests, the code for this challenge is indeed pretty compact. Thus, we can even take a look at it here in this writeup:...

June 7, 2024 · 5 min · aes, lukasrad02

Flag remover

I removed the flag :P Category: web Solver: aes, Liekedaeler, lukasrad02 Flag: GPNCTF{1_L0V3_L3G4CY_F34TUR3S} Writeup This challenge — like a few other web challenges in this CTF — is a nodeJS- and express-based web application. It has four routes that we should examine further. First off, there are the / and /removeFlag.js HTTP GET routes. These only serve static strings but their responses will become important later. There also is an admin bot that can be triggered via the /admin POST route....

June 3, 2024 · 4 min · aes, Liekedaeler, lukasrad02

Never gonna tell a lie and type you

todo Category: Web Solver: lukasrad02 Flag: GPNCTF{1_4M_50_C0NFU53D_R1GHT_N0W} Scenario The challenge consists of a web application powered by a single PHP script that receives data from the HTTP POST parameter data and then does a couple of things: The string from the data parameter is parsed as JSON and stored as $user_input. The user agent of the request is compared against the string "friendlyHuman" and requests with any other user agent are aborted....

June 3, 2024 · 3 min · lukasrad02

So many flags

I heard you like flags, so I launched Chrome with a lot of flags so you can get your flag! The flag is in /flag.txt, and the bot will visit the HTML file you uploaded! Category: web Solver: aes, lukasrad02, Liekedaeler Flag: GPNCTF{CL1_FL4G5_4R3_FL4G5_T00} Writeup This challenge allows us as the attacker to upload an HTML file to the server. The description already tells us that the server will visit the file we upload and that the flag is located at /flag....

June 3, 2024 · 3 min · aes, lukasrad02, Liekedaeler

todo

I made a JS API! Sadly I had no time to finish it :( Category: web Solver: aes, Liekedaeler, lukasrad02 Flag: GPNCTF{N0_C0MM3NT_b7c62b1e} Writeup We are given the source code of a Node.JS web application. Looking around, we see that the source code consists of a server.js file that runs on the server and a script.js file that is served to the client by the server. Taking a closer look at the server code, we find four HTTP routes that are defined....

June 3, 2024 · 3 min · aes, Liekedaeler, lukasrad02

todo-hard

I made a JS API! Sadly I had no time to finish it :( But I had time to make it harder! Category: web Solver: aes, rgw, lukasrad02 Flag: GPNCTF{TH4T_W45_D3F1N1T3LY_N0T_4N_0V3RS1GHT} Writeup This challenge is extremely similar to the todo challenge in this CTF. To be exact, the two challenges differ in only two lines, namely the following in the server.js file: // NEW: run JS to replace the flag with "nope" await page....

June 3, 2024 · 3 min · aes, rgw, lukasrad02

Letter to the editor

Old software, good software: Clone and pwn: https://github.com/FirebaseExtended/firepad Category: Web Solver: 3mb0, mp455 Flag: GPNCTF{fun_w1th_0p3n_s0urc3} Scenario The challenge links to the open source software FirePad which is a Collaborative Text Editor Powered by Firebase. Additionally, the challenge provides a simple HTTP instance with the text No admin running at the moment. Start (120s timeout) and the Start link. The link redirects to an intermediate page Your pad link: admin starting up, check back in a moment and after refreshing provides a link to a pad on the public firepad demo site Your pad link: https://demo....

June 1, 2024 · 3 min · mp455

faleval

My friend makes ymmuy faleval, but sometimes he mixes up things… but what can you do? Author: @gehaxelt Category: Web Solver: lukasrad02, aes Flag: ENO{YummY_YummY_Falafel_Expl01tz} Scenario Similar to the other web challenges of this CTF, the challenge consists of a single PHP file. When visiting the web site, we can access the PHP source code via a link. Stripping things like the link to the source code, we are left with the following code:...

April 4, 2024 · 3 min · lukasrad02, aes

Slippy

You’ve found a portal for a firmware upgrade service, responsible for the deployment and maintenance of rogue androids hunting humans outside the tractor city. The question is… what are you going to do about it? Category: Web Solver: rgw, nh1729, n1k0 Flag: HTB{i_slipped_my_way_to_rce} Writeup In this web challenge, we get a docker template of a flask web server. The user can upload .tar.gz archives which are extracted into a temporary directory on the server....

December 2, 2021 · 3 min · rgw, nh1729, n1k0

SteamCoin

Meet SteamCoin, the first decentralized cryptocurrency of the SteamPunk realm that provides you the liberty to exchange value without intermediaries and translates to greater control of funds and lower fees. Sign up today in our SteamCoin wallet to get equipped with the tools and information you need to buy, sell, trade, invest, and spend SteamCoins. Category: Web Solver: nh1729, n1k0, t0b1 Flag: HTB{w3_d0_4_l1ttl3_c0uch_d0wnl04d1ng} Writeup The challenge consists of a Node....

December 2, 2021 · 4 min · nh1729, n1k0, t0b1

baby bonechewercon

The devil is enticing us to commit some sandboxed SSTI feng shui, would you be interested in doing so? Category: web Solver: davex, shm0sby Flag: HTB{b3nt_tw1g_t0_my_will!} Writeup The task was very simple. We had the source code of the challenge and we knew there was /flag which might contain our flag. ;) The challenge used Symfony as application framework and Twig as templating engine. We simply had to use basic injection on Twig which could be found in [1]....

March 24, 2021 · 1 min · davex, shm0sby

one line php challenge

Just some not so regular disable_functions / open_basedir PHPfu. Category: web Solver: davex, shm0sby, lmarschk Flag: HTB{iconv_r34lly_b3_d01ng_us_lik3_th4t} Writeup The challenge PHP file itself was quite simple; the challenge shipped as a Docker container with some further configs, and those configs were the more interesting part. The PHP file only takes a GET parameter which is then passed to an eval() call. We also know there is a file called /readflag which prints the flag....

March 24, 2021 · 5 min · davex, shm0sby, lmarschk

WafWaf

Who let the blacklists out? Category: web Solver: davex, shm0sby Flag: HTB{wh0_l3t_th3_w4fs_0ut?!..w00f..w00f.w00f!} Writeup When you visit the challenge site, it directly shows you the source of the challenge: <?php require('database.php'); $user = $_GET['user']; $pass = $_GET['pass']; if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass)) { highlight_file(__FILE__); exit; } $mysql = get_db(); $mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'"); do { if ($result = $mysql->store_result()) { if ($row = $result->fetch_assoc()) { echo json_encode($row) ....

March 24, 2021 · 3 min · davex, shm0sby

Cached Web

I made a service for people to cache their favourite websites, come and check it out! But don’t try anything funny, after a recent incident we implemented military grade IP based restrictions to keep the hackers at bay… Category: web Solver: davex, lmarschk Writeup The first look at the challenge already gave an intuition of what the solution looks like. The title of the web page was Rebind Me. This hints that the solution might be a DNS rebinding attack....

3 min · davex, lmarschk

Gunship

A classmate was assigned with developing a website using a prototype-based language called Javascript. Now we have Gunship, a tribute page to the legendary synthwave band... what could possibly go wrong? Solver: davex Category: web Walkthrough The first look at the challenge already hinted at a part of the solution. The title of the challenge webpage is This hints that AST injections will be part of this challenge. Furthermore, the first look into the source code of the challenge gave a huge hint for the solution...

5 min · davex