For this CTF, there were four web challenges which were fairly easy and the overall CTF was fun.
Challenge 1 - Web 50 Evaluation
Evaluate your life. How are you doing, and are you doing the best you can possibly do? Look deeper within yourself, beyond the obvious. Look at the source of it all.
This challenge took us to a page revealing following source code:
Pretty much evident that we need to pass a
GET parameter which was
hello. Since whatever input we are giving is going to get evaluated and we know that the flag is inside
cat flag.php | grep sun -ni
gave the flag.
Final payload: http://evaluation.web1.sunshinectf.org/?hello=
Challenge 2 - Web 100 Marceau
Hey my friend tells me that the flag is in this site's source code. Idk how to read that though, lol (ðŸ…±ï¸retty lame tbh ðŸ˜‚)
We were greeted with the following text in the challenge page which was in between
You specifically want my PHP source. Why did you accept anything else?
Apart from this, by the time I started playing the CTF, there was a hint already provided which made it pretty easy where the hint was:
Hint 2018-04-06 00:20 UTC: There are many different types of MIMEs, but only a handful were truly legendary...
Intercepting with burp and modifying
text/php reveals the flag. For this, a quick googling of
PHP MIME types gave the further insight.
Challenge 3 - Web 150 Home Sweet Home
Looks like this site is doing some IP filtering. That's very FORWARD thinking of them.
Well, description itself says that we need to use
X-Forwarded-For and that was it for the challenge.
The challenge page is greeted with
220.127.116.11 This IP address is not authorized.
Intercepting the request and adding
X-Forwarded-For:127.0.0.1 gives us the flag.
Challenge 4 - Web 250 SearchBar
This search engine doesn't look very secure.
Or well coded.
Or competent in any way shape or form.
This should be easy.
Note: flag is in /etc/flag.txt
We were greeted with a page wherein
https://www.google.com was filled and also a submit button. Clicking on the submit button takes a to a page where it is shown as fetching the source code. Okay, now since our aim was to read the
flag from the location we know, I tried fuzzing through the search bar and found that
www.google.com was necessary and also they were using
parse_url. I had recently read a blog regarding the same.
I then used another scheme which was
file:// but then using
/ soon after being used for scheme was also blocked. And hence, a simple payload
http://search-box.web1.sunshinectf.org/?submit=Submit&site=file://www.google.com/etc/flag.txt# gave the flag.