Cyber Security Rumble — Germany — CTF Challenge

Challenge : Cyberwall

Task : We had problems with hackers, but now we got an enterprise firewall system built by a leading security company.

Author: rugo|RedRocket

The challenge is to break into the application’s Cyberwall aka login firewall.

The page seems to require only a password to log in (note: no username is required). From this we can assume that there is no database in the backend to process the data, so the password must be hard-coded in the source file or in another file in the current working directory. Now let’s take a look at the login page source code,

Here we find JavaScript code that checks the password directly in the page source, i.e. on the client side:

<script type="text/javascript">
function checkPw() {
    // Read the value of the password field and compare it against a
    // literal string that ships with the page, so any visitor can read it.
    var pass = document.getElementsByName('passwd')[0].value;
    if (pass != "rootpw1337") {
        alert("This Password is invalid!");
        return false;
    }
    window.location.replace("management.html");
}
</script>

The function checkPw() checks whether the entered password differs from “rootpw1337” and, if so, shows an error. So by analyzing this piece of code we have found the password: the check runs entirely in the browser, where anyone can read the expected value.

Using “rootpw1337” as the password, we can log in to the website’s management.html page.

It took me roughly 3 to 4 mins to bypass the login page. Now I’m stuck in the management.html page wondering where the heck my flag is. I started to analyze its source code but I couldn’t find any lead. Suddenly, something in the side menu panel got my attention: “Debugging”. I clicked on the Debugging button on the side panel and it took me to the debug page, where I found an input field that was using a ping function,

The ping function is used to ping a host. So I just tried to ping my all-time favorite, google.com,

Okay, it just pinged google.com as we would normally do in a terminal.

So I just tried to execute multiple commands in the input field, like “google.com; ls”,

We just verified that it executes multiple commands from a single input: the input is passed to a shell, which treats the semicolon as a command separator. By analyzing the output I found that it listed the files in the current directory,

requirements.txt
static
super_secret_data.txt
templates
webapp.py
wsgi.py

Here we can see that there is a juicy file called “super_secret_data.txt”. Now we just have to use the “cat” command to make the file spit out its contents.

Now we just have to feed the input as “;cat super_secret_data.txt” or “google.com; cat super_secret_data.txt” to make the system spit out the file contents,

The system spat out the secret flag hidden inside the file.

PING google.com (66.102.1.113) 56(84) bytes of data.
64 bytes from wb-in-f113.1e100.net (66.102.1.113): icmp_seq=1 ttl=114 time=1.01 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.008/1.008/1.008/0.000 ms
CSR{oh_damnit_should_have_banned_curl_https://news.ycombinator.com/item?id=19507225}

The hidden flag is:

CSR{oh_damnit_should_have_banned_curl_https://news.ycombinator.com/item?id=19507225}
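The debug page’s bug, as an added example that is not the challenge’s own webapp.py code: a hypothetical reconstruction of a ping handler that pastes user input into a shell command line, beside a hardened version that accepts only a hostname or IP literal and hands ping an argument vector with no shell involved (which also keeps a leading “-” from being read as a ping option).

```python
import ipaddress
import re
import subprocess

# Hypothetical reconstruction of the vulnerable handler (not the challenge's
# webapp.py): the target is interpolated into a shell command line, so a value
# such as "google.com; ls" makes the shell run a second command.
def ping_vulnerable(target: str) -> str:
    result = subprocess.run(f"ping -c 1 {target}", shell=True,
                            capture_output=True, text=True)
    return result.stdout + result.stderr

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_target(target: str) -> bool:
    """Accept only an IP address literal or an RFC 1123 style hostname.
    Shell metacharacters, whitespace, empty labels and a leading '-' (which
    ping would parse as an option) are all rejected by the allow-list."""
    if not target or len(target) > 253 or target.startswith("-"):
        return False
    try:
        ipaddress.ip_address(target)   # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)

def ping_argv(target: str) -> list:
    """Argument vector for the hardened handler. Each element reaches ping
    as-is; nothing is re-parsed by a shell."""
    if not is_valid_target(target):
        raise ValueError(f"refusing to ping {target!r}")
    return ["ping", "-c", "1", target]

def ping_hardened(target: str) -> str:
    result = subprocess.run(ping_argv(target), capture_output=True,
                            text=True, timeout=10)
    return result.stdout + result.stderr

if __name__ == "__main__":
    # Constructed inputs: the write-up's payloads are rejected, a hostname passes.
    for candidate in ["google.com", "google.com; ls", ";cat super_secret_data.txt", "-f"]:
        print(f"{candidate!r}: valid={is_valid_target(candidate)}")
```

The handler should also be behind a real server-side login; the validation above only closes the injection, not the missing access control.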

Thanks for reading my blog on “Cyber Security Rumble Germany — CTF Challenge”. See you again later on another interesting blog, Bye.

Challenge Scoreboard :

My User Name : H1v3

My Position : 368 out of 912

Mottikumar