BSidesSF 2021 CTF: Higher Hurdles

Higher Hurdles

101 points

Last year, we made you jump over some web hurdles. I hope you’re ready to stretch your legs even further.

https://higher-hurdles-74a23189.challenges.bsidessf.net

(author: matir)

Solution

Scroll down if you are not interested in the long, step-by-step journey.

curl https://higher-hurdles-74a23189.challenges.bsidessf.net/
You'll be rewarded with a flag if you can make it over some /hurdles.
curl https://higher-hurdles-74a23189.challenges.bsidessf.net/hurdles
I'm sorry, I was expecting the PUT Method.
curl -X PUT https://higher-hurdles-74a23189.challenges.bsidessf.net/hurdles
I'm sorry, Your path would be more exciting if it ended in !!
curl -X PUT 'https://higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!'
I'm sorry, Your URL did not ask to `retrieve` the `flag` in its query string.
curl -X PUT 'https://higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag'
I'm sorry, I was looking for a parameter named &=&=&
curl -X PUT 'https://higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=something'
I'm sorry, I expected '&=&=&' to equal '%00
'
curl -X PUT 'https://higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A'
I'm sorry, Basically, I was expecting the username username.
curl -X PUT 'https://username@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A'
I'm sorry, Basically, I was expecting the password to be the hex representation of the sha3-224 of the author of this challenge.
echo -n matir | openssl dgst -sha3-224
(stdin)= 4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A'
I'm sorry, I was expecting you to be using a 1337 Browser.
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337'
I'm sorry, I was expecting your browser version (v.XXXX) to be over 9000!
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999'
I'm sorry, I was expecting this to be forwarded through 127.1.1.1
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 1.1.1.1, 127.1.1.1'
I'm sorry, I was expecting this to be forwarded through 10.5.4.3
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 1.1.1.1, 10.5.4.3, 127.1.1.1'
I'm sorry, I was expecting this to be forwarded through 19.18.0.1
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 1.1.1.1, 19.18.0.1, 10.5.4.3, 127.1.1.1'
I'm sorry, I was expecting the forwarding client to be 13.37.37.13
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1'
I'm sorry, I was expecting a Fortune Cookie
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=""'
I'm sorry, I was expecting the cookie to contain the number of the HTTP Cookie (State Management Mechanism) RFC from 2011.
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265'
I'm sorry, I expect you to accept only plain text media (MIME) type.
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265' -H 'Accept: text/plain;'
I'm sorry, Ich hatte erwartet, dass Sie Deutsch akzeptieren.
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265' -H 'Accept: text/plain;' -H 'Accept-Language: de'
I'm sorry, I was expecting to share resources with the origin https://ctf.bsidessf.net
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265' -H 'Accept: text/plain;' -H 'Accept-Language: de' -H 'Origin: https://ctf.bsidessf.net'
I'm sorry, I was expecting you would be refered by: https://ctf.bsidessf.net/challenges
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265' -H 'Accept: text/plain;' -H 'Accept-Language: de' -H 'Origin: https://ctf.bsidessf.net' -H 'Referer: https://ctf.bsidessf.net/challenges'
I'm sorry, Surely you'd like to express your opinion on tracking on the web as a header?
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265' -H 'Accept: text/plain;' -H 'Accept-Language: de' -H 'Origin: https://ctf.bsidessf.net' -H 'Referer: https://ctf.bsidessf.net/challenges' -H 'DNT: 1'
I'm sorry, I expected fetch metadata from the same site or origin.
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265' -H 'Accept: text/plain;' -H 'Accept-Language: de' -H 'Origin: https://ctf.bsidessf.net' -H 'Referer: https://ctf.bsidessf.net/challenges' -H 'DNT: 1' -H 'Sec-Fetch-Site: same-site'
I'm sorry, I expected the mode of this fetch to be a navigate.
curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265' -H 'Accept: text/plain;' -H 'Accept-Language: de' -H 'Origin: https://ctf.bsidessf.net' -H 'Referer: https://ctf.bsidessf.net/challenges' -H 'DNT: 1' -H 'Sec-Fetch-Site: same-site' -H 'Sec-Fetch-Mode: navigate'
I'm sorry, I expected this fetch to be user activated.

And finally…

curl -X PUT 'https://username:4ef03423738a4aa7956528feebbc65474c053f5937032dfb9219af62@higher-hurdles-74a23189.challenges.bsidessf.net/hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A' -vvvvv -H 'user-agent: 1337 Browser v.9999' -H 'X-Forwarded-For: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1' -H 'Cookie: Fortune=6265' -H 'Accept: text/plain;' -H 'Accept-Language: de' -H 'Origin: https://ctf.bsidessf.net' -H 'Referer: https://ctf.bsidessf.net/challenges' -H 'DNT: 1' -H 'Sec-Fetch-Site: same-site' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-User: ?1'
*   Trying 34.107.231.69:443...
* Connected to higher-hurdles-74a23189.challenges.bsidessf.net (34.107.231.69) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.challenges.bsidessf.net
*  start date: Feb 28 18:34:18 2021 GMT
*  expire date: May 29 18:34:18 2021 GMT
*  subjectAltName: host "higher-hurdles-74a23189.challenges.bsidessf.net" matched cert's "*.challenges.bsidessf.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'username'
* Using Stream ID: 1 (easy handle 0x55f9725a1560)
> PUT /hurdles/!!?retrieve=flag&%26%3D%26%3D%26=%2500%0A HTTP/2
> Host: higher-hurdles-74a23189.challenges.bsidessf.net
> authorization: Basic dXNlcm5hbWU6NGVmMDM0MjM3MzhhNGFhNzk1NjUyOGZlZWJiYzY1NDc0YzA1M2Y1OTM3MDMyZGZiOTIxOWFmNjI=
> user-agent: 1337 Browser v.9999
> x-forwarded-for: 13.37.37.13, 19.18.0.1, 10.5.4.3, 127.1.1.1
> cookie: Fortune=6265
> accept: text/plain;
> accept-language: de
> origin: https://ctf.bsidessf.net
> referer: https://ctf.bsidessf.net/challenges
> dnt: 1
> sec-fetch-site: same-site
> sec-fetch-mode: navigate
> sec-fetch-user: ?1
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
< x-ctf-flag: CTF{good_work_on_hurdling_past_2020}
< date: Fri, 12 Mar 2021 15:14:48 GMT
< content-length: 16
< content-type: text/plain; charset=utf-8
< via: 1.1 google
< alt-svc: clear
< 
* Connection #0 to host higher-hurdles-74a23189.challenges.bsidessf.net left intact
Congratulations!
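
The two encoding-sensitive hurdles above (the `&=&=&` parameter with its `%00` plus newline value, and the Basic-auth password) can be reproduced offline. This is an added example, not part of the original write-up; the function names are illustrative, and the expected strings are the ones visible in the curl session.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, urlencode

# Values taken from the challenge responses shown above.
PARAM_NAME = "&=&=&"      # the name itself consists of query-string delimiters
PARAM_VALUE = "%00\n"     # literal '%', '0', '0', then a newline
AUTHOR = "matir"


def build_query():
    """Percent-encode name and value so the delimiters survive parsing."""
    return urlencode([("retrieve", "flag"), (PARAM_NAME, PARAM_VALUE)])


def naive_query():
    """The same pairs pasted in without encoding (what goes wrong)."""
    return "retrieve=flag&" + PARAM_NAME + "=" + PARAM_VALUE


def server_view(query):
    """What a standard parser recovers after one decoding pass."""
    return dict(parse_qsl(query, keep_blank_values=True))


def basic_auth(user, author):
    """Password is the hex SHA3-224 of the author; header is RFC 7617 Basic."""
    password = hashlib.sha3_224(author.encode()).hexdigest()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return password, "Basic " + token


if __name__ == "__main__":
    q = build_query()
    print("encoded query :", q)
    print("parsed back   :", server_view(q))
    # Unencoded, '&' and '=' split the name apart and '%00' decodes to NUL,
    # so the server never sees a parameter called '&=&=&'.
    print("naive parse   :", server_view(naive_query()))
    pw, header = basic_auth("username", AUTHOR)
    print("password      :", pw)
    print("authorization :", header)
```

The value needs `%2500` rather than `%00` because the server decodes once: `%25` becomes a literal `%`, leaving the three characters `%00` instead of a NUL byte.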

Flag

CTF{good_work_on_hurdling_past_2020}

luc © 2021