[Easy][HeroCTF v5][Web] Drink from my Flask #1

Introduction One of your friends had an argument with a Flask developer. He tried to handle it on his own, but he ended up hitting a roadblock… Can you put your hacking skills to use and help him out? You should probably be able to access the server hosting your target’s latest project, right? I heard they make a lot of programming mistakes… Solution When we launch the challenge, we arrive at an error page that says:...

7 min · HitCat

[Nullcon HackIM CTF Goa 2025][Web] Craphp

Introduction Context Explanation Craphp is a web-based CTF challenge where the user is presented with an interface asking for a password to retrieve a flag. The challenge also provides access to the server’s source code (index.php), which we leveraged to analyze the vulnerabilities and design a strategy for exploitation. The critical insight in solving this challenge lies in understanding and exploiting weaknesses in the use of CRC (Cyclic Redundancy Check) hash algorithms within the authentication logic....

February 3, 2025 · 6 min · HitCat

[Medium][PwnMe 2023][Web] Anozer Blog

Introduction This challenge is a WEB challenge from the PWNME CTF. Context Explanation A company needs a website to generate a QR Code. They asked a freelancer to do the job. Since the website went live, they noticed strange behavior on their server. They need you to audit their code and help them fix their problem. Directive The flag is located in /app/flag.txt Solution The web application to test is a blog that allows you to create articles and display them....

May 7, 2023 · 7 min · HitCat

[Medium][HeroCTF v5][Web] Blogodogo #1

Introduction Try to access the content of the admin user’s secret note. Solution The challenge is a blog with authentication. On the homepage, we can see several posts from different users, and in the header, it says A community of 8 authors. By clicking on the name of one user, for example, lolo, who is the author of the first article, we are taken to the user’s profile page. Non-essential note for exploiting the challenge: After launching multiple instances, I realized that the 8 users are always the same: admin, bob, alice, and 5 other random users (lolo, tata, toto, …)....

7 min · HitCat

[Medium][HeroCTF v5][Web] Blogodogo #2

Introduction Log in to the admin account and retrieve the flag. Prerequisites Completed the challenge Blogodogo #1 The referral token 83d99a0ac225079db31b44a2e58b19f0 to create an account. Solution After successfully completing the previous challenge, Blogodogo #1, we obtain a referral code that allows us to create an account. This allows us to create an account with the credentials test:test. In the challenge sources, there is a directory called /bot which simulates an administrator’s connection and clicks on a link passed as a parameter:...

9 min · HitCat