dev-resources.site
for different kinds of informations.
CTF Writeup — Hackme CTF
Hi All,
This time I want to present you CTF without time pressure — you can play it as long, as you want. 🎉
Referring to the Wayback Machine, it looks that first edition of this CTF was released on 2014. Now is 2023 so almost 10y later and it is still alive, so cool!
Captured flags — HackmeCTF, source: https://ctf.uw-team.org/
Text there is not written in English, but it’s not an issue for us — we can use many tools to translate the content (our goal is focused on the flags!).
Visiting the site https://ctf.uw-team.org/ we can get to know that flags are with FLG-XXXXXX format, and… flags can be everywhere! This should be enough for us. Uh, yeah, one more thing, the rules — please notice info that automated scanners are forbidden.
At first, visit mentioned before site of HackmeCTF: https://ctf.uw-team.org
We don’t need to register in, etc. It’s quite convenient in my opinion.
Please keep in mind that thanks to writeups many things looks obvious, but the best fun is just be a participant, so I encourage you to take a part!
There can be different ways to get the same flag in some cases. 🍀
This writeup will be more focused on the final results, on showing ‘winning ways’, because of respect your time — many flags to discuss here.
There are usually many lines of thought when solving — in short, you often don’t know at the beginning how you will ultimately get a specific flag. 🚩
[FLAG-1] Source code (warm-up)
Checking source code during CTF is mostly not a bad idea. Let’s check it!
CTRL+U -> CTRL+F: “FLG-”. Result:
Flag 1 — Source code — HackmeCTF
[FLAG-2] Cookies
Author/s said that can be everywhere, right? Let’s check the cookies.
F12 -> Application. Result:
[FLAG-3] HEXView
Below our form which is used for sending a captured flags, there is some possible interesting image “TOP SECRET”. Let’s take a look closer there.
RMB -> Open in new tab: https://ctf.uw-team.org/zerknij.gif
Hm, interesting. Why it’s with .gif format? What means the file name?
Meaning is “take a look”, OK. Some kind of a tip.
Download this file. Use some image viewer/editor, ie.: IrfanView.
Select ‘View’ tab from Menu -> ‘Show HEX view’. Result:
[FLAG-4] Robots.txt
Let’s check what we will get if type something like https://ctf.uw-team.org/flag Oh, 404 error site — “Not Found”, roger that.
So, let’s check robots.txt file. Result:
Flag 4 — robots.txt — HackmeCTF
[FLAG-5] Directory listing
Let’s play again with DevTools — quite useful tool, isn’t it?
F12 -> Sources tab -> images -> select some image -> RMB -> Open in new tab. For example: https://ctf.uw-team.org/images/body_bg.png OK, cool, body background:D Let’s check /images, so remove filename with extension — go to https://ctf.uw-team.org/images/ Some ‘unknown’ .txt file, we have to check it! Result:
Flag 5 — Directory listing — HackmeCTF
[FLAG-6] Admin
Wait a second, do you remember cookies table? Let’s back there for a while.
We are not logged in (even registered:D), why there is ‘admin’ cookie with value ‘0’? Let’s change this to value ‘1’. Refresh. Result:
Flag 6 — Admin cookie — HackmeCTF
[FLAG-7] XSS — Cross-site scripting
Quite funny moment from my point of view now. Already collected at least few flags, right? One of the golden rule is “Never trust user’s input”.
Enter XSS payload alert() to captured flags’ input. Result:
[FLAG-8] Base64
A lot of fun. It’s time to use some of site tab. On the page https://ctf.uw-team.org/?page=kodowanie we can see:
2023–11–12 00:33 — RkxHLUJBU0U2NA==
2023–11–11 23:16 — dGVzdHVqZQ==
2023–11–10 22:33 — cmF6LCBkd2E=
It looks like Base64. Let’s check the content. DevTools -> Console -> use atob() function, so -> atob(‘RkxHLUJBU0U2NA==’). Result:
[FLAG-9] Parameter page=
Link for previous task was https://ctf.uw-team.org/?page=kodowanie
Check site behaviour for other parameter ‘?page=’ value, type at start ‘?page=qwe’. Result:
Flag 9 — param ?page= — HackmeCTF
[FLAG-10] CSS — 404err
Using DevTools, visit Sources tab -> style.css Result:
Flag 10 — CSS and 404err — HackmeCTF
[FLAG-11] Response header
Have you previously checked Network tab? Not yet? Good time is now!
DevTools -> Network tab -> refresh main site -> check Response Headers
Result:
Flag 11 — Response header — HackmeCTF
[FLAG-12] SQLi — SQLite Injection
Payload:
' or 1=1 -- true
So, finally: https://ctf.uw-team.org/?page=newsy&kod=%27%20or%201=1%20--%20true
Result:
Last flag is for you, please share your solutions! Tip: it is connected with ‘Redirection’ challenge.
I hope you enjoy! 🍀
Sources — HackmeCTF: https://ctf.uw-team.org/
Note: Originally published on Medium
Best wishes,
Featured ones: