27 Aug 2022 - The 2xdropout
A Legacy Blog Post From 2xdropout.xyz
Lately I’ve been slowly working my way through the web exploitation section of PicoCTF. I came across this login CTF by BOBSON and I thought it could be fun to share how I went about finding the flag. I don’t think I found the flag in the intended manner, but ¯\_(ツ)_/¯ oh well.
If you’re unfamiliar with what a CTF is, you’re probably wondering what a flag is and why I would want to find one. Well, CTF stands for capture the flag. In digital CTFs the flag we are trying to get is just a string of text that proves we completed a given challenge. The flags are often hidden in such a way that you have to use math, hacking, and/or programming skills to find them. PicoCTF is a wonderful free site, put together by Carnegie Mellon University, that focuses on cybersecurity CTFs. They break their CTFs into six different categories:
So our challenge comes from picoCTF 2019, and its description (shown in the image above) reads: “The factory is hiding things from all of its users. Can you login as Joe and find what they’ve been looking at?” We are then provided with a link to the challenge. It is entirely preference, but I am going to choose to spin up my VirtualBox VM containing a Kali Linux installation for this CTF.
Now that I have Kali up I am going to launch a tool called ZAP. ZAP (Zed Attack Proxy) is an intercepting web proxy that functions similarly to Burp Suite, is open source, and was created by the OWASP Foundation. Like Burp, ZAP comes with a web browser that lets us do things like intercept HTTP requests. To start the browser all you need to do is click on the little Firefox symbol in the upper right of the program. Once we have our browser open we can head on over to our target site.
On the target site we encounter a simple login page. If we go down to the bottom right we can turn on the HUD (heads-up display). With the HUD we can see things like possible vulnerabilities that ZAP has found on the page, comments (without viewing the source code), hidden elements, etc. Most importantly for us right now, we can turn on intercept mode (second from the top on the left-hand side of the screen). With intercept mode on, let’s see what happens when we try to log in.
Here I am attempting to log in as Joe with a password of “password”. We have a few redirects, but eventually we end up on a screen that tells us that Joe’s password is super secure.
Since nothing immediately stood out to me, the next thing I tried was to leave the username and password blank and attempt to log in. When we do that we are able to log in, just not as Joe, and we don’t seem to have the flag either.
Well, since we are able to log in without a username and password, let’s see if there is any way to exploit that. Again I turned on intercept mode through the HUD and hit sign in. Looking at our first request header I notice something that I think could be useful. We can see that the admin status is stored in a plain-text cookie that the browser sends back with each request, which means the server is trusting the client to report whether the user is an administrator. Maybe if we change this we could make our blank account an administrator and gain access to the flag that way.
So using the request editor via the ZAP HUD I changed every request’s admin value to equal True. There we go! We have our flag. We may not have gotten Joe’s password, but we still left with what we needed! I’ll take it; we don’t always have to do things exactly in the expected way.
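To make clear why that cookie was forgeable and what the server side could have done instead, here is an added Python sketch that is not part of the challenge or this post’s original content: the first check trusts whatever admin value the client sends, the second only honours a value carrying an HMAC produced with a server-held key, so editing the cookie to True no longer works. The secret key, the cookie strings and the parse_cookies helper are my own constructed assumptions, not the challenge’s code.

```python
import hmac
import hashlib

# Constructed demo secret; a real server loads this from config, never from source.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def parse_cookies(header: str) -> dict:
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def is_admin_vulnerable(cookie_header: str) -> bool:
    """The broken pattern: believe the client's own claim in the admin cookie."""
    return parse_cookies(cookie_header).get("admin") == "True"


def sign(value: str) -> str:
    """Return 'value.mac' where mac = HMAC-SHA256(SECRET_KEY, value) as hex."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify(signed: str):
    """Return the original value if the MAC matches, otherwise None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:  # no signature at all, e.g. a hand-edited 'True'
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    return value if hmac.compare_digest(mac, expected) else None


def is_admin_hardened(cookie_header: str) -> bool:
    """Only grant admin when the cookie's value was signed by the server."""
    signed = parse_cookies(cookie_header).get("admin")
    return signed is not None and verify(signed) == "True"


if __name__ == "__main__":
    tampered = "username=; admin=True"          # constructed, like the edited request
    print("vulnerable check:", is_admin_vulnerable(tampered))  # True
    print("hardened check:  ", is_admin_hardened(tampered))    # False
    print("legit signed:    ", is_admin_hardened("admin=" + sign("True")))  # True
```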