Web

  • Warmup - Web

I didn't manage to solve this "warm up" challenge in time, but I found a solution to the part I was stuck on quite a while after the competition ended.

First, the challenge asks for the correct password to get the flag. I tried SQL injection but had no luck. Reviewing the source code, I stumbled onto script.min.js, whose code had been obfuscated.

I deobfuscated it using obf-io.deobfuscate.io and got the interesting part, which gives the API endpoint to get the flag.

Unfortunately, going to the endpoint still did not give the flag. Looking at the page source for the comment it asks for did not show it either. So at this point, I thought I needed to use a PHP wrapper to read the whole source code, which is not visible on the web page.

I tested the parameter x for an LFI vulnerability before using the PHP wrapper. To test that, I tried to retrieve /etc/passwd, which returned what I was looking for.

Since the x parameter is vulnerable to LFI, I used this payload, php://filter/convert.base64-encode/resource=flag_for_warmup.php, to retrieve the source code, but the web page filters certain strings and gave the following response: did you just mention "convert"?? i'm quitting now. After modifying the payload, I used php://filter/zlib.deflate/resource=flag_for_warmup.php, and it responded with compressed data which I did not understand...

After this part I was stuck for quite a while until the CTF ended. I tried everything I could find to decompress the data, but no luck for me, hm. But it is normal in a CTF to get frustrated and find the solution later, after the CTF has ended. And today, I discovered that CyberChef can inflate the data using Raw Inflate, with which I could finally find the comment with the flag!
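The decompression step that caused the trouble, as an added example that is not part of the original writeup: PHP's zlib.deflate filter emits raw DEFLATE (RFC 1951) with no zlib or gzip header, so a default zlib decompress rejects it while a raw inflate succeeds. The sample source, the placeholder flag and the function names are constructed for illustration.

```python
import zlib

# Constructed stand-in for the PHP source; the flag is a placeholder.
SAMPLE_SOURCE = b"<?php\n// flag: wgmy{PLACEHOLDER}\necho 'nothing here';\n"

# wbits selects the container: 31 = gzip wrapper, 15 = zlib wrapper,
# negative = raw DEFLATE with no header and no checksum.
FORMATS = (("gzip", 31), ("zlib", 15), ("raw-deflate", -15))


def php_zlib_deflate(data: bytes) -> bytes:
    """Mimic the default output of php://filter/zlib.deflate (raw DEFLATE)."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def default_decompress_fails(blob: bytes) -> bool:
    """True if zlib.decompress() with default settings rejects the blob."""
    try:
        zlib.decompress(blob)  # default wbits=15 expects a zlib header
        return False
    except zlib.error:
        return True


def inflate_any(blob: bytes):
    """Try each container in turn; return (format_name, plaintext)."""
    for name, wbits in FORMATS:
        try:
            d = zlib.decompressobj(wbits=wbits)
            out = d.decompress(blob) + d.flush()
            if d.eof:  # stream ended cleanly, so this container matched
                return name, out
        except zlib.error:
            continue
    raise ValueError("not DEFLATE data in any known container")


if __name__ == "__main__":
    blob = php_zlib_deflate(SAMPLE_SOURCE)
    print("default decompress fails:", default_decompress_fails(blob))
    fmt, text = inflate_any(blob)
    print(fmt)
    print(text.decode())
```

When saving such a response for decoding, keep it as bytes; copying compressed data out of a rendered page as text can corrupt it.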

Flag: wgmy{1ca200caa85d3a8dcec7d660e7361f79}
