Untitled

a guest
Aug 18th, 2021
On going to the login page, once you check the comments or view the source, you'll see a link to a chat transcript. At the bottom of this transcript is a link to another page, where you're given the source code for the login page (I used uncompyle6 to decompile the pyc file). After seeing that this is an SQL injection, you can just put the username as admin'-- and the password as whatever just to get past the login screen. Once in the portal, going to /adminnote shows you that you need to get the boss's login to continue, and you are given the source for an exploitable feature. Getting the boss login can be done by using the login admin:admin' OR 's'='s to give the complete list of logins in the console.

Once in the boss portal, you see /loginbeta, and going to that page shows a login page where you can input a username and password and it'll welcome you (regardless of the password). Once you log in, you get a picture of a cookie, and looking in cookies shows a Flask session cookie. Decoding this (I used https://terryvogelsang.tech/MITRECTF2018-my-flask-app/#decode-flask-cookie-datas) shows some JSON that reads xml_base64 with a string that looks like base64. Decoding this twice shows XML filled with the username that was entered just before. In this XML, we also see that isAdmin is set to no, so we can put our username as the payload something</username><isAdmin>yes</isAdmin></data><data><username>something to change the first instance of isAdmin to yes (the password is not stored or accessed anywhere). Logging in with this username sets isAdmin to yes and gives the jctf{} flag and a link to /nextstep. (Originally I didn't provide source for this part, and I made this writeup before adding source, so with source you could've just inspected the source to craft a payload and skipped the whole cookie part.) After going to /nextstep, you're given specific instructions on how to get the final flag.
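The two bugs exploited above (quotes changing the structure of a string-built SQL query, and a username pasted raw into an XML template so that a closing tag injects markup) are shown below as an added example, not code from the writeup or from the challenge. Each vulnerable helper sits beside its hardened form: a parameterised query, and XML-escaping the value before it is templated. The table layout, rows and function names are constructed; the SQL and XML payloads are the ones quoted in the writeup.

```python
# Added example (not from the writeup): the two injection classes the
# writeup exploits, each as a vulnerable helper beside a hardened one.
# All names, table layouts and sample rows here are constructed.
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The username payload quoted in the writeup: closes the open elements,
# supplies its own <isAdmin>yes</isAdmin>, then reopens them so the
# document stays well-formed.
PAYLOAD = ("something</username><isAdmin>yes</isAdmin></data>"
           "<data><username>something")


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hunter2"), ("msmith", "letmein")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Query built by string formatting: a quote in the input ends the
    literal and '--' comments out the password check (admin'-- bypass)."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: values travel separately from the statement,
    so quote characters are data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def session_xml_vulnerable(username: str) -> str:
    """Mirrors the pattern the writeup describes: the username is pasted
    into an XML template untouched, so markup in it becomes markup."""
    return (f"<root><data><username>{username}</username>"
            f"<isAdmin>no</isAdmin></data></root>")


def session_xml_safe(username: str) -> str:
    """Same template, but the value is escaped: < > & become entities and
    the parser reads the whole payload back as one text node."""
    return (f"<root><data><username>{escape(username)}</username>"
            f"<isAdmin>no</isAdmin></data></root>")


def is_admin(xml_doc: str) -> bool:
    """Server-side check that trusts the first <isAdmin> it finds, which
    is exactly what the injected document takes advantage of."""
    root = ET.fromstring(xml_doc)
    node = root.find("./data/isAdmin")
    return node is not None and node.text == "yes"


def stored_username(xml_doc: str) -> str:
    """What the server would read back as the username."""
    return ET.fromstring(xml_doc).find("./data/username").text


if __name__ == "__main__":
    db = make_db()
    print("SQL  vulnerable:", login_vulnerable(db, "admin'--", "wrong"))
    print("SQL  safe      :", login_safe(db, "admin'--", "wrong"))
    print("XML  vulnerable:", is_admin(session_xml_vulnerable(PAYLOAD)))
    print("XML  safe      :", is_admin(session_xml_safe(PAYLOAD)))
```

A Flask session cookie is signed, not encrypted, so its contents are always readable by the client; the defence is to never let client-supplied text shape the document (escape it, or build the tree with ElementTree rather than a string template) and to carry authorisation state server-side rather than in a client-visible field.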
I used this curl command to get the flag: curl -X POST https://sources-adventure-fortified.max49.repl.co/vault?flag2="ictf\{d3v3l0p3r_t00ls_ar3_gr3at_6c6f6c\}" -H 'X-Robots-Tag: jctf{cl0s1ng_t4gs_4nd_0p3n1ng_t4gs_1n_xml}' -b "flag1=ictf{rsa_was_just_unn3c3ssary}" -A "msmith_is_a_great_username". After accessing the vault, we're given a Pastebin link and a hashed password. The hashed password can be easily cracked with https://crackstation.net/, and entering the Pastebin shows some RSA (a callback to the first sources-adventure), with p, q, and e being the roots of a polynomial. In Sage, .roots() can be used to get the roots, and you can either do the math or use http://web.archive.org/web/20210225213944/https://www.cryptool.org/en/cto/highlights/rsa-step-by-step to get the value of d. Once you get d, you can get the ciphertext and either do the math or use RsaCtfTool to get the flag.
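The "do the math" step for the RSA stage, as an added example that is not the writeup's own code: recover the roots of the cubic, derive d = e^-1 mod (p-1)(q-1), and decrypt. The polynomial, primes, exponent and ciphertext are constructed small values (the classic p=61, q=53, e=17 textbook parameters, with the cubic (x-61)(x-53)(x-17) expanded), not the challenge's; the divisor-based root finder is a toy stand-in for Sage's .roots() that only works because the constant term is tiny. Since the writeup does not say which root plays e, the last function tries every assignment.

```python
# Added example (not the writeup's own code): root recovery and the RSA
# arithmetic behind the final stage, on constructed small values.
from math import isqrt


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs are listed highest degree first."""
    acc = 0
    for c in coeffs:
        acc = acc * x + c
    return acc


def integer_roots(coeffs):
    """Toy stand-in for Sage's .roots(): for a monic polynomial with
    integer roots, every root divides the constant term, so test its
    divisors (and their negatives). Feasible only for a small constant."""
    a0 = abs(coeffs[-1])
    roots = []
    for d in range(1, isqrt(a0) + 1):
        if a0 % d == 0:
            for cand in (d, a0 // d, -d, -(a0 // d)):
                if cand not in roots and poly_eval(coeffs, cand) == 0:
                    roots.append(cand)
    return sorted(roots)


def rsa_private_exponent(p, q, e):
    """d is the inverse of e modulo phi(n) = (p-1)(q-1); pow(e, -1, m)
    needs Python 3.8+ and raises ValueError when no inverse exists."""
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_decrypt(c, d, n):
    return pow(c, d, n)


def candidate_plaintexts(coeffs, ciphertext):
    """Try each root as e with the other two as p and q. Returns a dict
    keyed by the e tried; in practice the right choice is the one whose
    plaintext decodes to something readable."""
    roots = integer_roots(coeffs)
    out = {}
    for e in roots:
        p, q = [r for r in roots if r != e]
        try:
            d = rsa_private_exponent(p, q, e)
        except ValueError:
            continue  # e shares a factor with phi(n): cannot be the exponent
        out[e] = rsa_decrypt(ciphertext, d, p * q)
    return out


# Constructed challenge data: (x - 61)(x - 53)(x - 17) expanded, and the
# ciphertext of m = 65 under n = 3233, e = 17.
POLY = [1, -131, 5171, -54961]
CIPHERTEXT = 2790

if __name__ == "__main__":
    print("roots:", integer_roots(POLY))
    print("d for p=61, q=53, e=17:", rsa_private_exponent(61, 53, 17))
    print("plaintext candidates:", candidate_plaintexts(POLY, CIPHERTEXT))
```

For real challenge sizes the divisor search must be replaced by a proper root finder (Sage's .roots(), or Newton iteration with exact integers), but the d derivation and decryption are identical at any size.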