I didn't spend too much time in this CTF. So I wrote writeups about only few problems. ● [ I love browsers ] In this main page, it shows "Hello [user's browser] user" sentence. The two ways that service knows user's website is using Javascript or using "User-agent" header. This service doesn't seem to run by javascript, so I tested by using "User-agent" header. I wrote Safari in it, this service..

90% guessy, 10% challenge. ● [ Choosy ] I found the word "script" is fitered. I could infer this problem is about XSS exploit. payload Flag shellctf{50oom3_P4yL0aDS_aM0ng_Maaa4nnY} ● [ Extractor ] The service is consists of "Register Page" & "Login Page". I try sql injection attack in Login Page. First, I didn't know what kind of sql this service use. So I tried to find sql version. Then..

I skipped write-up super easy problems. WEB ● [ Are you Admin? ] I can't modify "isAdmin" section by fiddler, so I decided to use curl command to fix isAdmin = true. curl -i -H 'Content-Type: application/json' -d '{"username":"derp","isAdmin":true}' 'http://01.linux.challenges.ctf.thefewchosen.com:49395/api/auth' Flag : TFCCTF{S4n1t1z3_Y0ur_1nput5!} ● [ DeepLinks ] Description tells "Find out hi..

Cyberchef 문제 페이지는 위와 같다. const express = require('express'); const bodyParser = require('body-parser'); const { checkRateLimit, checkUrl, visitUrl } = require('./utils'); const app = express(); app.set('view engine', 'ejs'); app.use(bodyParser.urlencoded({ extended: false })); app.get('/', (req, res) => { res.render('index'); }); app.post('/report', (req, res) => { const url = req.bod..

문제 창에 아무것도 없다. 익스플로잇 할 수 있는 요소가 없어 robots.txt부터 확인해봤다. 해당 엔트리 포인트가 존재하는 것을 확인했지만 위와 같이 hostname이 허용되지 않는 것을 확인했다. 터미널 창을 열어 curl의 H옵션인 헤더를 추가하는 방식으로 "Host : 127.0.0.1"을 추가해보자. curl 'https://pimpmyvariant.insomnihack.ch/readme' -H 'Host: 127.0.0.1' 스푸핑을 할 수 있다. 이 방식으로 스푸핑 가능한 페이지는 "/readme" 와 "/new"이다. >> curl 'https://pimpmyvariant.insomnihack.ch/readme' -H 'Host: 127.0.0.1' Re..