picoCTF writeups: Web-exploitation writeups
Includes (100 pts)
On the page, open Inspect Element (Ctrl+Shift+I). Go to Debugger (Sources in Chrome) and check style.css: the flag is split half-and-half across the files.
Inspect HTML (100 pts)
After opening the page, Inspect Element. Under the Inspector tab, find the flag in a comment.
Local Authority (100 pts)
Looking under Inspector (Elements in Chrome) and Debugger (Sources) we don’t find anything useful. Let’s try dummy credentials: I use admin and admin as username and password respectively.
Now it redirects to the login.php page. On searching through the Inspector tab, we find a checkPassword() function, which piques my interest. On searching through the Debugger panel, I find secure.js, which contained:
From the above figure it is apparent that the username is “admin”, as we had guessed, and the password is:
Search source (100 pts)
As you can guess from the challenge title, we will need to search through the source code to get the flag, much like in the previous challenges.
I couldn’t find anything under Inspector (Elements in Chrome), so I move on to Debugger (Sources in Chrome). On searching through the CSS and JS files I finally find the flag at
Forbidden Paths (200 pts)
So this challenge wants us to enter the path of the file we want to view, but only if it’s allowed. Let’s try to access some critical info like
On requesting it directly I don’t get any hits; I get a Not Authorized error. Let’s try appending ../ to the path and try again. On using ../../../../etc/passwd, the page returns the passwd file. Yes!!
Even so, I didn’t really get what I had to do next. I searched for files with the word “flag” in the title in the current directory and then did the same for the parent paths until I reached the “/” directory. Then I got the flag
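The reason the ../ form succeeds where the direct request is refused is that the server joins the user-supplied path onto its file directory without checking where the result ends up. The following is an added example, not code from the challenge or from picoCTF: it builds a constructed sandbox (a web root four directories deep and a file outside it standing in for /etc/passwd, both assumptions for this offline demo) and shows a naive resolver beside a confined one that canonicalises the path and rejects anything that lands outside the web root.

```python
import os
import tempfile

# Constructed sandbox standing in for the challenge's filesystem (an assumption
# for this offline demo): a web root several directories deep, one public file
# inside it, and a file outside it playing the role of /etc/passwd.
ROOT = tempfile.mkdtemp()
WEBROOT = os.path.join(ROOT, "var", "www", "html", "files")
os.makedirs(WEBROOT)
with open(os.path.join(WEBROOT, "readme.txt"), "w") as f:
    f.write("public file\n")
os.makedirs(os.path.join(ROOT, "etc"))
with open(os.path.join(ROOT, "etc", "passwd"), "w") as f:
    f.write("root:x:0:0:root:/root:/bin/bash\n")


def resolve_vulnerable(user_path):
    """Join and normalise, but never check where the result landed.

    normpath collapses the ../ segments, so four of them from a web root
    four directories deep land on ROOT itself, and anything under it is
    reachable. Denying one literal spelling of a file up front does not
    help, because the traversal form names the same file differently."""
    return os.path.normpath(os.path.join(WEBROOT, user_path))


def resolve_hardened(user_path):
    """Resolve, then confine: the canonical path must stay under WEBROOT.

    realpath also follows symlinks, so a link inside the web root that
    points outside it is rejected as well. Returns None when the request
    escapes the root (an absolute user_path is rejected the same way)."""
    root = os.path.realpath(WEBROOT)
    candidate = os.path.realpath(os.path.join(WEBROOT, user_path))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(user_path, resolver):
    """Return the file's contents, or 'Not Authorized' when confinement fails."""
    target = resolver(user_path)
    if target is None or not os.path.isfile(target):
        return "Not Authorized"
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    for path in ("readme.txt", "../../../../etc/passwd"):
        print(f"{path!r:32} naive    -> {serve(path, resolve_vulnerable)!r}")
        print(f"{path!r:32} hardened -> {serve(path, resolve_hardened)!r}")
```

The check is on the resolved path, not on the input string: stripping or denying particular substrings is what the challenge's own "Not Authorized" response does, and the traversal form walks past it.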
Power Cookie (200 pts)
In this challenge we have to alter the cookies. If you are using a cookie-editor extension you can conveniently change the cookie value. If you aren’t using one, Inspect the page, head to Storage (Application in Chrome) and under Cookies you will find the isAdmin cookie. Change its value from 0 to 1.
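The flip from 0 to 1 works because the server trusts a value the browser controls. As an added example (not the challenge's code), the block below contrasts that model with a session cookie whose body is authenticated by an HMAC under a server-side key; the key and the payload fields are constructed for this demo. Editing the body of the signed cookie without the key leaves the tag stale, and the server treats the cookie as absent.

```python
import base64
import hashlib
import hmac
import json

# Assumption for this demo: a constructed server-side key. A real deployment
# loads it from configuration and never sends it to the browser.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def is_admin_trusting_cookie(cookies):
    """The challenge's model: whatever 'isAdmin' the browser sends is believed.
    Anyone who can edit their own cookie jar is an administrator."""
    return cookies.get("isAdmin") == "1"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict) -> str:
    """Encode the session as base64(JSON).hex(HMAC-SHA256) so the server can
    later prove the body is the one it issued."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_session(cookie: str):
    """Return the payload if the tag matches, else None. compare_digest keeps
    the comparison constant-time; malformed cookies are rejected, not raised."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None


def is_admin_signed(cookies):
    """Authorisation now rests on a value the server itself signed."""
    session = verify_session(cookies.get("session", ""))
    return bool(session) and session.get("isAdmin") is True


def edit_body_without_key(cookie: str) -> str:
    """What the 0-to-1 edit looks like against a signed cookie: the body is
    changed but the tag stays as issued, so verification fails."""
    body, _, tag = cookie.rpartition(".")
    payload = json.loads(_unb64(body))
    payload["isAdmin"] = True
    return f"{_b64(json.dumps(payload, sort_keys=True).encode())}.{tag}"


if __name__ == "__main__":
    guest = sign_session({"user": "guest", "isAdmin": False})
    print("plain cookie, isAdmin=1 :", is_admin_trusting_cookie({"isAdmin": "1"}))
    print("signed guest cookie     :", is_admin_signed({"session": guest}))
    print("edited signed cookie    :", is_admin_signed({"session": edit_body_without_key(guest)}))
```

Signing stops tampering but not replay or disclosure; the cookie body is still readable by the client, so anything secret belongs in server-side session storage keyed by an opaque identifier rather than in the cookie itself.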
Roboto Sans (200 pts)
In this challenge we need to find the flag hidden somewhere in the pages. You can download an offline copy of the challenge web pages with wget -m http://saturn.picoctf.net:64710/ .
However, in this case we didn’t need to analyse the files extensively, as I found something interesting in the robots.txt file. It had some base64-encoded lines: anMvbXlmaWxlLnR4dA== , which decodes to js/myfile.txt. At http://saturn.picoctf.net:64710/js/myfile.txt we find our flag:
Secrets (200 points)
In this challenge I couldn’t really find any useful links at first glance at the webpage, so I thought to inspect the page. On inspecting, I find the src of the background image:
Let’s take a peek at the folders. secret/assets/ returns a 403 Forbidden response, so I try the secret/ folder. It gives us a clue that we are on the right path but still a bit far from the 🚩
So, let’s keep trying. On inspecting the page again I find a clue to the next destination! Looks like we’ve found a pattern 😎
So, let’s go to the hidden folder. The overall path shall be secret/hidden/
Let’s inspect the page again. This time we find a superhidden folder. Let’s go to secret/hidden/superhidden. Yep, the page says the flag is right here, but we can’t quite see it.. So, let’s inspect again! And we are able to find the flag 🎉
SQL Direct (200 pts)
Let’s first connect with:
psql -h saturn.picoctf.net -p 53768 -U postgres pico and the password is:
Now let’s run \l+ to list all the databases:
Let’s connect to the database pico:
Now let’s list the tables in pico with \dt . We find a flags table inside. Let’s list out the flags table with SELECT * FROM flags;
SQLiLite (300 points)
This is another basic SQL question. If you know the basics you can solve it.
Let’s put in random credentials and see what the webpage returns. We get:
SQL query: SELECT * FROM users WHERE name='admin' AND password='admin'
Wow! So we know the query used to return the details from the table. Let’s use the following username:
' or '1'='1' -- a
Now we have logged in!
We see the clue that the flag is on the page, so we sweep through the Inspector under Inspect Element.
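The echoed query shows why that username logs us in: the quote closes the name literal, or '1'='1' makes the WHERE clause always true, and -- comments out the password check. As an added example (not the challenge's code), the block below reproduces the query shape against a constructed in-memory SQLite table and places the string-built version beside a parameterized one; the table rows and the column list (id, name instead of *) are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; rows are sample data for this demo.
    (A real application stores password hashes, never plaintext.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("admin", "constructed-admin-secret"), ("alice", "wonderland")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(name, password):
    """The query shape the challenge echoes back, built by string formatting.
    Quotes in the input become part of the SQL instead of part of a value."""
    return f"SELECT id, name FROM users WHERE name='{name}' AND password='{password}'"


def login_vulnerable(conn, name, password):
    """Executes the formatted string; returns the first matching row or None."""
    return conn.execute(build_vulnerable_query(name, password)).fetchone()


def login_parameterized(conn, name, password):
    """Placeholders hand the values to the driver separately from the SQL text,
    so the same input is compared against the name column as a literal string
    and never reaches the parser as syntax."""
    query = "SELECT id, name FROM users WHERE name=? AND password=?"
    return conn.execute(query, (name, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    username = "' or '1'='1' -- a"
    print(build_vulnerable_query(username, "admin"))
    print("vulnerable    :", login_vulnerable(conn, username, "admin"))
    print("parameterized :", login_parameterized(conn, username, "admin"))
```

The parameterized query returns None for the same input because there is no user literally named ' or '1'='1' -- a; the fix is in how the statement is sent to the database, not in filtering characters out of the username.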