Web 100: Abitol This is a simple web app where you can register and login to see an articles page, a photo gallery, a flag page and an admin contact page. Visiting the flag page give us a Nice try, did you really think it would be that easy? ;) but the photo gallery is vulnerable to XSS: http://abitbol.nuitduhack.com/zoom.php?image=1%3E%3Cscript%3Ealert%281%29%3C/script%3E Now, we dont know how the admin contact will be visualized in the viewer page, but we can try to send him a message with an iframe pointing to the vulnerable page so we can send his session ID to our cookie catcher or use XHR to request the flag.
We didnt have time to finish this task during the game since we decided to finish Freestyle 400 (scored in the last minute) but as I foound out later, we were close to finish it. In this level we were presented with a login form vulnerable to user enumeration. It was easy to see that admin was a valid user but we could not guess the password. After trying with other “normal” accounts like guest, dev and so on, we found that debug was a valid account and the password was debug.
I had the honour to participate with int3pids in the #Olympic CTF and these are the write ups of the Web tasks we solved. CURLing 200: Xnginx In this level we were presented with a simple web site where we could check some news First thing to notice is that the news URL is vulnerable to path transversal: http://18.104.22.168:27280/news/?f=31-12-2013 http://22.214.171.124:27280/news/?f=../../../../../etc/passwd Since the name of the task was xnginx I looked for the nginx configuration file:
In this [level]() we were presented with an online shop: The task name was “AngryBird” and this was very relevant to solve the challange! It actually comes down to two parts: Finding a hidden admin area Exploiting a blind SQLi to get credentials Finding the hidden admin area We were given the following description: Some web-developers still host their sites on Windows platform, and think that it is secure enough