APU Battle Of Hackers CTF 2018 Writeup: Web exploitation level 3
Written by IceM4nn on 16 September 2018
Category : scripting
Title : Web exploitation level 3
Points : 150
I forgot to write down the question. but let me tell ya about the challenge. They give a link to a page. In that page, it shows number of solves and a long simple mathematics equation. It looks something like this:
So, if I send empty data by clicking submit query, nothing will happen except the mathematics equation now changes randomly. Same if I send wrong answer, the number of solves will back to zero not increase any unless I send a correct answer. When correct answer submitted, number of solves increment by one and asks to solve another long random mathematics equation.
If you do this manually by hand (or calculator) it will takes forever to complete this challenge moreover you didn’t know until what number of solves the flag will triggered and you need to watch out not to send wrong answer as this will reset the number of solves back!
I also check if the webpage stores any cookies or running sessions and found that there’s no cookies set and there is a session set in my browser.
By knowing how the webpage works now I know that I need to automated the math problems. So since this in a webpage not in your mathematics exercise book I could write automated script to help my work done quickly.
I choosing to write the script in python. After a few minutes I sucessfully craft my automated script. By running the python script below, I’ll get the flag right away after complete solving 200 math problems. The flag is why_n0t_@ut0m@t3_1t@apuboh2018
It is simple script and I’m happy doing this challenge.
I know how the challenge works and if you would like to test it yourself, I made a PHP backend POC code to test out. Note: this backend code is not the original code from the gameserver. I don’t know what they looks like. But since I know a little PHP I tried to replicate it myself and eventually it works just like in the game and thought want to share it with you.
Copy and paste the code in your web server directory as check.php and index.php and start your webserver. Edit the web address and run the automated script and you get the flag.