RARO Web Challenges

Entrypoint

Web [200pts]

Description: Sadly it looks like there wasn’t much to see in the python source. We suspect we may be able to login to the site using backup credentials, but we’re not sure where they might be. Encase the password you find in ractf{...} to get the flag.

Looking at the page, we don’t find anything interesting and are given a generic login error upon attempt:

Looking at the page source, we find that there is a /backup.txt file somewhere in the web-app that may possibly give us what we need:

We can’t access /backup.txt, but looking at robots.txt, we see a couple directories of interest:

The admin directories were inaccessible, but I found interesting errors when trying to navigate to /static:

It seems that for the route /static, it is expecting a GET request parameter named ‘f’. So trying /static?f=backup.txt, we see the username and password (flag in this challenge) given to us:

RARO – Baiting

Web [200pts]

Description: That user list had a user called loginToGetFlag. Well, what are you waiting for?

The description is correct. Logging in using the above credentials, develop and developerBackupCode4321 gives us a page listing all users:

Trying to login using loginToGetFlag’ UNION SELECT 1,2,3,4 — gives us an SQLite error:

When trying this payload: ‘and true OR username=’loginToGetFlag’ — , we are able to log in:

RARO – Admin Attack

Web [300pts]

Description: Looks like we managed to get a list of users. That admin user looks particularly interesting, but we don’t have their password. Try and attack the login form and see if you can get anything.

Very similar to the solution above, using the payload: ‘and true OR username=’jimmyTehAdmin’ — , we are able to log in as admin:

I also found that the password field is vulnerable to injection as well, so using ‘loginToGetFlag’ as username and ‘ ” union select 1,2,3,4 –” will allow us to login as admin, it will say Welcome 1, indicating that the first column is the column being rendered to us.

RARO – Vandalism

Web [250pts]

Description: That admin panel was awfully bare. There must be some other page, but we’ve no idea where it is. Just to clarify, ractf{;)} is the greedy admins stealing all the flags, it’s not the actual flag.

For this challenge, when I signed in as admin, looking at the headers using burp suite revealed something interesting:

There is an optional header pointing to a route that is not normally redirected for us. So following that route, we are given a page:

It says that the page has been vandalized, looking at this page in burp suite, we see messed up text that is hidden by CSS:

I grabbed all the vandalized text and used an online text cleaner tool to make it more readable. It turns out it was a generic lorem ipsum with our flag in it:

RARO – Insert witty name

Web [200pts]

Description: Having access to the site’s source would be really useful, but we don’t know how we could get it. All we know is that the site runs python.

This challenge, similar to Entrypoint, involves accessing a page that is not shown to us. A tiny bit of intuitive “guess” work will lead us to the fact that python source is typically named app.py, main.py , etc. We can also use dirsearch on the /static?f= route which will also show us our answer.

Trying out /static?f=main.py gives us our flag:

RARO – Xtremely Memorable Listing

Web [200pts]

Description: We’ve been asked to test a web application, and we suspect there’s a file they used to provide to search engines, but we can’t remember what it used to be called. Can you have a look and see what you can find?

This challenge involves finding a file somewhere on the application. There is no robots.txt and /static?f= does not give us anything. A simple dirsearch will reveal that there is a /sitemap.xml

Visiting this page will point us to download a backup of this sitemap:

Now navigating our page to /_journal.txt, we see our flag:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s