Pico CTF- Web exploitation walkthrough #Part-3 (11–20)

11. Don't-use-client-side

Client-side vulnerabilities are security weaknesses in web applications that can be exploited through the user’s browser or the client-side code it runs.

Steps: start the instance.

  • Open Inspect Element.

  • Rearrange the jumbled letters to form a word, then use the number shown next to each letter to put them in numerical order.

12. It is my Birthday

  • A vulnerability that lets arbitrary files be uploaded is commonly referred to as an “Unrestricted File Upload” vulnerability. It occurs when an application does not properly validate or restrict the types of files users can upload, potentially allowing malicious files to be uploaded and executed on the server.
  • Visit the website https://www.mscs.dal.ca/~selinger/md5collision/ (it hosts pairs of different executables that share the same MD5 hash).
  • Download the executables (.exe).

  • Change the file extension from .exe to .pdf.

  • Upload both files on the tab.
  • You will be redirected to the index.php page, which has the flag.

13. login

  • Open the page source and click the link “index.js”.

(async () => {
    // Wait for the page to finish loading before attaching the handler.
    await new Promise((e => window.addEventListener("load", e)));
    document.querySelector("form").addEventListener("submit", (e => {
        e.preventDefault();
        // Selectors for the two form inputs.
        const r = {
            u: "input[name=username]",
            p: "input[name=password]"
        }, t = {};
        // base64-encode each input value and strip the "=" padding.
        for (const e in r)
            t[e] = btoa(document.querySelector(r[e]).value).replace(/=/g, "");
        // Compare against hard-coded base64 constants; the password constant decodes to the flag.
        return "YWRtaW4" !== t.u ? alert("Incorrect Username") : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== t.p ? alert("Incorrect Password") : void alert(`Correct Password! Your flag is ${atob(t.p)}.`)
    }));
})();

  • After clicking on “index.js”, you will be redirected to a new tab containing this code.
  • Of that code, only the long string compared against t.p is needed: it is the flag, base64-encoded with the “=” padding stripped, so decoding it gives the flag.

14. On Includes

  • Open Inspect Element, go to Sources, and open “style.css”. The first part of the flag can be found there.

  • Then open “script.css”. The second part of the flag can be found there.

15. Inspect HTML

HTML page vulnerabilities of this kind expose sensitive information in the page’s source code, which anyone can read through Inspect Element. Hidden form fields, comments, or scripts are easily viewed and exploited by attackers.

  • Open the “page source” to get the flag.

16. Local Authority

A password present in the page source means that sensitive information, such as passwords or access tokens, is directly visible in the source code of a web application’s page. This poses a significant security risk because anyone who can view the source can read these details.

  • Open “page source” > click on “secure.js”.

  • The credentials displayed there are the admin login, and they can easily be used to bypass the login.

17. Search source

The vulnerability here is that the style.css file contains sensitive information that should not be publicly accessible. This could include credentials (like usernames and passwords) or security tokens (such as API keys or access tokens) that are relied on for authenticating and authorizing access to protected resources.

  • Open Inspect Element.
  • Open the CSS folder; “style.css” contains the flag.
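As an added example (not part of the original walkthrough), here is a small Node.js scanner a developer could run before deployment to catch the kind of leak that challenges 14 and 17 rely on: it walks a set of static assets and reports every line that matches a secret-looking pattern. The asset contents, file names, placeholder values and pattern list are constructed for the demonstration.

```javascript
// Added example: a pre-deploy scan of static assets (CSS/JS/HTML) for strings
// that should never ship to a browser. All contents below are constructed.
const SAMPLE_ASSETS = {
  'css/style.css': [
    'body { margin: 0; }',
    '/* TODO remove before release: picoCTF{example_placeholder_flag} */',
    '.hidden { display: none; }',
  ].join('\n'),
  'js/script.js': [
    'const endpoint = "/api/login";',
    'const adminPassword = "changeme-placeholder"; // left in by mistake',
    'console.log("ready");',
  ].join('\n'),
  'index.html': '<html><body><p>nothing secret here</p></body></html>',
};

// Each rule is a named regex; the patterns are deliberately simple and
// would be extended for a real code base.
const SECRET_PATTERNS = [
  { name: 'ctf-flag', regex: /picoCTF\{[^}]*\}/g },
  { name: 'hardcoded-password', regex: /\b\w*pass(word|wd)?\w*\s*[:=]\s*["'][^"']+["']/gi },
  { name: 'api-key', regex: /\bapi[_-]?key\s*[:=]\s*["'][^"']+["']/gi },
];

// Returns one finding per match: file, 1-based line, rule name, matched text.
function scanAssets(assets, patterns = SECRET_PATTERNS) {
  const findings = [];
  for (const [file, content] of Object.entries(assets)) {
    content.split('\n').forEach((text, idx) => {
      for (const { name, regex } of patterns) {
        regex.lastIndex = 0; // global regexes keep state between exec() calls
        let m;
        while ((m = regex.exec(text)) !== null) {
          findings.push({ file, line: idx + 1, rule: name, match: m[0] });
        }
      }
    });
  }
  return findings;
}

// Convenience wrapper: non-zero exit status style result for a CI gate.
function assetsAreClean(assets) {
  return scanAssets(assets).length === 0;
}

for (const f of scanAssets(SAMPLE_ASSETS)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.match}`);
}
console.log('clean:', assetsAreClean(SAMPLE_ASSETS));
```

To run it over a real build directory, replace SAMPLE_ASSETS with a map built from fs.readFileSync over the files you are about to publish; the scanner itself does not change.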

18. find me

This vulnerability occurs when a web application exposes internal objects or resources (such as files, directories, or database records) without proper authentication or authorization checks. It allows attackers to manipulate parameters or request types to reach data or functionality they are not authorized for.

  • Capture the request in Burp Suite.

  • After I pressed forward, I noticed an interesting string that appeared to be base64-encoded. Here’s the string:

GET /next-page/id=cGljb0NURntwcm94aWVzX2Fs

  • When I tried to move forward again, I encountered another interesting string, also base64-encoded:

GET /next-page/id=bF90aGVfd2F5X2RmNDRjOTRjfQ==

  • I put those strings together and then used CyberChef to decode the result from base64 to plain text.
  • After decoding, the flag is displayed.

cGljb0NURntwcm94aWVzX2FsbF90aGVfd2F5X2RmNDRjOTRjfQ==
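As an added example that is not part of the original post, here is a small Node.js script that does what the CyberChef step does: it pulls the id value out of each captured request line, joins the pieces in the order they were seen, and decodes the result. It also decodes each piece on its own to show why the join is necessary. The request lines are the two shown above; the helper names are constructed for this demonstration.

```javascript
// Added example: reassembling a base64 value that a site hands out one piece
// per redirect. Request lines are the two observed in the challenge; the
// parsing helpers are constructed for this demonstration.

// Constructed capture: one request line per hop of the redirect chain.
const CAPTURED_REQUESTS = [
  'GET /next-page/id=cGljb0NURntwcm94aWVzX2Fs',
  'GET /next-page/id=bF90aGVfd2F5X2RmNDRjOTRjfQ==',
];

// Pull the id value out of a request line; returns null if it is absent.
function extractId(requestLine) {
  const m = /\/next-page\/id=([A-Za-z0-9+\/]+=*)/.exec(requestLine);
  return m ? m[1] : null;
}

// Join the pieces in the order they were observed.
function joinFragments(lines) {
  return lines.map(extractId).filter((id) => id !== null).join('');
}

function decodeBase64(b64) {
  // Only the final piece may carry '=' padding; padding in the middle of the
  // joined string means the pieces were cut at the wrong place.
  if (/=.*[A-Za-z0-9+\/]/.test(b64)) throw new Error('padding found inside the joined string');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Decoding a single fragment yields only part of the plaintext (the first
// fragment happens to be 24 characters, so it decodes cleanly on its own).
function decodeFragmentsSeparately(lines) {
  return lines.map(extractId).map((id) => Buffer.from(id, 'base64').toString('utf8'));
}

const joined = joinFragments(CAPTURED_REQUESTS);
console.log('joined  :', joined);
console.log('decoded :', decodeBase64(joined));
console.log('per-hop :', decodeFragmentsSeparately(CAPTURED_REQUESTS));
```

Splitting a value across redirects is obscurity, not access control: anything a proxy can see, it can reassemble, which is the lesson of this challenge.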

19. MatchTheRegex

This vulnerability occurs when a web application fails to properly validate and authorize user access to internal objects or resources. In this case, URL manipulation gives direct access to a sensitive resource (the flag) without appropriate authentication or authorization.

By appending “/flag” to the URL, an attacker can exploit this vulnerability to bypass any access controls or restrictions that should prevent unauthorized users from accessing the flag.

Exploiting an IDOR vulnerability can lead to unauthorized access to sensitive data or functionalities within the application, potentially exposing confidential information or compromising system security.

  • Open the “page source”.
  • Append “/flag” to the URL.

20. Unminify

  • Open the “page source”.
  • Using line wrap (in Chrome), you can easily find the flag.
