ITI CTF 2023 Round 1 - Web Challenges

Anas Ibrahim
4 min read · Sep 9, 2023


Hi everyone, I’m a web pentester, and I occasionally participate in CTFs. Recently, I took part in the ITI 2023 bootcamp, which was launched this year with sponsorship from Cybertalents. They were responsible for creating the CTF challenges, and it was a simple CTF that included a total of 10 challenges, two of which were web security challenges. I managed to solve both, so let me explain the scenario.

SuperAdmin (Easy — 50 Points)

This challenge was an easy one, featuring a simple shop page with no real functions to test. I viewed the page source but found nothing of significance.

SuperAdmin

So, while fuzzing directories, I also found nothing. Then, I intercepted the request and noticed a cookie header with the name Auth and the value dXNlcg%3D%3D, which was URL-encoded and base64-encoded.

Request

After URL-decoding it, the value became dXNlcg==, and decoding that with base64 revealed the value user. So, I attempted to become an admin by changing the value to admin, encoding it as base64 and then URL-encoding it to YWRtaW4%3D, and successfully obtained the flag.

The flag.

The flag was flag{H0l4_4dm1n!}
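The root cause here is that the application trusted a role carried in a cookie the client fully controls: base64 is an encoding, not a protection. The following is an added example (not the challenge's code) that first reproduces the decoding done above, then shows the defensive counterpart: a role cookie that carries an HMAC tag, so a client who rewrites the payload without the server's key is rejected. The key `SECRET_KEY` and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed demo key; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def decode_auth_cookie(raw: str) -> str:
    """Undo what the challenge's Auth cookie does: URL-encoding over base64.

    Nothing in this value ties it to the server, so the client can set it to
    any role it likes; this is the weakness exploited above.
    """
    return base64.b64decode(urllib.parse.unquote(raw)).decode("utf-8")


def make_signed_cookie(role: str, key: bytes) -> str:
    """Hardened form: base64 payload plus an HMAC-SHA256 tag over it."""
    payload = base64.urlsafe_b64encode(role.encode("utf-8")).decode("ascii")
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return urllib.parse.quote(f"{payload}.{tag}")


def verify_signed_cookie(raw: str, key: bytes):
    """Return the role if the tag verifies, otherwise None.

    The tag is recomputed server-side and compared in constant time, so a
    payload edited by the client (e.g. user -> admin) no longer verifies.
    """
    try:
        payload, tag = urllib.parse.unquote(raw).rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return base64.urlsafe_b64decode(payload).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def forge_without_key(role: str) -> str:
    """What a client can do without the key: swap the payload, keep a bogus tag."""
    payload = base64.urlsafe_b64encode(role.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(f"{payload}.{'0' * 64}")


if __name__ == "__main__":
    print(decode_auth_cookie("dXNlcg%3D%3D"))  # the challenge's original cookie
    good = make_signed_cookie("user", SECRET_KEY)
    print(verify_signed_cookie(good, SECRET_KEY))
    print(verify_signed_cookie(forge_without_key("admin"), SECRET_KEY))
```

Signing is the minimum; a server-side session that stores the role and hands the client only an opaque identifier removes the role from the cookie altogether, and a framework session (Flask's signed session cookie, for instance) gives the same guarantee without hand-rolling the HMAC.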

The Isle of Blue Mist (Medium — 100 Points)

I noticed from its description that there was a spell function that takes a string from the user.

description

When I opened the challenge, I found a simple HTML/CSS page with a button labelled Start Your Quest that triggers the spell function.

During my testing on the spell page, I observed a POST parameter called spell. When I entered a word, it was sent UTF-8 encoded. However, when I entered a command like whoami, an error message was returned stating, Your Spell wasn’t right =(.

Spell function

Then, I viewed the page source and discovered a commented-out parameter, ?magic_source=a, with a long value. I initially thought it was the challenge source code as-is, but it turned out to be encoded.

source code

I guessed that it was base64 encoding, but it turned out to be something else. In such situations, I usually rely on tools like CyberChef. I pasted the encoded source code into CyberChef and discovered that it was actually base58 encoding. After decoding it, I obtained the function source code.

```python
import os
import base58
from flask import Flask, flash, render_template, request

app = Flask(__name__)  # surrounding app/route are assumed; the page shows only the handler body


@app.route("/quest", methods=["POST"])
def quest():
    spell = request.form.get("spell", "")
    try:
        spell = base58.b58decode(bytes(spell.encode('utf-8')))
        # the decoded user input is interpolated straight into a bash command line
        spell = os.popen(f"echo {spell.decode('utf-8')} | bash").read()
        if spell != "":
            flash(f"Your spell was good, look what did it produce: {spell}", 'success')
        else:
            flash("your spell wasn't right =(", "danger")
    except Exception:
        flash("We ran into a problem =(", "danger")
    return render_template('quest.html', title="magic quest - result", )
```

So, when I analyzed the Python source code, I noticed the presence of the os.popen method, which is used to execute shell commands. However, the input first passes through base58.b58decode, so the command has to be supplied base58-encoded in order to be executed.
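The lesson for the defender is that decoding is not validation: base58 only changes the representation of the input, and whatever it decodes to is echoed into bash. The following is an added example (not the challenge's code) that implements base58 inline with the Bitcoin alphabet (so it runs without the `base58` package) and shows a hardened replacement for the handler: the decoded spell is looked up in a fixed allowlist that maps names to argv lists, and the chosen program runs through `subprocess.run` with no shell, so the input never reaches a command line. The `SPELLS` table and the function names are constructed for this example.

```python
import subprocess

# Standard Bitcoin base58 alphabet (no 0, O, I, l), the one base58.b58decode uses.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Big-number base58 encoding; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[0:1] * pad + digits[::-1]).decode("ascii")


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text.encode("ascii", errors="replace"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not base58")
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


# Allowlist of spells the server is willing to cast: name -> argv (constructed).
# No shell is involved, so there is nothing for metacharacters to inject into.
SPELLS = {
    "date": ["date", "-u"],
    "uptime": ["uptime"],
}


def resolve_spell(encoded: str):
    """Decode the base58 spell and map it to an argv list, or None if not allowed.

    Anything that is not exactly a known spell name (including a valid base58
    string that decodes to an arbitrary command) is rejected here.
    """
    try:
        name = b58decode(encoded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return SPELLS.get(name)


def cast_spell(encoded: str) -> str:
    """Hardened counterpart of the challenge handler: allowlist, then run without a shell."""
    argv = resolve_spell(encoded)
    if argv is None:
        return "your spell wasn't right =("
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    print(b58encode(b"hello"))                 # Cn8eVZg
    print(cast_spell(b58encode(b"date")))      # runs ["date", "-u"], no shell
    print(cast_spell(b58encode(b"whoami")))    # not in the allowlist, rejected
```

If the feature genuinely needs to run user-chosen programs, the allowlist is still the right shape: the user picks a key, the server owns the argv. What should never happen is the page's `f"echo {spell} | bash"`, where the decoded input itself becomes the command.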

The next step was to use an online base58 encoder. When I submitted the base58-encoded whoami command, it returned user.

whoami command base58 encoded

Then, I encoded the ls -la command as base58 to list all files in the directory.

ls -la

Finally, I found the flag file, and to read its contents, I used the cat flag.txt command. With that, I obtained the flag.

The flag

The flag was flag{M4g!k_5p3ll_w4s_3ff3ct1v3}

That concludes the write-up on solving the two web security challenges. I hope you found it enjoyable.
