The challenge name, Parameters, refers to HTTP request parameters (headers and cookies), so the whole solution is about manipulating them.
The first thing we see when we visit the challenge URL is :-
"Only Agent Vinod allowed" means we need to set the "User-Agent" header to Vinod, so intercept the request in Burp and modify the "User-Agent" value.
We get the following page after modifying the User-Agent :-
The page says we need to send a time at least 3 hours earlier than the current time. The request's "Date" header is the parameter that carries date and time, so we set it to a value 3 or more hours in the past.
After sending the "User-Agent" header set to Vinod together with the backdated "Date" header, we get a page about choosing a pokemon, and the pokemon chosen is Unown.
One thing to note here is that the last image of the chosen pokemon is text written in the Unown alphabet, a simple substitution cipher in which each Unown form stands for one letter (https://www.dcode.fr/pokemon-unown-alphabet). Decoding it reveals the first part of the flag: "USSERAGENT".
Another thing to observe is the cookie that gets set. Decoding its value as hex gives 55736572 = "User"; changing it to "Admin" (41646D696E) reveals a new page.
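The three parameters above (User-Agent, a backdated Date header, and the hex-encoded role cookie) can be built and sent from one script instead of being edited by hand in Burp. The following is an added example written for this writeup, not code from the challenge or its author. Two things are assumptions because the page does not state them: the cookie's name (the page only shows its hex value, so "user" is a placeholder) and the challenge URL, which is taken from the command line.

```python
"""Added example: craft the User-Agent, Date and Cookie parameters the
challenge checks and send them in one request.

Assumptions (not stated on the page): the cookie is named "user", and the
challenge URL is given as the first command-line argument."""
import sys
import urllib.request
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def date_header(hours_back=3):
    """RFC 7231 IMF-fixdate (e.g. 'Sun, 06 Nov 1994 08:49:37 GMT'), shifted
    hours_back into the past; the challenge asks for at least 3 hours."""
    when = datetime.now(timezone.utc) - timedelta(hours=hours_back)
    return format_datetime(when, usegmt=True)


def hours_behind(date_value):
    """How many hours a Date header value lies behind the current time."""
    then = parsedate_to_datetime(date_value)
    if then.tzinfo is None:  # older Pythons return naive for some zones
        then = then.replace(tzinfo=timezone.utc)
    return (datetime.now(timezone.utc) - then).total_seconds() / 3600


def cookie_hex(text):
    """Hex-encode a cookie value the way the challenge stores it: User -> 55736572."""
    return text.encode().hex().upper()


def cookie_decode(hexstr):
    """Inverse of cookie_hex: 55736572 -> User."""
    return bytes.fromhex(hexstr).decode()


def build_headers(role="Admin", agent="Vinod", cookie_name="user", hours_back=3):
    """All three parameters the challenge checks, as one header dict.
    cookie_name is an assumption; only the value's encoding is known."""
    return {
        "User-Agent": agent,
        "Date": date_header(hours_back),
        "Cookie": f"{cookie_name}={cookie_hex(role)}",
    }


def fetch(url, headers):
    """Send the crafted request; returns (status, body). Needs network."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <challenge-url>")
    hdrs = build_headers()
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    status, body = fetch(sys.argv[1], hdrs)
    print(status)
    print(body)
```

Run it as `python3 params.py <challenge-url>`; it prints the headers it sends and then the response body, so you can confirm each stage the same way you would in Burp. The Date value uses the IMF-fixdate form because that is the one format every HTTP server is required to parse; if the challenge's check is stricter or looser than "3 hours earlier", adjust `hours_back` and compare responses.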
Setting all the parameters gives the following image with the statement "This Is The Ultimate Level ; Everything Is Infront Of You", which hints at steganography, and we still haven't got the second part of the flag.
Download the image and run it through a steganography tool to extract the hidden data (https://stylesuxx.github.io/steganography/).
Decoding the extracted text "aHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL2ZpbGUvZC8xTmxsVnJtckhkTEhSZ1g2c1Y1MzlMMVp6Ym5SR0N2ZHIvdmlldz91c3A9c2hhcmluZw" with a base64 decoder reveals a Google Drive link.
Opening the drive link gives a password-protected zip file. Where is the password? Go back to the "I choose you" page and inspect the source code.
We see some obfuscated text there: it is a brainfuck program. Running it through a brainfuck interpreter gives us a list, which is probably a password list for the locked zip file.
Wordlist :- Rhydon Togepi Milotic Machamp Tyrantrum Psyduck Mewtwo Pachirisu Altaria Magnezone P1k4cHu Dialga Gyarados Dragonite Eevee Luc4r10 Deoxys Zapdos Ch4r1zArD Rotom Gardevoir Unkn0Wn G0dz1lL4 Electrode Escavalier Garchomp Zygarde Blaziken Greninja
Brute-forcing the zip with this wordlist gives the password "Luc4r10". Unlocking the file, we get the second part of the flag:
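The two steps above, running the brainfuck program from the page source and then trying every word it prints against the zip, fit in one short script. This is an added example written for this writeup, not the challenge's own code. The real brainfuck program and the zip are not reproduced on the page, so the script reads both from files given on the command line; `SAMPLE_PROGRAM` is a constructed stand-in that prints a single pokemon name, included only so the interpreter can be exercised offline.

```python
"""Added example: interpret the brainfuck found in the page source to get
the wordlist, then try each word as the zip password.

The real program and zip are not on the page; pass them as files:
    python3 bf_zip.py program.bf locked.zip
SAMPLE_PROGRAM is a constructed stand-in used when no files are given."""
import sys
import zipfile


def run_brainfuck(program, stdin=""):
    """Minimal brainfuck interpreter: 8-bit wrapping cells, growable tape,
    ',' reads from the stdin string (0 at EOF). Returns the output text."""
    jump, stack = {}, []            # pre-match brackets for O(1) jumps
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape, ptr, pc, out, inp = [0], 0, 0, [], iter(stdin)
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise ValueError("tape underflow")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = ord(next(inp, "\0"))
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]           # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]           # back to the loop start
        pc += 1                     # any other character is a comment
    return "".join(out)


def words_from_output(text):
    """Split the interpreter's output on whitespace into candidate passwords."""
    return text.split()


def crack_zip(path, words):
    """Try each word as a ZipCrypto password; return the first that works.
    A wrong password raises RuntimeError. ZipCrypto's 1-byte check lets
    roughly 1 in 256 wrong passwords through to decryption, where the CRC
    then fails with BadZipFile, so both are treated as 'wrong'."""
    with zipfile.ZipFile(path) as zf:
        name = zf.namelist()[0]
        for pw in words:
            try:
                zf.read(name, pwd=pw.encode())
                return pw
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# Constructed stand-in for the challenge's program: prints "Mew\n".
SAMPLE_PROGRAM = ("+++++++[>+++++++++++<-]>."     # 7 * 11 = 77  -> 'M'
                  + "+" * 24 + "."                # 77 + 24 = 101 -> 'e'
                  + "+" * 18 + "."                # 101 + 18 = 119 -> 'w'
                  + ">++++++++++.")               # fresh cell, 10 -> '\n'

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            words = words_from_output(run_brainfuck(f.read()))
        print("wordlist:", words)
        print("password:", crack_zip(sys.argv[2], words))
    else:
        print(run_brainfuck(SAMPLE_PROGRAM), end="")
```

The standard `zipfile` module only handles ZipCrypto; if the archive turns out to be AES-encrypted (WinZip style), `zf.read` raises `NotImplementedError`, and the same wordlist can be fed to pyzipper or to `zip2john` plus john instead. With a list of only about thirty names a plain loop is all the brute force that is needed.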
_p4raM37eR_P0llu7iOn
So our flag becomes :- shellctf{USSERAGENT_p4raM37eR_P0llu7iOn}
Hints with point values (cost) :-
- Hint 1 :- Can you find the hidden secret in the ultimate stage and unlock it? (10 pts)
- Hint 2 :- There are three stages (4 different pages till the end) in the problem which continue till you reach the ultimate level; each stage gives you something useful now or later. (50 pts)
- Hint 3 :- Some needed stuff for the different stages (50 pts)
  - Vinod
  - Date
  - Cookie and some brainf***
  - Stego for the ultimate level