old-tickets

CyberEDU


Category

Web Exploitation

Difficulty

Medium

Challenge Overview

We've got to deal with a web challenge built around a misconfigured ticket system.

Firstly, analyzing page source (CTRL + U) we see this suspicious line:

Our first bug was: d63af914bd1b6210c358e145d61a8abc. Please fix now!

We'll come back to this line later.

Also, <form class="form-inline" action="/" method="PUT">

This line is odd: the HTML form element only supports GET and POST as method values, and an unsupported value such as PUT falls back to GET. So whenever a name and message are entered and 'Submit ticket' is pressed, the browser sends a GET request, which the server ignores, and nothing happens.

Let's intercept the request in Burp Suite and change the method from GET to POST.

KeyError: 'code'

Note: In Burp Repeater you can switch the response view to Render mode to see the page as the browser would display it, instead of the 'Pretty' view, which shows the page source. That helped me see the errors better.

We see the error KeyError: 'code'. This is a clear hint that the server expects a code parameter, which we can send with either curl or Burp. My go-to here is BurpSuite and it will always be.

So, back to the beginning. d63af914bd1b6210c358e145d61a8abc is an MD5 hash that is already cracked on hashes.com -> 1628168161. 1628168161 is a Unix timestamp (Thu 5 August 2021 12:56:01 UTC).

The logic is now obvious: tickets are identified by md5(timestamp), so we can look up tickets by sending the MD5 of a timestamp as the code and hope one of them contains the flag. Let's try with the one they gave us.

POST, Content-Type and code

Note: It's crucial not to forget to add the Content-Type: application/x-www-form-urlencoded header, otherwise the server won't parse the code from the request body. It isn't there by default because the browser sent a GET request, which has no body and therefore no Content-Type header.

Name: Nice one Message: Try harder!

Let's make a script to bruteforce timestamp values.

Bruteforce Python Script

The script finds the flag; the correct code is 1628168340, only 179 seconds after the timestamp hidden in the page source.

made by k0d
