WEB
This section is specifically for the WEB challenges.
Bookmarklet

The first challenge I solved in picoCTF 2024 is Bookmarklet. What is a bookmarklet?
A bookmarklet is a bookmark stored in a web browser that contains JavaScript commands which add new features to the browser. They are stored as the URL of a bookmark in the web browser or as a hyperlink on a web page.
One use case of a bookmarklet is to hide options on a webpage.

Here is one example bookmarklet. In the challenge, the bookmarklet code looks like this:
As shown in the code snippet above, there is a variable 'encrypted flag' that holds the flag, but in encrypted form. How do we decrypt the flag?

My method: I ran the code in the browser console. You can find it by opening Inspect Element and then the Console tab. The first time you use the console in a browser, you may need to type 'allow pasting' so the console will run code from an unknown source.

After copying and pasting the bookmarklet code, just press Enter to run it. The browser will then pop up the flag.
WebDecode

The next challenge is WebDecode. I think this is the easiest challenge in picoCTF 2024, because the challenge description is clear: 'web inspector'. This means the flag in this challenge is probably hidden inside the source code of the web pages.

This is the website you will see after clicking the link.

After reviewing the source code of every page on the website, there is a strange string on the About page that is base64 encoded.

After decoding the base64 with an online base64 decoder, yes, I obtained the flag.
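Decoding one string by hand works for a CTF, but the same review can be scripted: scan page source for base64-looking tokens and keep only those that decode to printable text. The following is an added example, not code from the writeup or from picoCTF; the HTML fragment and the encoded placeholder are constructed, and the 16-character minimum and printable-text filter are my own heuristics for cutting down false positives such as session identifiers.

```python
import base64
import re

# Candidate tokens: base64 alphabet, at least 16 characters, optional '=' padding
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_strings(html: str):
    """Return (token, decoded_text) pairs for tokens that decode to printable UTF-8."""
    hits = []
    for match in B64_TOKEN.finditer(html):
        token = match.group(0)
        if len(token) % 4 != 0:
            continue  # valid base64 is always padded to a multiple of 4
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: skip random-looking identifiers
        if decoded.isprintable():
            hits.append((token, decoded))
    return hits


# Constructed page fragment; the encoded value is a placeholder, not the challenge flag
SAMPLE_HTML = (
    '<html><body class="about">\n'
    '<input type="hidden" name="sessionid" value="ABCDEFGHIJKLMNOPQRST">\n'
    '<div class="hidden">'
    + base64.b64encode(b"picoCTF{constructed_placeholder}").decode()
    + "</div>\n</body></html>"
)

if __name__ == "__main__":
    for token, text in find_base64_strings(SAMPLE_HTML):
        print(f"{token} -> {text}")
```

The `sessionid` value in the sample is 20 base64-alphabet characters, so a regex alone would flag it; it is dropped because its decoded bytes are not valid UTF-8. From the defender's side, the same scan run against your own pages is a cheap way to catch secrets that were "hidden" by encoding rather than removed.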
Unminify

This challenge is quite similar to the WebDecode challenge above: we need to do source code review, but it is a little more complicated.

The source code displayed by the 'view-source' function looks like this. Since we know the flag format is 'picoCTF', we can use the browser's 'find' function to locate the flag more quickly.

This is the real flag.
IntroToBurp

For this challenge we need to use Burp Suite to obtain the flag.

This is the webpage for this challenge. Just fill in the form and then click Register.

After clicking Register, it brings us to a 2FA authentication page. Enter anything in the OTP field, but before clicking Submit, make sure 'Intercept' is turned on in Burp Suite.

You will see the intercepted request from the 2FA authentication page. How do we bypass it? There are a few methods. The easiest is to create whitespace above "otp=": simply press space twice above "otp=".

It will look like this after the two spaces are added above "otp=". Then click Forward and watch how the web application behaves.

After clicking Forward in Burp Suite, we get the flag.
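What makes this bypass work is a check that fails open: when the request body is mangled, the server no longer sees a parameter literally named `otp`, and a check of the form "if an OTP was supplied, compare it" silently passes. The following is an added example, not the challenge's server code; it simulates that failure with Python's `urllib.parse.parse_qs`, assumes the server treated a parameter with a mangled name as absent, and uses a constructed expected code. The hardened version fails closed and compares in constant time.

```python
import hmac
from urllib.parse import parse_qs

# Constructed value standing in for whatever the server generated; not from the challenge
EXPECTED_OTP = "482913"


def check_otp_vulnerable(body: str) -> bool:
    """Fail-open check: the comparison only happens if an 'otp' field was parsed."""
    params = parse_qs(body)
    otp = params.get("otp")
    if otp is None:
        # Missing field treated as "nothing to verify" instead of as a failure
        return True
    return otp[0] == EXPECTED_OTP


def check_otp_hardened(body: str) -> bool:
    """Fail-closed check: exactly one 'otp' field, compared in constant time."""
    params = parse_qs(body)
    otp = params.get("otp")
    if otp is None or len(otp) != 1:
        return False
    return hmac.compare_digest(otp[0].encode(), EXPECTED_OTP.encode())


def parsed_keys(body: str) -> list:
    """Show which parameter names the server actually sees after parsing."""
    return list(parse_qs(body).keys())


# Constructed request bodies: a normal submission of a wrong code, and the same
# body with blank lines inserted above "otp=" as described in the writeup.
NORMAL_BODY = "otp=000000"
MANGLED_BODY = "\r\n\r\notp=000000"

if __name__ == "__main__":
    for body in (NORMAL_BODY, MANGLED_BODY):
        print(repr(body), "keys:", parsed_keys(body),
              "vulnerable:", check_otp_vulnerable(body),
              "hardened:", check_otp_hardened(body))
```

The mangled body parses to a single key of `"\r\n\r\notp"`, so `params.get("otp")` returns `None` and the vulnerable handler accepts the request without ever comparing a code. The fix is not a better parser but the rule that a second factor which cannot be verified is a failed second factor; rejecting duplicate fields and using `hmac.compare_digest` close the remaining gaps.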
Trickster

The next challenge is Trickster. For this challenge we need to bypass a file upload filter.

This is the challenge page. As we can see, the upload page only accepts PNG files, so we need to upload a web reverse shell that looks like a PNG file.

I tried to upload a normal web reverse shell file, but the upload server has extension validation: if the uploaded file does not have a '.png' extension, it refuses the file. All we need to do is rename our web reverse shell file to <filename.png.php>.

After renaming the web reverse shell file and trying the upload again, the server detects that it is not a valid PNG file. This means the upload server has another protection: a magic byte check. It checks whether the file starts with the hex signature of a valid PNG; if not, it refuses the file.

To bypass this protection, we add the PNG header to the web reverse shell file so that it looks like a PNG file.

After that, upload the modified web reverse shell again and you will get a success message. That means your file has been uploaded. Now let's find where the file is located.
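Both protections the writeup runs into are weak in a predictable way: the extension check looks for `.png` anywhere in the name rather than as the only extension, and the magic byte check trusts the first 8 bytes. The following is an added example of a stricter validator, not the challenge's code: it takes the last extension only, allows a single dot in the name, and walks the PNG chunk list (lengths, chunk types, CRC32, IHDR first, IEND last with no trailing bytes) instead of just the signature. The 1x1 PNG and the header-only fake are constructed sample inputs; the function and constant names are my own.

```python
import os
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.png$")


def extension_ok(filename: str) -> bool:
    """Reject double extensions such as 'shell.png.php'.

    os.path.splitext returns the *last* extension, and SAFE_NAME allows only
    one dot, so 'shell.png.php' fails both tests.
    """
    _, ext = os.path.splitext(filename)
    return ext.lower() == ".png" and SAFE_NAME.match(filename) is not None


def png_structure_ok(data: bytes) -> bool:
    """Walk the PNG chunk list instead of trusting the 8-byte signature.

    A script with a PNG header prepended passes a signature-only check but has
    no IHDR chunk, no sane chunk lengths and no matching CRCs.
    """
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            return False  # declared length runs past end of file
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)  # nothing may follow IEND
    return False


def upload_allowed(filename: str, data: bytes) -> bool:
    return extension_ok(filename) and png_structure_ok(data)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as a known-good sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples standing in for the uploads described in the writeup
GOOD_PNG = make_tiny_png()
FAKE_PNG = PNG_SIGNATURE + b"<?php /* constructed placeholder, not a payload */ ?>"

if __name__ == "__main__":
    print("image.png + real PNG      ->", upload_allowed("image.png", GOOD_PNG))
    print("shell.png.php + real PNG  ->", upload_allowed("shell.png.php", GOOD_PNG))
    print("shell.png + header only   ->", upload_allowed("shell.png", FAKE_PNG))
```

Chunk validation stops the header-only trick, but a valid PNG can still carry arbitrary bytes inside a correctly checksummed ancillary chunk, so structure checks are defence in depth rather than the fix. The control that actually closes this class of bug is the one the challenge lacks: uploads stored outside the document root, or served from a location with no script handler, so that whatever the file contains is never executed.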

Use dirsearch to find interesting directories. As shown above, there is an uploads directory. Our web reverse shell file can be accessed at <challenge_link/uploads/web_reverse_shell_file>.

After that, we get something like this. We can run commands such as cat, ls and find in the field.

To find the flag, I used the command ' find / -name *.txt* '. This command finds every file with a '.txt' extension in every directory on the web server. As we can see above, there is an interesting text file, ' GNTDOMBWGIZDE.txt '. Let's view the file.

To view the file, run the cat command with the path to ' GNTDOMBWGIZDE.txt ' in the field. It should look like ' cat /var/www/html/GNTDOMBWGIZDE.txt '. After that, you will get the flag.