---
title: 'Project documentation template'
disqus: hackmd
---

My Progress :>
===

[TOC]

Picoctf
---

### Get aHEAD

The site gives you a page with two options, red and blue.

The challenge name is the hint: GET a HEAD. So this challenge wants you to use Burp Suite to change the HTTP method and see how the server answers a method the buttons never send.

Proxy the site through Burp Suite and you see that the Blue button sends a POST request. Send that request to Repeater, change the method from POST to HEAD, and the flag appears in the response. (A server that dispatches on the request method without restricting which methods are allowed will happily run whatever branch HEAD lands in.)

![image](https://hackmd.io/_uploads/SykFM2mWC.png)
![image](https://hackmd.io/_uploads/ryw0z2mbR.png)

### hiddenfiles?

### Cookies

### bookmarklet

`Why search for the flag when I can make a bookmarklet to print it for me?`

As the challenge mentions, I searched for [bookmarklet](https://www.freecodecamp.org/news/what-are-bookmarklets/) and found out that it is a bookmark whose URL is a `javascript:` snippet, so clicking it runs JavaScript on the current page :0

Here is the challenge, it already gives you a script

![image](https://hackmd.io/_uploads/r1lwGfWPMR.png)

Simply bookmark the website, then edit the bookmark's URL and replace it with the JavaScript code

![image](https://hackmd.io/_uploads/HkGsMWvGA.png)

And when you click the bookmark again, the flag pops up :3

![image](https://hackmd.io/_uploads/S1almZDGR.png)

> Flag: picoCTF{p@g3_turn3r_cebccdfe}

### It is my birthday

This challenge is about MD5 hash collisions. I looked it up and found [a link](https://www.mscs.dal.ca/~selinger/md5collision/)

![image](https://hackmd.io/_uploads/B1YqpxwfR.png)

The challenge demands that you upload two files with different contents but the same MD5 hash. The link above explains MD5 collisions and provides a demo pair of files that collide. Just download those two files, rename them with a `.pdf` extension (renaming does not touch the bytes, so the two MD5 digests stay identical) and upload them :)

![image](https://hackmd.io/_uploads/HkSV0gvM0.png)

and then you got da flag :>

> Flag: picoCTF{c0ngr4ts_u_r_1nv1t3d_aad886b9}

### logon?

```
The factory is hiding things from all of its users.
Can you login as Joe and find what they've been looking at?
```

![image](https://hackmd.io/_uploads/rkXJLbvf0.png)

Everything seems normal :) now we try to log in and see what happens.

![image](https://hackmd.io/_uploads/BkxfUbPz0.png)

It seems that I am logged in but still don't get the flag. Whenever a web challenge involves a login or an admin role, check the cookies first.

![image](https://hackmd.io/_uploads/Hk_wLbDfR.png)

There is a cookie named `admin` with the value `False`, so we modify it :))) to `True`. The server trusts a value the client controls, which is exactly why this works. Andd here comes the flag :3

![image](https://hackmd.io/_uploads/H1goIbvMA.png)

> Flag: picoCTF{th3_c0nsp1r4cy_l1v3s_0c98aacc}

### Web decode

```
Do you know how to use the web inspector?
```

![image](https://hackmd.io/_uploads/rJdsdZvzR.png)

Nothing special about the website. But yeah :))) as it says, inspect the whole website, and in the About section I found something

![image](https://hackmd.io/_uploads/SyR8zfvzR.png)

The hint says the flag might be "encrypted", but it is only encoded, so I used CyberChef to decode it and got the flag :3

> Flag: picoCTF{web_succ3ssfully_d3c0ded_df0da727}

### Dont-use-client-side

```
Can you break into this super secure portal?
```

![image](https://hackmd.io/_uploads/Sks8EGvfC.png)

I just inspected the source code and found this :) The "password check" runs in the browser, so whatever it compares against is visible to every user. Client-side checks are not access control.

> Flag: picoCTF{no_clients_plz_b706c5}

### Who are you

```
Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn
```

![image](https://hackmd.io/_uploads/Hyz0qHuzA.png)

First we see that it demands that we use PicoBrowser. I checked the source code and inspected the website but found nothing, so I used Burp Suite Repeater to set the `User-Agent` header to PicoBrowser.

![image](https://hackmd.io/_uploads/rk0DsruMR.png)

With the PicoBrowser User-Agent, a new message pops up: "I don't trust users visiting from another site." The site wants us to have arrived from itself rather than from some other site, so I set the `Referer` header (the header that names the page that linked to the current one) to this site's own URL.
![image](https://hackmd.io/_uploads/rJ35aHOGA.png)

And now it says "this site only worked in 2018". So I thought of the header that carries the time of the request and added a `Date` header with a 2018 date.

![image](https://hackmd.io/_uploads/BklH0BdzC.png)

Next it complains about tracking. I searched for an HTTP header about tracking and found `DNT` (Do Not Track), so I just added that header too C:

![image](https://hackmd.io/_uploads/rkADJUdGR.png)

Then it only wants people from Sweden, and the thing that indicates where you are is your IP address :)). I searched for a header that carries the client's IP address and found `X-Forwarded-For` (XFF). For this you need a Swedish IP address; just search the internet for Sweden's IP ranges and pick one :) (XFF is set by whoever sends the request, so a server that uses it for geolocation is trusting the client.)

![image](https://hackmd.io/_uploads/HkhDlIdM0.png)

Next it's about language, so just add an `Accept-Language` header with Swedish.

![image](https://hackmd.io/_uploads/H1X0x8OzR.png)

Andd finally the flag pops up, after many requests @@

> Flag: picoCTF{http_h34d3rs_v3ry_c0Ol_much_w0w_8d5d8d77}

### Includes

```
Can you get the flag?
```

![image](https://hackmd.io/_uploads/HJZdSmvz0.png)

First we look at the source code

![image](https://hackmd.io/_uploads/SkOtHQPG0.png)

I saw the index.js file, so I opened it and saw this

![image](https://hackmd.io/_uploads/rkNISmvMR.png)

This looks like something encoded, so I used CyberChef to decode it

![image](https://hackmd.io/_uploads/ByOewQPzA.png)

And tada, the flag!

> Flag: picoCTF{53rv3r_53rv3r_53rv3r_53rv3r_53rv3r}

### Search source

```
The developer of this website mistakenly left an important artifact in the website source, can you find it?
```

The hint says you can mirror the website locally to solve this problem, so I mirrored the website with httrack.

![image](https://hackmd.io/_uploads/SyiFGK_fC.png)

After the download we can see that a lot of files came down, far too much data to read by hand, so how do we filter it?
Now grep comes in handy; it is a powerful tool for filtering data.

![image](https://hackmd.io/_uploads/ryP5QYuGA.png)

And the flag comes :)

> Flag: picoCTF{1nsp3ti0n_0f_w3bpag3s_ec95fa49}

### SOAP

```
The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?
```

### Tools :)

- XSS vuln (get admin cookies): https://forum.portswigger.net/thread/how-to-fetch-cookies-cca5974eb53d091 (`fetch` was the annoying part)
- HTML things :v
- flask-unsign: tool for websites built on Flask (Flask signs its session cookies; the tool decodes them and brute-forces weak secret keys)
- cookies: change them with a browser extension (or the devtools storage tab)
- burpsuite: use Repeater to send and modify headers
- Hashes are "digests", not "encryption": [hash thing](http://www.unixwiz.net/techtips/iguide-crypto-hashes.html)
- mirror the website locally :000 [mirror](https://www.youtube.com/watch?v=PZlbmV20gOw) or use httrack ;-; wget did not work well for me
- grep: find information on Linux, good for searching
- XML, REGEX
- https://github.com/WebAssembly/wabt (WebAssembly Binary Toolkit)
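For the logon challenge above: the `admin=False` cookie is forgeable because the server believes whatever the client sends. The script below is an added example and not part of the original writeup; the cookie names are taken from the challenge, while the secret key is a constructed placeholder. It shows the writeup's flip next to an HMAC-signed cookie that rejects the same edit. Flask signs its session cookies in this style, which is why flask-unsign from the Tools list attacks the secret key instead of editing the value.

```python
import hashlib
import hmac

# Constructed server-side secret for the demo; a real app keeps this off the client.
SECRET = b"constructed-demo-key-do-not-reuse"


def parse_cookie(header):
    """Turn 'user=joe; admin=False' into {'user': 'joe', 'admin': 'False'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            out[key] = value
    return out


def is_admin_naive(cookie_header):
    """What the challenge does: believe a flag the client chose."""
    return parse_cookie(cookie_header).get("admin") == "True"


def forge_admin(cookie_header):
    """The writeup's attack: flip admin=False to admin=True and resend."""
    cookie = parse_cookie(cookie_header)
    cookie["admin"] = "True"
    return "; ".join(f"{k}={v}" for k, v in cookie.items())


def sign(value, key=SECRET):
    """value.<hex HMAC-SHA256 of value>; only the key holder can produce the tag."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(signed, key=SECRET):
    """Return the value if its tag checks out, else None (constant-time compare)."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def is_admin_signed(cookie_header, key=SECRET):
    """Hardened check: the admin value counts only when its HMAC verifies."""
    return verify(parse_cookie(cookie_header).get("admin", ""), key) == "True"


if __name__ == "__main__":
    cookie = "user=joe; admin=False"
    print(is_admin_naive(cookie), is_admin_naive(forge_admin(cookie)))     # False True
    signed = "user=joe; admin=" + sign("False")
    print(is_admin_signed(signed), is_admin_signed(forge_admin(signed)))   # False False
```

The signed form only helps while the key stays secret and hard to guess; a short or default key falls to exactly the brute force flask-unsign automates.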
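For Get aHEAD and Who are you above: both servers branch on something the client fully controls, the request method in one case and a chain of request headers in the other. This is an added example, not the challenge code or the original writeup: a throwaway local server that behaves the way those two targets did, plus a client that solves them without Burp. The flags are constructed placeholders, the two quoted messages come from the writeup and the other messages are paraphrased guesses, and the RFC 5737 TEST-NET address stands in for whatever Swedish address you look up.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders, not the real challenge flags.
FLAG_HEAD = "flag{mock_head_response}"
FLAG_WHO = "flag{mock_header_gauntlet}"
# RFC 5737 TEST-NET address standing in for a real Swedish address.
SWEDEN_IP = "192.0.2.10"

# The "Who are you" checks in the order the writeup hit them. Two messages are
# quoted from the writeup; the rest are assumptions for the demo.
WHO_CHECKS = [
    ("User-Agent", lambda v: v == "PicoBrowser", "Only PicoBrowser is allowed"),
    ("Referer", lambda v: v is not None and "127.0.0.1" in v,
     "I don't trust users visiting from another site."),
    ("Date", lambda v: v is not None and "2018" in v, "this site only worked in 2018"),
    ("DNT", lambda v: v == "1", "I don't trust users who can be tracked"),
    ("X-Forwarded-For", lambda v: v == SWEDEN_IP, "Swedish visitors only"),
    ("Accept-Language", lambda v: v is not None and v.startswith("sv"), "Swedish language only"),
]


class MockHandler(BaseHTTPRequestHandler):
    def _text(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if self.path == "/whoami":
            for name, ok, msg in WHO_CHECKS:
                if not ok(self.headers.get(name)):   # first failing header wins
                    return self._text(f"{msg} (header: {name})")
            return self._text("What can I say except " + FLAG_WHO)
        self._text("GET: choose red or blue")

    def do_POST(self):
        self._text("POST: nothing to see here")

    def do_HEAD(self):
        # Get aHEAD: only the HEAD branch exposes the flag. HEAD responses carry
        # no body, so the mock leaks it in a header (Burp shows whatever the
        # real server sent).
        self.send_response(200)
        self.send_header("X-Flag", FLAG_HEAD)
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_mock():
    """Bind an ephemeral port and serve in a daemon thread; caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(port, method, path, headers=None):
    """One request to the mock; returns (status, lowercase header dict, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    result = (resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read().decode())
    conn.close()
    return result


def solve_head(port):
    """The Repeater trick from Get aHEAD: same URL, method changed to HEAD."""
    return request(port, "HEAD", "/")[1].get("x-flag")


def solve_whoami(port, how_many=len(WHO_CHECKS)):
    """Send the first how_many headers of the gauntlet and return the body."""
    full = {
        "User-Agent": "PicoBrowser",
        "Referer": f"http://127.0.0.1:{port}/whoami",
        "Date": "Mon, 01 Jan 2018 00:00:00 GMT",
        "DNT": "1",
        "X-Forwarded-For": SWEDEN_IP,
        "Accept-Language": "sv-SE,sv;q=0.9",
    }
    names = [name for name, _, _ in WHO_CHECKS][:how_many]
    return request(port, "GET", "/whoami", {n: full[n] for n in names})[2]


if __name__ == "__main__":
    srv = start_mock()
    port = srv.server_port
    print(solve_head(port))
    for n in range(len(WHO_CHECKS) + 1):
        print(n, solve_whoami(port, n))
    srv.shutdown()
```

Running it with `how_many` stepping from 0 to 6 reproduces the one-header-at-a-time walk from the writeup. The X-Forwarded-For check is the one to remember: the header is written by the client (or by any proxy in the path), so it proves nothing about where the request came from.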
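For Web decode, Includes and Search source above: the flag sat in the page source once as plain text (found with grep over an httrack mirror) and twice as an encoded string (found by pasting into CyberChef). The script below is an added example, not from the original writeup or the challenges: it does the `grep -r` over a mirrored directory and also tries base64, hex and rot13 (stacked up to three deep) on any encoded-looking token, so a doubly encoded value is found in one pass. The sample mirror it builds is constructed; the two flags inside it are the ones quoted on this page.

```python
import base64
import binascii
import codecs
import os
import re
import tempfile

FLAG_RE = re.compile(r"picoCTF\{[^}]+\}")
# Runs of base64/hex alphabet long enough to be worth decoding.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
TEXT_EXT = {".html", ".htm", ".js", ".css", ".txt", ".json", ".xml"}

DECODERS = {
    "base64": lambda s: base64.b64decode(s, validate=True).decode(),
    "hex": lambda s: bytes.fromhex(s).decode(),
    "rot13": lambda s: codecs.decode(s, "rot_13"),
}


def find_flag(text, max_depth=3):
    """Breadth-first search over DECODERS up to max_depth layers deep.

    Returns (chain_of_decoder_names, flag) or None. The shortest chain wins,
    which is what you want when a value was encoded more than once.
    """
    frontier = [(text.strip(), [])]
    for _ in range(max_depth + 1):
        nxt = []
        for cur, chain in frontier:
            match = FLAG_RE.search(cur)
            if match:
                return chain, match.group(0)
            for name, dec in DECODERS.items():
                try:
                    out = dec(cur)
                except (ValueError, binascii.Error, UnicodeDecodeError):
                    continue
                if out and out != cur:
                    nxt.append((out, chain + [name]))
        frontier = nxt
    return None


def scan_mirror(root):
    """grep -r for the flag format, plus a decode pass over encoded-looking tokens."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for match in FLAG_RE.finditer(data):
                hits.append((rel, [], match.group(0)))
            for token in TOKEN_RE.findall(data):
                found = find_flag(token)
                if found:
                    hits.append((rel, found[0], found[1]))
    return sorted(hits)


def build_sample_mirror():
    """Constructed stand-in for an httrack dump; the flags are the ones quoted above."""
    plain = "picoCTF{1nsp3ti0n_0f_w3bpag3s_ec95fa49}"
    encoded = "picoCTF{web_succ3ssfully_d3c0ded_df0da727}"
    b64 = base64.b64encode(encoded.encode()).decode()
    files = {
        "index.html": "<!-- notice: " + b64 + " -->",
        "css/style.css": "body{color:#333} /* " + plain + " */",
        "js/app.js": "var k = '" + b64.encode().hex() + "';",   # hex over base64
        "img/logo.png": "not text, skipped by extension",
    }
    root = tempfile.mkdtemp(prefix="mirror-")
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in scan_mirror(build_sample_mirror()):
        print(hit)
```

Point `scan_mirror` at the directory httrack produced instead of the sample and it reports the file, the decoder chain (empty for plain text) and the flag. Extend `TEXT_EXT` if the site serves assets under unusual extensions.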