🧑‍🎓 Sourceless Guessy Web (Baby Flag)

🧑‍🎓 Sourceless Guessy Web (Baby Flag)

Category: Web

100 points | 435 solves

Challenge Description

WHY SO SERIOUS? WHY NEED SOURCE?

Contrary to the title of this challenge, you do not need to guess. As usual, do not bruteforce or scan our infrastructure, it is not allowed.

Note: There are two flags for this challenge.

http://sourcelessguessyweb.chall.seetf.sg:1337

For beginners:

Solution

Opening the link to the website provided takes us to a page with some Batman-themed text art.

Screenshot of webpage with text art in the shape of the Batman logo

A hyperlink labelled "WHY NEED SOURCE?" is present on the page. Clicking it takes us to the PHP info page.

Screenshot of phpinfo page

Under http_referer, we find http://sourcelessguessyweb.chall.seetf.sg:1337/?page=whysoserious.

Screenshot of phpinfo page with http_referer field

Visiting that URL, we end up at the original page. This seems vulnerable to a directory traversal attack; we can try to access /etc/passwd by setting page to something like ../../../../etc/passwd. After doing this, the text in the Batman text art changes to the contents of /etc/passwd:

Screenshot of web page containing the contents of /etc/passwd

Screenshot of web page containing the contents of /etc/passwd with text highlighted to show the white text

...
usr sbin nologin SEE 2nd fl4g n33ds RCE g00d luck h4x0r
...

We can combine the words after SEE to form the flag.

Flag

SEE{2nd_fl4g_n33ds_RCE_g00d_luck_h4x0r}
Home / SEETF 2022 / Web / 🧑‍🎓 Sourceless Guessy Web (Baby Flag)