author | Malfurious <m@lfurio.us> | 2022-05-07 20:52:36 -0400 |
---|---|---|
committer | Malfurious <m@lfurio.us> | 2022-05-07 20:52:36 -0400 |
commit | e2f6f7d9ee2a5eb46030b90c3939985a56f3a5a6 (patch) | |
tree | c06aaf5476b6b32724dd489316208bac5664a93c | |
parent | b11373e7e04004dcd0996536b66d200af7610658 (diff) | |
download | lib-des-gnux-e2f6f7d9ee2a5eb46030b90c3939985a56f3a5a6.tar.gz lib-des-gnux-e2f6f7d9ee2a5eb46030b90c3939985a56f3a5a6.zip |
Writeup angstromCTF 2022 / Auth Skip
Signed-off-by: Malfurious <m@lfurio.us>
-rw-r--r-- | docs/writeups/angstromCTF_2022/Auth_Skip.txt | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/docs/writeups/angstromCTF_2022/Auth_Skip.txt b/docs/writeups/angstromCTF_2022/Auth_Skip.txt
new file mode 100644
index 0000000..a5a4767
--- /dev/null
+++ b/docs/writeups/angstromCTF_2022/Auth_Skip.txt
@@ -0,0 +1,61 @@
+Clam was doing his angstromCTF flag% speedrun when he ran into the infamous
+timesink known in the speedrunning community as "auth". Can you pull off the
+legendary auth skip and get the flag?
+
+Category: web (40 points)
+Chall author: aplet123
+Writeup author: malfurious
+
+
+
+The website starts on a login page prompting for a username and password, with
+the text "Want flag? Been far? Decided to use? Login first."
+
+As seen in the source code (see below), login supports the username "admin"
+whose password is compared to a string that is randomly generated on each
+request. However, all that is required to view the flag is to navigate to the
+home page with a basic cookie "user=admin", which can be set locally in the
+browser or via a curl command.
+
+> curl -b user=admin https://auth-skip.web.actf.co/
+actf{passwordless_authentication_is_the_new_hip_thing}
+
+
+
+Original source (Javascript): index.js
+--------------------------------------
+const express = require("express");
+const path = require("path");
+const cookieParser = require("cookie-parser");
+
+const app = express();
+const port = Number(process.env.PORT) || 8080;
+
+const flag = process.env.FLAG || "actf{placeholder_flag}";
+
+app.use(express.urlencoded({ extended: false }));
+app.use(cookieParser());
+
+app.post("/login", (req, res) => {
+ if (
+ req.body.username !== "admin" ||
+ req.body.password !== Math.random().toString()
+ ) {
+ res.status(401).type("text/plain").send("incorrect login");
+ } else {
+ res.cookie("user", "admin");
+ res.redirect("/");
+ }
+});
+
+app.get("/", (req, res) => {
+ if (req.cookies.user === "admin") {
+ res.type("text/plain").send(flag);
+ } else {
+ res.sendFile(path.join(__dirname, "index.html"));
+ }
+});
+
+app.listen(port, () => {
+ console.log(`Server listening on port ${port}.`);
+}); |