author | Malfurious <m@lfurio.us> | 2022-08-21 14:36:00 -0400 |
committer | Malfurious <m@lfurio.us> | 2022-08-21 14:36:00 -0400 |
commit | 94efc98b3d75d5520189c2d105541cd09aa3cff7 (patch) | |
tree | c38042edc85560f9b807d9c58113eea40cda4adf /docs/writeups/angstromCTF_2022/Auth_Skip.txt | |
parent | 83a7e196cfcefee11e9bed6542b2dd5954b3d055 (diff) | |
parent | 8456a85a083c7cbc957e6a9176c0c7a608b63283 (diff) | |
Merge branch 'malf-angstrom-2022'
* malf-angstrom-2022:
Writeup angstromCTF 2022 / whatsmyname
Writeup angstromCTF 2022 / uninspired
Writeup angstromCTF 2022 / baby3
Writeup angstromCTF 2022 / Auth Skip
angstromCTF 2022 results
Diffstat (limited to 'docs/writeups/angstromCTF_2022/Auth_Skip.txt')
-rw-r--r-- | docs/writeups/angstromCTF_2022/Auth_Skip.txt | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/docs/writeups/angstromCTF_2022/Auth_Skip.txt b/docs/writeups/angstromCTF_2022/Auth_Skip.txt
new file mode 100644
index 0000000..a5a4767
--- /dev/null
+++ b/docs/writeups/angstromCTF_2022/Auth_Skip.txt
@@ -0,0 +1,61 @@
+Clam was doing his angstromCTF flag% speedrun when he ran into the infamous
+timesink known in the speedrunning community as "auth". Can you pull off the
+legendary auth skip and get the flag?
+
+Category: web (40 points)
+Chall author: aplet123
+Writeup author: malfurious
+
+
+
+The website starts on a login page prompting for a username and password, with
+the text "Want flag? Been far? Decided to use? Login first."
+
+As seen in the source code (see below), login supports the username "admin"
+whose password is compared to a string that is randomly generated on each
+request. However, all that is required to view the flag is to navigate to the
+home page with a basic cookie "user=admin", which can be set locally in the
+browser or via a curl command.
+
+> curl -b user=admin https://auth-skip.web.actf.co/
+actf{passwordless_authentication_is_the_new_hip_thing}
+
+
+
+Original source (Javascript): index.js
+--------------------------------------
+const express = require("express");
+const path = require("path");
+const cookieParser = require("cookie-parser");
+
+const app = express();
+const port = Number(process.env.PORT) || 8080;
+
+const flag = process.env.FLAG || "actf{placeholder_flag}";
+
+app.use(express.urlencoded({ extended: false }));
+app.use(cookieParser());
+
+app.post("/login", (req, res) => {
+ if (
+ req.body.username !== "admin" ||
+ req.body.password !== Math.random().toString()
+ ) {
+ res.status(401).type("text/plain").send("incorrect login");
+ } else {
+ res.cookie("user", "admin");
+ res.redirect("/");
+ }
+});
+
+app.get("/", (req, res) => {
+ if (req.cookies.user === "admin") {
+ res.type("text/plain").send(flag);
+ } else {
+ res.sendFile(path.join(__dirname, "index.html"));
+ }
+});
+
+app.listen(port, () => {
+ console.log(`Server listening on port ${port}.`);
+});