summaryrefslogtreecommitdiffstats
path: root/docs
diff options
context:
space:
mode:
authorMalfurious <m@lfurio.us>2022-05-07 20:52:36 -0400
committerMalfurious <m@lfurio.us>2022-05-07 20:52:36 -0400
commite2f6f7d9ee2a5eb46030b90c3939985a56f3a5a6 (patch)
treec06aaf5476b6b32724dd489316208bac5664a93c /docs
parentb11373e7e04004dcd0996536b66d200af7610658 (diff)
downloadlib-des-gnux-e2f6f7d9ee2a5eb46030b90c3939985a56f3a5a6.tar.gz
lib-des-gnux-e2f6f7d9ee2a5eb46030b90c3939985a56f3a5a6.zip
Writeup angstromCTF 2022 / Auth Skip
Signed-off-by: Malfurious <m@lfurio.us>
Diffstat (limited to 'docs')
-rw-r--r--docs/writeups/angstromCTF_2022/Auth_Skip.txt61
1 files changed, 61 insertions, 0 deletions
diff --git a/docs/writeups/angstromCTF_2022/Auth_Skip.txt b/docs/writeups/angstromCTF_2022/Auth_Skip.txt
new file mode 100644
index 0000000..a5a4767
--- /dev/null
+++ b/docs/writeups/angstromCTF_2022/Auth_Skip.txt
@@ -0,0 +1,61 @@
+Clam was doing his angstromCTF flag% speedrun when he ran into the infamous
+timesink known in the speedrunning community as "auth". Can you pull off the
+legendary auth skip and get the flag?
+
+Category: web (40 points)
+Chall author: aplet123
+Writeup author: malfurious
+
+
+
+The website starts on a login page prompting for a username and password, with
+the text "Want flag? Been far? Decided to use? Login first."
+
+As seen in the source code (see below), login supports the username "admin"
+whose password is compared to a string that is randomly generated on each
+request. However, all that is required to view the flag is to navigate to the
+home page with a basic cookie "user=admin", which can be set locally in the
+browser or via a curl command.
+
+> curl -b user=admin https://auth-skip.web.actf.co/
+actf{passwordless_authentication_is_the_new_hip_thing}
+
+
+
+Original source (Javascript): index.js
+--------------------------------------
+const express = require("express");
+const path = require("path");
+const cookieParser = require("cookie-parser");
+
+const app = express();
+const port = Number(process.env.PORT) || 8080;
+
+const flag = process.env.FLAG || "actf{placeholder_flag}";
+
+app.use(express.urlencoded({ extended: false }));
+app.use(cookieParser());
+
+app.post("/login", (req, res) => {
+ if (
+ req.body.username !== "admin" ||
+ req.body.password !== Math.random().toString()
+ ) {
+ res.status(401).type("text/plain").send("incorrect login");
+ } else {
+ res.cookie("user", "admin");
+ res.redirect("/");
+ }
+});
+
+app.get("/", (req, res) => {
+ if (req.cookies.user === "admin") {
+ res.type("text/plain").send(flag);
+ } else {
+ res.sendFile(path.join(__dirname, "index.html"));
+ }
+});
+
+app.listen(port, () => {
+ console.log(`Server listening on port ${port}.`);
+});