path: root/docs/writeups/angstromCTF_2022/Auth_Skip.txt
Clam was doing his angstromCTF flag% speedrun when he ran into the infamous
timesink known in the speedrunning community as "auth".  Can you pull off the
legendary auth skip and get the flag?

Category:       web (40 points)
Chall author:   aplet123
Writeup author: malfurious



The website starts on a login page prompting for a username and password, with
the text "Want flag?  Been far?  Decided to use?  Login first."

As the source code below shows, the login route accepts only the username
"admin", and it compares the submitted password against a string freshly
generated by Math.random() on every request, so the form itself cannot be passed
reliably.  However, the home page never checks how the "user" cookie was
obtained: requesting it with a plain, unsigned cookie "user=admin", set locally
in the browser or via a curl command, is all that is required to view the flag.

> curl -b user=admin https://auth-skip.web.actf.co/
actf{passwordless_authentication_is_the_new_hip_thing}



Original source (Javascript): index.js
--------------------------------------
const express = require("express");
const path = require("path");
const cookieParser = require("cookie-parser");

const app = express();
const port = Number(process.env.PORT) || 8080;

const flag = process.env.FLAG || "actf{placeholder_flag}";

app.use(express.urlencoded({ extended: false }));
app.use(cookieParser());

app.post("/login", (req, res) => {
    if (
        req.body.username !== "admin" ||
        req.body.password !== Math.random().toString()
    ) {
        res.status(401).type("text/plain").send("incorrect login");
    } else {
        res.cookie("user", "admin");
        res.redirect("/");
    }
});

app.get("/", (req, res) => {
    if (req.cookies.user === "admin") {
        res.type("text/plain").send(flag);
    } else {
        res.sendFile(path.join(__dirname, "index.html"));
    }
});

app.listen(port, () => {
    console.log(`Server listening on port ${port}.`);
});