ASCyberWargames2021 Qualifications | Retention | Web Challenge Walkthrough

Asem Eleraky
Aug 1, 2021

In this post, I am going to walk you through a Web CTF challenge from the Arab Security Cyber Wargames 2021 Qualifications. Hope you enjoy reading!

Retention | 600 points

Challenge description:
The second time you visit us the loading would be faster. The flag must start with ASCWG❴…answer❵

First, let’s check the challenge link

There are many pages, but nothing interesting except login.php and contact.php.

Start with login.php:

login.php

I tried to log in with some common default credentials and also tried to find SQL injection, with no result.

But I wanted to check whether there is a page that a successful login attempt leads to, so I tried Dirsearch and found that there is a PHP file called account.php.

For contact.php:

contact.php

This is a usual contact form, except for the URL input field, which accepts URLs from users so that the administrator will visit them later, which is unusual!

So I tried google.com, and the response came back with failExternal and gave me a message that said we should enter only local IPs/domains!

Let’s try with localhost or any internal IPs

The same failed response.

Maybe I can try another scheme like file:// or data://, but these were not accepted.

I tried to bypass these restrictions on this input, but all I got was the same failed response.

The challenge description has very useful information:
“The second time you visit us the loading would be faster”
which may refer to something related to caching!

Later, there was a hint from the challenge author to all users:
“Hint: you can use this “172.20.9.14” in Retention”

I tried the given IP to see the response.

So, here we need to cache a page from the internal network, but which one? And how?

The page that we believe exists and may contain useful information is account.php, so I tried a Cache Poisoning Attack on this page, so that if we visit it from our end, we can find credentials or tokens.

I tried sending 200 requests with Burp Intruder and then visited the page; sadly, it redirected me to login.php.

It came to my mind to use DNS rebinding, so I could make the first DNS record point to my server and the second one to the internal IP “172.20.9.14”.
But again, the Link input does not accept any domains.

As the account.php page redirects me to login.php, maybe I can use a Cache Deception Attack by requesting a file that is usually cached by the proxy server; the files I mean here are the JavaScript and CSS files.

So let’s try it!

I tried to request the file to see if it was cached!

We got the flag on the account.php file!
Flag: ASCWG{C4ch!nG_N0t Alw4Ys_7HE_BESt_solution!!!}
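The caching flaw behind this challenge, seen from the proxy's side, as an added example that is not part of the original write-up or the challenge's own code: a cache rule keyed only on the URL extension next to a hardened rule. The request paths, response headers and rule set are constructed assumptions, since the write-up does not show the exact request or the proxy configuration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed rule set: extensions the proxy treats as static, with their expected types.
STATIC_TYPES = {".css": {"text/css"},
                ".js": {"application/javascript", "text/javascript"}}

def _ext(url):
    return posixpath.splitext(urlsplit(url).path)[1].lower()

def weak_should_cache(url, headers):
    """Extension-only rule: the behaviour that makes cache deception possible."""
    return _ext(url) in STATIC_TYPES

def hardened_should_cache(url, headers):
    """Cache only when the origin allows it and the body really is a static asset."""
    ext = _ext(url)
    if ext not in STATIC_TYPES:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().split("=")[0].lower()
                  for d in h.get("cache-control", "").split(",")}
    if directives & {"private", "no-store", "no-cache"}:
        return False                      # origin marked the response per-user
    if "set-cookie" in h:
        return False                      # session-bearing responses stay out of the cache
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return ctype in STATIC_TYPES[ext]     # HTML served under a .css name is rejected

# Constructed sample responses as the proxy would see them from the origin.
SAMPLES = [
    ("/static/site.css", {"Content-Type": "text/css",
                          "Cache-Control": "public, max-age=3600"}),
    ("/account.php/x.css", {"Content-Type": "text/html; charset=UTF-8",
                            "Cache-Control": "private"}),
    ("/account.php/x.css", {"Content-Type": "text/html"}),
    ("/account.php", {"Content-Type": "text/html"}),
]

def compare(samples=SAMPLES):
    """Return (url, weak_decision, hardened_decision) for each sample."""
    return [(u, weak_should_cache(u, h), hardened_should_cache(u, h))
            for u, h in samples]

if __name__ == "__main__":
    for url, weak, hard in compare():
        print(f"{url:22} weak={weak!s:5} hardened={hard}")
```

The second and third rows are the ones that matter: the extension-only rule stores a per-user HTML page under a static-looking name, while the hardened rule refuses it on either the `Cache-Control` directive or the content-type mismatch.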

Don’t forget to check the write-ups for the rest of the challenges, written by my great teammate Abdalla Tarek. Check them out from Here!

Team: FireFall
Rank: 2 — Qualified to finals!
