Web Exploitation
{"author": ["ret2basic"]}

login

Solved by: ret2basic

Challenge

My dog-sitter's brother made this website but I can't get in; can you help?
login.mars.picoctf.net

Source Code

'use strict';

/**
 * Client-side "login" check for the challenge page.
 *
 * Waits for the window `load` event, then intercepts the form submit,
 * base64-encodes the username and password fields (with `=` padding
 * stripped) and compares them against the two constants below. The expected
 * values and the comparison both live in the browser, so anyone reading the
 * page source sees the credentials; `atob` of the expected password constant
 * is exactly the message shown on success. Nothing here contacts a server.
 */
(async () => {
  // Block until the page has finished loading.
  await new Promise((resolve) => window.addEventListener("load", resolve));

  const selectors = {
    u: "input[name=username]",
    p: "input[name=password]",
  };
  const EXPECTED_USERNAME = "YWRtaW4";
  const EXPECTED_PASSWORD = "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ";

  /** Base64-encode the current value of the input matched by `selector`, dropping `=` padding. */
  const encodeField = (selector) =>
    btoa(document.querySelector(selector).value).replace(/=/g, "");

  document.querySelector("form").addEventListener("submit", (event) => {
    event.preventDefault();

    // Both fields are encoded before either comparison, as in the original.
    const params = {};
    for (const [key, selector] of Object.entries(selectors)) {
      params[key] = encodeField(selector);
    }

    if (params.u !== EXPECTED_USERNAME) {
      alert("Incorrect Username");
    } else if (params.p !== EXPECTED_PASSWORD) {
      alert("Incorrect Password");
    } else {
      alert(`Correct Password! Your flag is ${atob(params.p)}.`);
    }
  });
})();

Solution

Base64-decode the hard-coded expected password constant in the client-side script; the decoded value is the flag.

Flag

picoCTF{53rv3r_53rv3r_53rv3r_53rv3r_53rv3r}

caas

Solved by: ret2basic

Challenge

Now presenting cowsay as a service
index.js

Source Code

const express = require('express');
const { exec, execFile } = require('child_process');
const app = express();
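app.use(express.static('public'));

/**
 * GET /cowsay/:message — render `message` with cowsay and return it as text.
 *
 * The message is taken verbatim from the URL, so it must never be spliced
 * into a shell command string. execFile runs the cowsay binary directly and
 * passes the message as a single argv entry, which keeps shell metacharacters
 * in the input inert. Any child-process failure is reported as a bare 500.
 */
app.get('/cowsay/:message', (req, res) => {
  // NOTE(review): a message beginning with `-` still reaches cowsay's own
  // option parser; reject such input if that matters here — confirm.
  execFile('/usr/games/cowsay', [req.params.message], (error, stdout) => {
    if (error) return res.status(500).end();
    res.type('txt').send(stdout).end();
  });
});

app.listen(3000, () => {
  console.log('listening');
});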

Solution

Command injection: the `:message` path parameter is interpolated unescaped into the shell command string passed to `exec()`.

Flag

1
picoCTF{moooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0o}