Web Exploitation
{"authors": ["ret2basic"]}

login

Solved by ret2basic

Challenge

My dog-sitter's brother made this website but I can't get in; can you help?
login.mars.picoctf.net

Source Code

'use strict';

// Client-side login check as served by the challenge page.
// NOTE(review): the expected username and password are embedded below as
// unpadded Base64. Base64 is an encoding, not a way to keep a value secret,
// and the comparison runs entirely in the visitor's browser, so the page
// discloses both values to anyone who reads its script. A credential check
// has to run on the server, against a salted password hash, and the flag must
// not be sent to the client before that check succeeds.
(async () => {
  // Wait for the load event so the form exists before it is wired up.
  await new Promise((resolve) => {
    window.addEventListener("load", resolve);
  });

  const loginForm = document.querySelector("form");
  loginForm.addEventListener("submit", (submitEvent) => {
    // Stop the browser's own form submission; this handler makes no request,
    // so the credentials are never checked anywhere but here.
    submitEvent.preventDefault();

    const selectors = {
      u: "input[name=username]",
      p: "input[name=password]",
    };

    // Base64-encode each field and strip the "=" padding so the result can be
    // compared with the unpadded constants below.
    const encoded = {};
    for (const [field, selector] of Object.entries(selectors)) {
      /** @type {string} */
      encoded[field] = btoa(document.querySelector(selector).value).replace(/=/g, "");
    }

    if (encoded.u !== "YWRtaW4") {
      alert("Incorrect Username");
      return;
    }
    if (encoded.p !== "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ") {
      alert("Incorrect Password");
      return;
    }
    // The "flag" is simply the decoded password constant.
    alert(`Correct Password! Your flag is ${atob(encoded.p)}.`);
  });
})();

Solution

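Base64-decode the two strings the script compares against. The check runs entirely in the browser, so the expected username and password are delivered to every visitor in Base64 form, and the decoded password is the flag.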

caas

Solved by ret2basic

Challenge

Now presenting cowsay as a service
index.js

Source Code

// cowsay-as-a-service: the challenge's Express server (index.js).
const express = require('express');
const { exec } = require('child_process');

const app = express();

// Serve the static front end from ./public.
app.use(express.static('public'));

/**
 * GET /cowsay/:message — run cowsay on the route parameter and return its
 * output as plain text, or an empty 500 response if the command fails.
 *
 * NOTE(review): command injection. exec() hands its string to a shell, and the
 * :message route parameter is interpolated into that string unescaped, so
 * shell metacharacters in the URL are parsed by the shell instead of reaching
 * cowsay as text. The safe form passes the message as a single argv entry with
 * no shell involved:
 *   execFile('/usr/games/cowsay', ['--', req.params.message], callback)
 * (the `--` keeps a message that begins with `-` from being read as an option).
 */
function handleCowsay(req, res) {
  const command = `/usr/games/cowsay ${req.params.message}`;
  exec(command, (error, stdout) => {
    if (error) {
      return res.status(500).end();
    }
    res.type('txt').send(stdout).end();
  });
}

app.get('/cowsay/:message', handleCowsay);

app.listen(3000, () => {
  console.log('listening');
});

Solution

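Command injection: the `:message` route parameter is interpolated unescaped into the string that `exec` passes to a shell, so shell metacharacters in the URL are interpreted by the shell rather than printed by cowsay: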
Command injection