Intigriti 1337Up Live 2024-CTF Web Challenges


Last updated 5 months ago


In the name of God, the Most Gracious, the Most Merciful, and peace and blessings be upon our master Muhammad. Hey there, this is SirReda (AKA 0xHunterr), and this is a walkthrough for the Web challenges I solved in the Intigriti 1337Up 2024 CTF.

Pizza Paradise

A static site with almost no functionality, and the page source has nothing interesting, so the next stop is robots.txt:

User-agent: *
Disallow: /secret_172346606e1d24062e891d537e917a90.html
Disallow: /assets/

[Screenshot: the secret HTML page]

Checking its source code, I noticed some interesting scripts:

// auth.js
const validUsername = "agent_1337";
const validPasswordHash = "91a915b6bdcfb47045859288a9e2bd651af246f07a083f11958550056bed8eac";

function getCredentials() {
    return {
        username: validUsername,
        passwordHash: validPasswordHash,
    };
}

<script>
    function hashPassword(password) {
        return CryptoJS.SHA256(password).toString();
    }

    function validate() {
        const username = document.getElementById("username").value;
        const password = document.getElementById("password").value;

        const credentials = getCredentials();
        const passwordHash = hashPassword(password);

        if (
            username === credentials.username &&
            passwordHash === credentials.passwordHash
        ) {
            return true;
        } else {
            alert("Invalid credentials!");
            return false;
        }
    }
</script>

I log in with the credentials I now have, agent_1337:intel420.

The download works with a GET request to https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php?download=/assets/images/topsecret1.png

Testing path traversal in that query parameter, https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php?download=/assets/images/../../../../../etc/passwd, and it worked.

Trying /flag.txt gives file not found, so instead of guessing filenames let's download the PHP source itself: https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php?download=/assets/images/../../topsecret_a9aedc6c39f654e55275ad8e65e316b3.php

Right at the very beginning of the file:

flag: INTIGRITI{70p_53cr37_m15510n_c0mpl373}
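How a download handler like this should be written, as an added example (not the challenge's PHP, which is not reproduced on this page): the requested name is resolved with realpath() and served only if it stays inside one fixed assets directory. The base directory and the shape of the download parameter are assumptions.

```php
<?php
// Added example, not the challenge code: serve files from one directory only.
// Assumption: downloads live under <webroot>/assets and the parameter is a
// path relative to it, e.g. ?download=images/topsecret1.png

function resolveDownload(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null; // missing base directory, or NUL byte in the name
    }
    // realpath() collapses every ".." segment, so a request such as
    // images/../../topsecret.php resolves to where the file really is,
    // and that real location is what gets compared against the prefix.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null; // target does not exist or is not a regular file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved to somewhere outside the allowed directory
    }
    return $candidate;
}

$path = resolveDownload($_GET['download'] ?? '', __DIR__ . '/assets');
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

With this in place the two requests from the writeup behave differently: the traversal to /etc/passwd is rejected by the prefix check, and the PHP file one level above assets/ is rejected for the same reason, while images/topsecret1.png is served normally.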

BioCorp

Again a basic static site, so let's head into the provided source code:

Nothing interesting except panel.php: a hidden panel whose access is restricted by some kind of header and IP check. We can supply the required values with curl or with a match-and-replace rule in Burp:

It displays the XML data from the nuclear equipment, but it also accepts XML via a POST request:

if ($_SERVER['REQUEST_METHOD'] === 'POST' && strpos($_SERVER['CONTENT_TYPE'], 'application/xml') !== false) {
    $xml_data = file_get_contents('php://input');
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml_data, LIBXML_NOENT)) {
        echo "<h1>Invalid XML</h1>";
        exit;
    }
} else {
    $xml_data = file_get_contents('data/reactor_data.xml');
    $doc = new DOMDocument();
    $doc->loadXML($xml_data, LIBXML_NOENT);
}

$temperature = $doc->getElementsByTagName('temperature')->item(0)->nodeValue ?? 'Unknown';
$pressure = $doc->getElementsByTagName('pressure')->item(0)->nodeValue ?? 'Unknown';
$control_rods = $doc->getElementsByTagName('control_rods')->item(0)->nodeValue ?? 'Unknown';

XML is everywhere, so the next step is clear: test for XXE. The situation here is basic, since the document is loaded with LIBXML_NOENT, so a basic XXE payload using an external entity is enough to get the flag:

And here we go, flag: INTIGRITI{c4r3ful_w17h_7h053_c0n7r0l5_0r_7h3r3_w1ll_b3_4_m3l7d0wn}
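The defensive counterpart, as an added example that is not part of the challenge: the POST branch rewritten so that entities are never expanded. Two measures are combined, refusing any document that carries a DOCTYPE and never passing LIBXML_NOENT; the two sample documents are constructed here and the entity's file path is a placeholder.

```php
<?php
// Added example, not the challenge code: read the reactor readings from
// untrusted XML without ever expanding entities.

function parseReactorXml(string $xmlData): ?array
{
    // Entities can only be declared inside a DOCTYPE, and the sensor feed
    // never needs one, so a document carrying one is refused up front.
    if (stripos($xmlData, '<!DOCTYPE') !== false) {
        return null;
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // collect errors, do not print
    // LIBXML_NOENT is deliberately absent (no entity substitution) and
    // LIBXML_NONET forbids the parser from touching the network at all.
    $ok = $doc->loadXML($xmlData, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->doctype !== null) {
        return null; // malformed, or a DOCTYPE slipped past the text check
    }
    $read = fn(string $tag) => $doc->getElementsByTagName($tag)->item(0)->nodeValue ?? 'Unknown';
    return [
        'temperature'  => $read('temperature'),
        'pressure'     => $read('pressure'),
        'control_rods' => $read('control_rods'),
    ];
}

// Constructed inputs: the normal feed, and a document declaring an
// external entity (placeholder path) of the kind the challenge accepted.
$benign  = '<reactor><temperature>300</temperature><pressure>150</pressure>'
         . '<control_rods>inserted</control_rods></reactor>';
$hostile = '<!DOCTYPE reactor [<!ENTITY x SYSTEM "file:///PLACEHOLDER/path">]>'
         . '<reactor><temperature>&x;</temperature></reactor>';

var_dump(parseReactorXml($benign));  // array with the three readings
var_dump(parseReactorXml($hostile)); // NULL, rejected before parsing
```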

The password hash from auth.js was cracked with crackstation.

That's it, we've reached the end. I hope you enjoyed it, see you! If you have any questions, you can reach me through my social accounts: Twitter(X) | Linkedin | Github | Facebook