USCG IV: Web
Last updated
Open, (room, author) : Web (category) : Ding-O-Tron (title) : "What came first? The ding…or the flag? https://uscybercombine-s4-web-ding-o-tron.chals.io"
Solution: This one can be solved in Firefox DevTools "Console" by running a JavaScript function (i.e. superSecretFunction_aedc5da1f121b797). BUT GETTING THERE IS A JOURNEY. We're told that 9000+ clicks of a bell can trigger the flag. So I tried: a) changing the HTML counter to "9001" in Inspector, b) changing the HTML counter to "8999" before clicking the bell twice, and c) creating a script to run the onclick="window.ding()" function overnight. NONE OF THESE WORKED.
Then I noticed that "giveFlag()" was commented out of the main.js file, all the way at the bottom. BUT IT WAS A TRICK. Running that in "Console" triggered a .wav file of the . And this message: "[LOL] Did you think it would be that easy? Can you find my secret hidden function?"
Doing a search for "secret" in Debugger or just trying the autocomplete in Console (which the creator had intended) doesn't work. The better choice is to type "window" in the console to get an expandable tree of all the global properties and functions. This reveals a "superSecretFunction", along with its 'dynamic function name' (a random string). Running that in Console prints the flag.
Alternative: 10splayaSec says "you can also list all the functions in the console and see there was a secret function" by running:
For functions with their values, run "keys(window)" or:
Flag: SIVUSCG{d1ng_d1ng_d1ng_d1ng}
===
Beginner's, N/A (room, author) : Web (category) : Touch-Grass (title) :
"ARIA has ordered you to touch grass. Now you actually have to do it. Make up for all the times you haven't touched it. https://uscybercombine-touch-grass.chals.io"
Solution: Get into the site by registering as a user, then create an admin account. As an admin, increase a web counter over 100000 times for the flag. On the homepage, clicking on "Grass Dashboard" (aka '/dashboard') gets us the login page (aka '/login'). From there, a "Register" button takes us to a "User Registration" page (aka '/register'). When we look at the DevTools "Debugger" or "Network" tab, we'll notice "register.js" gets loaded along with '/register'. "register.js" handles user registration. It takes the data from the form you filled out, sends it (via a POST request) to '/api/register' as a JSON string, and if the web server says OK (aka Response code "200"), it takes you back to '/dashboard', but as a logged-in user. Most importantly, it mentions a hidden page specifically for admin user registration (aka '/admin/api/register'):
I filled out the registration form as a user named "Harold Finch", "hfinch", with the password "Machine". The site gets these as a JSON string: {"username": "hfinch", "first_name": "Harold", "last_name": "Finch", "password": "Machine"} (NOTE: While the '/register' page has no character limit, '/login' strangely has a "Max-Length" of "6" for passwords. Unfortunately, my password is more than 6 characters. To bypass this, I must change the Max-Length using the DevTools "Inspector" tab whenever I log in.)
Viewing '/dashboard' as a registered user, its source code now reveals how the "Touch Count" counter works, which is by sending POST requests to '/api/click':
<!-- Put clickable image of grass here. Need javascript to send POST when clicked -->
<!-- New click API at /api/click, remove the admin version ASAP -->
Opening '/api/click' in the browser sends a GET request, so it gives a 405 "Method Not Allowed" error. Using the DevTools "Network" tab, I can right-click and "Edit and Resend" this request using POST. This time, it gives a 401 "Unauthorized" error and a JSON Response that "Input must be JSON". I realize I need to be an admin and find out what the JSON string for 'click' should look like.
To create an admin user, I do "Edit and Resend" on '/register' and craft my request. For the request to work, I must:
* Ensure "Content-Type" is set to "application/JSON"
* Ensure the "Cookie" session ID value is included
* Ensure it's a POST request
* Change the endpoint from '/register/' to '/admin/api/register'
* Include this JSON string in the "Body": {"username": "bear", "first_name": "good", "last_name": "dog", "password": "bone"}
* Ensure every term in that JSON string is in quotes so JSON can read it
When it works, I get a JSON Response of "Registration successful".
I log in as my admin account "bear" and do a POST request to '/api/click' by modifying the '/dashboard' request using "Edit and Resend". Again, ensure "Content-Type" and "Cookie" are included. In the "Body", {"username":"bear"} is required for this to work. When it works, we get the message: "API Deprecated, please use the Admin API". I guess the Admin API must be '/admin/api/click' and resubmit my request, but that gives "Missing count Parameter". So I change the JSON string in the "Body" to: {"username":"bear", "count":"100001"}. Now the message is "Count updated"! Refresh the '/dashboard' page and the flag appears!
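The two weaknesses the walkthrough above relies on are an admin-registration endpoint that any caller can reach, and a click endpoint that trusts the request body for both the acting username and the new count. The following is an added example written for this writeup, not the challenge's real back end: a small in-memory Python stand-in that shows each weak handler next to its hardened form. Everything in it (the GrassServer class, the bootstrap admin account, the FLAG placeholder, and passwords stored in the clear to keep it short) is an assumption for illustration.

```python
import secrets
from dataclasses import dataclass

THRESHOLD = 100000              # the challenge's "over 100000" touch condition
FLAG = "FLAG_PLACEHOLDER"       # placeholder; not the challenge flag


@dataclass
class User:
    username: str
    password: str   # stored in the clear only to keep the example short; hash in real code
    role: str       # "user" or "admin"
    touch_count: int = 0


class GrassServer:
    """Hypothetical in-memory stand-in for the challenge back end (not its real code)."""

    def __init__(self, bootstrap_admin_password: str):
        self.users: dict[str, User] = {}
        self.sessions: dict[str, str] = {}   # session id -> username
        # The hardened design needs its first admin created out of band, never via the API.
        self.users["admin"] = User("admin", bootstrap_admin_password, "admin")

    def register(self, body, role="user"):
        """Shared registration logic; the role is decided by the caller, never by the body."""
        if not isinstance(body, dict):
            return 401, {"error": "Input must be JSON"}
        for key in ("username", "password"):
            if not isinstance(body.get(key), str) or not body[key]:
                return 400, {"error": f"missing {key}"}
        if body["username"] in self.users:
            return 409, {"error": "username taken"}
        self.users[body["username"]] = User(body["username"], body["password"], role)
        return 200, {"message": "Registration successful"}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user.password != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def _caller(self, sid):
        name = self.sessions.get(sid)
        return self.users.get(name) if name else None

    # Weak pattern 1: an admin registration endpoint that anyone can reach.
    def admin_register_vulnerable(self, body):
        return self.register(body, role="admin")

    # Hardened: only an authenticated admin may create another admin.
    def admin_register(self, sid, body):
        caller = self._caller(sid)
        if caller is None or caller.role != "admin":
            return 403, {"error": "admin only"}
        return self.register(body, role="admin")

    # Weak pattern 2: identity and the new count both come from the client.
    def click_vulnerable(self, body):
        user = self.users.get(body.get("username", ""))
        if user is None:
            return 404, {"error": "no such user"}
        if "count" not in body:
            return 400, {"error": "Missing count parameter"}
        user.touch_count = int(body["count"])
        return 200, {"message": "Count updated"}

    # Hardened: identity comes from the session and the server owns the counter.
    def click(self, sid):
        caller = self._caller(sid)
        if caller is None:
            return 401, {"error": "Unauthorized"}
        caller.touch_count += 1
        return 200, {"count": caller.touch_count}

    def dashboard(self, sid):
        caller = self._caller(sid)
        if caller is None:
            return 401, {"error": "Unauthorized"}
        body = {"touch_count": caller.touch_count}
        if caller.touch_count > THRESHOLD:
            body["flag"] = FLAG
        return 200, body


if __name__ == "__main__":
    srv = GrassServer("change-me")
    srv.register({"username": "hfinch", "password": "Machine"})
    sid = srv.login("hfinch", "Machine")
    print(srv.admin_register(sid, {"username": "bear", "password": "bone"}))        # 403
    print(srv.admin_register_vulnerable({"username": "bear", "password": "bone"}))  # 200
    print(srv.click_vulnerable({"username": "hfinch", "count": "100001"}), srv.dashboard(sid))
```

The hardened handlers never read a username or a count from the body: the session decides who is acting, and the server increments the counter itself, so a single crafted request can no longer jump straight past the threshold or act on another user's account.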
Flag: SIVBGR{T0uch_1t}
===
Beginner's, N/A (room, author) : Web (category) : Parts Shop (title) :
"We’ve found an online shop for robot parts. We suspect ARIA is trying to embody itself to take control of the physical world. You need to stop it ASAP! (Note: The flag is located in /flag.txt) https://uscybercombine-s4-parts-shop.chals.io"
Solution: Exploit an XXE (i.e. "") injection vulnerability to get the flag.
On the homepage, there's inline JavaScript mentioning '/parts' and '/blueprint'. '/blueprint' shows a form that creates the entries you see on the homepage. This form uses inline JavaScript to submit the data you entered in the form as an XML "payload":
Navigating to '/parts' reveals XML-coded text, which is the same text that shows up on the homepage:
The first three "id" values of "parts" are "1" through "3", and the one I created is "8494". What matters here is that we can talk to the web server using XML data. This means the site is vulnerable to an attack.
In , my "8494" payload to '/blueprint' should've saved to my Firefox DevTools, so I could conveniently "Edit and Resend". But it only saved the POST request. So I crafted the payload with the malicious injection from scratch before sending it as a "New Request" in the "Network" tab:
Refreshing the homepage will show us the flag.
Alternative: The payload as a cURL command:
Flag: SIVBGR{fu11y_upgr4d3d}
Further Reading: BlueDolphin (aka CyberDonald aka ) did a deeper dive on JavaScript functions .
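The Parts Shop falls because its XML parser honours a DOCTYPE with a SYSTEM entity, which is what lets a submitted blueprint pull in a server-side file. The example below is added for this writeup and is not the challenge's code: a Python parser for a hypothetical <part> document (the <name>/<price> fields are an assumption, as is the constructed sample input) that rejects any DTD or entity declaration before a single element is read, the same defence defusedxml applies with forbid_dtd and lxml with resolve_entities=False.

```python
import xml.parsers.expat as expat

# Constructed sample inputs (not captured from the challenge): an ordinary part entry,
# and one carrying a DOCTYPE with an external entity, which is the XXE shape.
BENIGN_PART = b"<part><name>servo</name><price>12</price></part>"
XXE_PART = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE part [<!ENTITY xxe SYSTEM "file:///flag.txt">]>'
            b"<part><name>&xxe;</name><price>1</price></part>")

ALLOWED_FIELDS = {"name", "price"}   # assumption: the shop only needs these two fields


class UnsafeXml(ValueError):
    """Raised when a document declares a DTD or entity (XXE / entity-expansion risk)."""


def parse_part_xml(data: bytes) -> dict:
    """Parse a <part> document into a dict, refusing any DTD or entity declaration.

    Refusing the DOCTYPE up front means there can be no SYSTEM entity to resolve,
    and no internal entity to expand, so neither file disclosure nor billion-laughs
    style expansion is reachable through this parser.
    """
    parser = expat.ParserCreate()
    fields: dict = {}
    current: list = []   # element whose character data is being collected
    buf: list = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXml("DOCTYPE declaration rejected")

    def on_entity_decl(*args):
        raise UnsafeXml("entity declaration rejected")

    def on_external_entity(context, base, system_id, public_id):
        # Never fetch external resources on the parser's behalf.
        raise UnsafeXml("external entity reference rejected")

    def on_start(name, attrs):
        if name in ALLOWED_FIELDS:
            current.append(name)
            buf.clear()

    def on_chardata(text):
        if current:
            buf.append(text)   # expat may deliver text in several chunks

    def on_end(name):
        if current and current[-1] == name:
            fields[name] = "".join(buf).strip()
            current.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chardata
    parser.EndElementHandler = on_end
    parser.Parse(data, True)   # exceptions raised in handlers propagate out of Parse

    missing = ALLOWED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return fields


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the hardened parser, False if it is rejected."""
    try:
        parse_part_xml(data)
        return True
    except (UnsafeXml, expat.ExpatError, ValueError):
        return False


if __name__ == "__main__":
    print(parse_part_xml(BENIGN_PART))   # {'name': 'servo', 'price': '12'}
    print(is_accepted(XXE_PART))         # False
```

Rejecting the DOCTYPE outright is the simplest correct policy for an endpoint like '/blueprint' that only ever expects a handful of plain fields; a request that arrives with one is also a useful signal to log, since legitimate clients of such a form have no reason to send a DTD at all.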