Introduction

This year again, I was happy to be part of the organization committee for the GreHack conference and I created some challenges for the CTF. Organization was tricky this year, given that we had grown and sold almost 3x as many tickets as in previous years. Thanks to all the participants, organizers and sponsors, the event was once again completely insane 🔥 💚

Challenge

  • Name : Smash or Cache
  • Category : Web
  • Difficulty : Easy
  • Solves : 3
  • Points : 499
  • Author : Nishacid

Have you ever wondered whether a robot smashes you or passes you? With this revolutionary, speed-optimized app, it’s time to find out whether or not you could have won its heart.

Solve

This challenge is a simple web app that allows you to pass a name to the server, and it will return whether the name is a smash or pass.

After a quick analysis of the HTTP headers, we can see that the application caches every request that contains a GET parameter, and keeps it in the cache for 30 seconds.

We can also see that the application sets a tracking cookie, and makes a POST request to /monitoring with the cookie and the result. The cookie value is stored in the JavaScript source code, which is cached along with the rest of the response.

Using a new cache buster, we can inject a value into the cookie, which is reflected into the JavaScript source code and kept in the cache.

Which gives us an alert.

According to this, we can craft a payload to exfiltrate the cookie of the bot.

We now need to send it to the bot with the report page, and wait for the flag.

After URL-decoding the flag, we can see the final flag.

  • Flag : GH{f0r_m3_iT_w1ll_b3_a_c4cH3<3}
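The root cause is a cache key that ignores the cookie while the response body depends on it. The following is an added example, not the challenge's source code: an in-memory model of that behaviour next to a corrected one. The names `render`, `makeCache`, `scenario`, the `tracking` variable and the sample URL and cookie values are assumptions made for illustration.

```javascript
// Added example: model of a cache whose key ignores a cookie that is
// reflected into inline JavaScript. All names and values are constructed.

// Builds the page; the tracking cookie ends up inside a JS string literal.
function render(cookie, escape) {
  // Safe form: JSON.stringify yields a valid JS string literal, and "<" is
  // escaped so the value cannot close the surrounding <script> element.
  const value = escape
    ? JSON.stringify(cookie).replace(/</g, "\\u003c")
    : `"${cookie}"`; // weak form: raw concatenation
  return `<script>const tracking = ${value};</script>`;
}

// Cache in front of render(); the TTL matches the 30 seconds seen in the headers.
function makeCache({ keyOnCookie, escape, ttlMs = 30000 }) {
  const store = new Map();
  return function get(url, cookie, now) {
    // Weak form keys on the URL only, so the cookie is an unkeyed input.
    const key = keyOnCookie ? `${url}|${cookie}` : url;
    const hit = store.get(key);
    if (hit && now - hit.at < ttlMs) return { body: hit.body, cached: true };
    const body = render(cookie, escape);
    store.set(key, { body, at: now });
    return { body, cached: false };
  };
}

// Two visitors request the same URL one second apart with different cookies.
function scenario(opts) {
  const get = makeCache(opts);
  const url = "/?name=bob&cb=1";        // constructed URL with a cache buster
  const injected = 'x";marker();//';    // constructed cookie value with a quote
  get(url, injected, 0);                // first visitor fills the cache
  const second = get(url, "visitor-2", 1000);
  return {
    breaksOut: second.body.includes(injected), // raw value left the string literal
    sharedAcrossUsers: second.cached,          // second visitor got the first one's page
  };
}

console.log("url-only key, raw reflection :", scenario({ keyOnCookie: false, escape: false }));
console.log("url-only key, escaped        :", scenario({ keyOnCookie: false, escape: true }));
console.log("cookie in key, escaped       :", scenario({ keyOnCookie: true, escape: true }));
```

Escaping alone stops the injected value from leaving the string literal, but the second visitor still receives a page built from someone else's cookie; the response must also be keyed on the cookie (for example via `Vary: Cookie`) or excluded from the shared cache.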

Resources