Web Exploitation
{"authors": ["ret2basic"]}
login
Solved by ret2basic
Challenge
My dog-sitter's brother made this website but I can't get in; can you help?
login.mars.picoctf.net
Source Code
'use strict';
(async() => {
  // Wait for the page to finish loading before attaching the handler.
  await new Promise((e) => {
    return window.addEventListener("load", e);
  });
  document.querySelector("form").addEventListener("submit", (event) => {
    event.preventDefault();
    const ids = {
      u : "input[name=username]",
      p : "input[name=password]"
    };
    const params = {};
    for (const i in ids) {
      // Base64-encode each field and strip the "=" padding.
      /** @type {string} */
      params[i] = btoa(document.querySelector(ids[i]).value).replace(/=/g, "");
    }
    // The credential check runs entirely in the browser against hardcoded Base64 strings.
    return "YWRtaW4" !== params.u
      ? alert("Incorrect Username")
      : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== params.p
        ? alert("Incorrect Password")
        : void alert(`Correct Password! Your flag is ${atob(params.p)}.`);
  });
})();
Solution
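The username and password are hardcoded in the client-side script as Base64 strings with the "=" padding stripped. Base64-decode the password string to get the flag.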
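The decoding step as an added example (not part of the original writeup): a Node.js sketch that scans script source for string literals that decode as unpadded Base64, which is also how a reviewer can spot credentials embedded in client-side code. The function names and SAMPLE_SOURCE are assumptions constructed for illustration; SAMPLE_SOURCE is abridged from the comparison line above.

```javascript
// Added example: find Base64-encoded string literals in client-side JavaScript.
// SAMPLE_SOURCE is constructed (abridged) from the challenge's comparison line.
const SAMPLE_SOURCE =
  'return "YWRtaW4" !== params.u ? alert("Incorrect Username") : ' +
  '"cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== params.p ' +
  '? alert("Incorrect Password") : void 0;';

// The page strips "=" with .replace(/=/g, ""), so padding must be restored first.
function decodeUnpadded(b64) {
  // Reject non-Base64 alphabets and lengths that no padding can make valid.
  if (!/^[A-Za-z0-9+/]+$/.test(b64) || b64.length % 4 === 1) return null;
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Buffer.from(padded, "base64");
  // Round-trip check: Buffer decodes leniently, so confirm canonical encoding.
  if (bytes.toString("base64") !== padded) return null;
  const text = bytes.toString("latin1");
  // Keep only results that are printable ASCII, to cut false positives.
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Extract quoted literals (naive regex, not a full JS parser) and try each one.
function findEncodedLiterals(source, minLength = 6) {
  const findings = [];
  const literal = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
  for (const match of source.matchAll(literal)) {
    const value = match[2];
    if (value.length < minLength) continue;
    const decoded = decodeUnpadded(value);
    if (decoded !== null) findings.push({ encoded: value, decoded });
  }
  return findings;
}

for (const f of findEncodedLiterals(SAMPLE_SOURCE)) {
  console.log(`${f.encoded} -> ${f.decoded}`);
}
```
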
caas
Solved by ret2basic
Challenge
Now presenting cowsay as a service
Source Code
Solution
Command injection:
