Tags: web
# Description
Groot is in dire need of some crucial intel about the Bank of Knowhere, but they only share such classified information with their inner circle. In order to become a member of their inner circle, one must have at least 2000₳ - Units in their bank account. Can you lend a hand to Groot in acquiring this information? Remember, as Peter Quill once said, "We're the frickin' Guardians of the Galaxy, we're supposed to protect the galaxy, not destroy it!"
http://knowhere.hackers.best:31337/ OR spaceheroes-bank-of-knowhere.chals.io
# Solution
## Recon
- First we head to the link and we're greeted with this webpage :
- The source code has nothing interesting as it's just HTML
- Navigating to http://knowhere.hackers.best:31337/robots.txt, we see this :
- Interesting! Now if we navigate to http://knowhere.hackers.best:31337/admin.php we see this :
## Trial and error
- This challenge slapped me in the face and then threw me with all my pentesting knowledge out of the window, I completely failed this challenge x)
- My initial plan was to intercept the request using Burp Suite and change some parameter, I went ahead and did exactly that :
- But then I was quickly slapped in the face with this response :
- Welp, that was awful ^^', let's try to URL encode the receiver or add a null byte :
- It didn't quite like it...
- I literally ran out of ideas for like a whole day, then tried something that seemed to be stupid at first, but I quickly recognized the vulnerability as parameter injection!
# Execution
- The solution was to add another receiver to the parameters. Because the server checks only the first valid match, we can add "Groot" as our second receiver :
- Now if we check, we see that "Groot" has more than 2000 units :
- Navigating to http://knowhere.hackers.best:31337/admin.php again, we are greeted with this amazing webpage :
# Flag
shctf{7h3_c0sm0s_1s_w17h1n_u5}
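
The duplicate-receiver behaviour from the Execution section, seen from the defender's side, as an added example (not the challenge's source code, which this writeup does not show). The parameter names, account names and allow-list are constructed, and the split between a first-match check and a last-wins transfer is an assumption about how such a bug arises.

```python
from urllib.parse import parse_qsl

# Constructed request body; the real parameter names are not shown on the page.
POLLUTED = "sender=quill&receiver=rocket&receiver=Groot&amount=2000"
CLEAN = "sender=quill&receiver=rocket&amount=2000"
ALLOWED_RECEIVERS = {"rocket"}  # hypothetical allow-list used by the check


def first_value(body, key):
    """Value a validator sees when it stops at the first match."""
    for k, v in parse_qsl(body, keep_blank_values=True):
        if k == key:
            return v
    return None


def last_value(body, key):
    """Value a last-wins parser (PHP's $_POST/$_GET behave this way) returns."""
    found = None
    for k, v in parse_qsl(body, keep_blank_values=True):
        if k == key:
            found = v
    return found


def vulnerable_transfer(body):
    # Assumed flaw: the check and the transfer read different occurrences.
    if first_value(body, "receiver") not in ALLOWED_RECEIVERS:
        return "rejected"
    return "credited " + last_value(body, "receiver")


def strict_params(body):
    """Parse once and refuse any repeated key, so only one view of the input exists."""
    params = {}
    for k, v in parse_qsl(body, keep_blank_values=True):
        if k in params:
            raise ValueError("duplicate parameter: " + k)
        params[k] = v
    return params


def hardened_transfer(body):
    try:
        params = strict_params(body)
    except ValueError:
        return "rejected"
    if params.get("receiver") not in ALLOWED_RECEIVERS:
        return "rejected"
    return "credited " + params["receiver"]
```

The fix is not a better filter on the first value: validation and business logic must consume the same parsed object, and requests with repeated scalar parameters are worth rejecting and logging.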