Sharing Thought Process via Tackling Relatively Easy Challenges
Omar Mohamed
In the name of Allah, the Most Gracious, the Most Merciful

Hello there! It's Omar. Welcome again to another writeup. First thing, I wanna congratulate you on the month of Ramadan. May Allah accept our fasting and prayers 🌙.
In this writeup we will tackle some relatively easy challenges from ApoorvCTF 2025 but with our thought process along the way. I always needed some writeups like this when I was starting out. So, I hope this will be helpful for you.
There will be 3 types of challenges we will go through: a simple one, a slightly technical one, and one that involves something new to us. Let's get started.
Content
- SEO CEO - Web (Straightforward)
- Blog-1 - Web (A bit technical)
- Ghosted on the 14th - Misc (Wireshark)
SEO CEO
For the first challenge, when I visited the URL I started clicking buttons, looking for some functionality.

I didn't come across anything from the buttons; they were just blank ones.
In these situations, if there is no direct functionality, the purpose might be some enumeration or a CVE for some old software in use.
I took a look at the page source but there wasn't much there, and the JS files didn't have anything useful for us either.
Since brute-forcing is usually not allowed, I tried the first path that came to my mind, robots.txt.
A fake flag. Next I went for the second path that came to my mind, sitemap.xml.
There was this weird path: goofyahhroute.
Since he said "it's a yes or no question yeah?", I added ?flag=yes to the URL and got the flag: apoorvctf{s30_1snT_0pt1onaL}
Easy enough? Let's move to the next challenge.
Blog-1
This one is more technical.
First when I visited the url, there was a login form. It seems like it will be some kind of application here with functionalities.
In these situations, I just use the app normally to get a bird's eye view of the application. Burp is working in the background to save our history for us later.
Also another useful thing is writing possible attack vectors and ideas when exploring the application.
For example, here we have a login page, so I thought that I might need to access an admin account. Might it have SQL injection? Maybe not, because this is a NextJS app and probably immune to it. (You can use an extension like Wappalyzer to know the technologies used in the app.)
I registered and logged in, and there was my blog posts page

We can add a new post, and we have a Daily Rewards button.
I can get a daily reward if I write 5 posts, let's try that.
I added the first post with no problem, but on the second post I got this warning: Only one blog per day is allowed!
There was also comments functionality. Could it have something to do with XSS to steal a cookie? This feature didn't work though; I got an error whenever I added a comment.
That was pretty much it from the UI, now let's move to Burp for a deeper look.

From a first look at the history, we can see API versions: /api/v1 and /api/v2. It might be a versioning issue. An old version might leak something.
The requests themselves had an Authorization header with a JWT token, so it might be a JWT-related challenge. (Notice I am writing down all my thoughts and ideas.)
I checked the requests and came across this one:

In the add-blog request, a date is passed in the body. I tried to change it to the next day to see if I could bypass the daily limit, but it didn't work.
For this kind of functionality that has a limit, you can try a race condition.
So far we have some notes and ideas to try:
- Is it an admin account takeover?
- Is there an SQL injection?
- Is there an XSS in comments?
- Is it a JWT-related challenge?
- Is there an API versioning issue?
- Is there a Race Condition?
Now go through them and try different techniques. I went with the race condition one first because I suspected the Daily Rewards functionality: if I could bypass the limit, I could get the flag.
I made a new account and sent a request to add a post. I intercepted the request in Burp before it went to the server, to potentially exploit it via a race condition.
We can implement a race condition in many ways, but I used Burp's tab group feature.
First make 5 copies of the request, then click on the + -> Create tab group

Choose all 5 requests and click create.
Now next to the Send button, click on the down arrow and choose the last option: Send group in parallel. Now send.
When we get the responses, we notice 201 Created in all of them, which indicates success. Back on the website, click on Daily Rewards, and we get a YouTube link.
And..

It's a joke from the author 🙂. Frankly.. it was unexpected 😆, It's like he Rickrolled you but Skibidi Toilet version 😂😂
Back to the Daily Rewards request: we notice its endpoint is /api/v2/gift. Change it to /api/v1/gift (the old version) and we get the flag! apoorvctf{s1gm@_s1gm@_b0y}
We got lucky there that the first technique we tried worked. But if it didn't, you have the notes you wrote, play around with them until you figure it out.
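Why five parallel requests all came back 201 Created despite the one-post-per-day limit, shown as an added example (not the challenge's code): a check-then-act handler beside a version where a uniqueness constraint makes the decision. The in-memory store, the function names and the 429 status are assumptions made for illustration.

```javascript
// Constructed stand-in for the posts table; each call yields to the event
// loop the way a real database round trip would.
const tick = () => new Promise((resolve) => setTimeout(resolve, 0));

function makeStore() {
  const rows = [];
  const keys = new Set(); // models a UNIQUE (user, day) index
  return {
    rows,
    async countFor(user, day) {
      await tick();
      return rows.filter((r) => r.user === user && r.day === day).length;
    },
    async insert(user, day) { await tick(); rows.push({ user, day }); },
    // Check and write happen in one step with no await in between,
    // like an INSERT that the unique index can reject.
    async insertUnique(user, day) {
      await tick();
      const key = `${user}|${day}`;
      if (keys.has(key)) return false;
      keys.add(key);
      rows.push({ user, day });
      return true;
    },
  };
}

// Check-then-act: parallel requests all read count 0 before any insert lands.
async function addPostRacy(store, user, day) {
  if ((await store.countFor(user, day)) > 0) return 429; // assumed status
  await store.insert(user, day);
  return 201;
}

// Hardened: the day comes from the server clock and the constraint decides.
async function addPostAtomic(store, user, now = new Date()) {
  const day = now.toISOString().slice(0, 10);
  return (await store.insertUnique(user, day)) ? 201 : 429;
}

// Fire n copies of one request at once, as "Send group in parallel" does.
async function sendInParallel(handler, n) {
  const store = makeStore();
  const statuses = await Promise.all(Array.from({ length: n }, () => handler(store)));
  return { created: statuses.filter((s) => s === 201).length, rows: store.rows.length };
}

sendInParallel((s) => addPostRacy(s, 'user1', '2025-03-01'), 5).then((r) => console.log('racy', r));
sendInParallel((s) => addPostAtomic(s, 'user1'), 5).then((r) => console.log('atomic', r));
```

In a real database the same effect comes from a unique index on (user, day) or from doing the count and the insert inside one serializable transaction.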
Ghosted on the 14th
Next let's talk about when you find something new which you know nothing about. In this example, for me it was Wireshark. All I knew was that it's a packet sniffer.
In this challenge I was given a file: chall.pcap (Download here)
I opened it with Wireshark

I saw a lot of packets and didn't know what to do with them, so.. I went to Google and started familiarizing myself with it. I also looked up some other CTF challenges that Wireshark was involved in.
Some tips I got out were to filter the packets, look for HTTP requests, look for plain text, and even go through them manually.

This is the URL I found when I filtered HTTP requests: 172.200.32.81:8080. I visited it but got nothing. No response.
I continued by going through them manually, and eventually I found this:

It is kind of a message from someone called hawk1. It mentioned the same website URL I visited before.
Next I filtered by the text hawk: tcp contains "hawk" and found this:
4 matches, and one of them mentioned a deletion.. so I thought about visiting the Wayback Machine to see if I could find it before it was deleted.
And hell yeah! I was right

Viewed the page source and found a base64 encoded string:
YXBvb3JjdGZ7MW1fZzAxbmdfMW41YW4zfQ
Decoded it and got the flag:
apoorvctf{1m_g01ng_1n5an3}
And that's it for this writeup. Hope you learned a thing or two from it. If you have any questions or need help, feel free to reach out to me on Twitter.