
PicoCTF2018 – Web – Buttons



Objective:
There is a website running at http://2018shell.picoctf.com:18342 (link [1]). Try to see if you can push their buttons.

Hints:
What's different about the two buttons?


Solution:


Okay, let’s walk through this site and see what we find.

The first page is a button; there is nothing interesting in its source code.
The second page has a hyperlink named Button2 pointing to button2.php:

You did it! Try the next button: <a href="button2.php">Button2</a>

This button loads up a page named boo.html, which loads a rickroll.
But there is also a message saying:

FORM DISABLED. THIS INCIDENT HAS BEEN LOGGED AND REPORTED TO /dev/null

Let’s look at the source here.

This looks interesting:
<form action="button2.php" method="POST">
The form submits to button2.php using the POST method.

Let’s load up Burp Suite and see what we can see.

The site map shows the request for button2.php using GET:

GET /button2.php HTTP/1.1
Host: 2018shell.picoctf.com:18342
User-Agent: Mozilla/5.0 (Linux; Android 7.0; PLUS Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://2018shell.picoctf.com:18342/button1.php
Cookie: _ga=GA1.2.2071281686.1569426948; _gid=GA1.2.36376701.1569426948
Connection: close
Upgrade-Insecure-Requests: 1

But according to the source of boo.html, it wants a POST, not a GET.

Let’s send the request over to Repeater in Burp Suite and change it to POST.

Starting from the original request, let’s change GET to POST and send it to button2.php.

Got the flag back:

HTTP/1.1 200 OK
Content-type: text/html; charset=UTF-8

Well done, your flag is: picoCTF{button_button_whose_got_the_button_25a99f84}
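
The behaviour the walkthrough relies on, reproduced against a local stand-in so it runs offline. This is an added example, not the challenge's server code: the handler, its response strings and the placeholder flag are constructed. It shows that the link and the form reach the same URL and differ only in the HTTP method, which the client chooses, so a method check is not an access control.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class Button2Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for button2.php: it branches only on the HTTP method."""

    def _reply(self, body):
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # What following <a href="button2.php"> sends
        self._reply("FORM DISABLED")

    def do_POST(self):
        # What submitting <form action="button2.php" method="POST"> sends
        self._reply("Well done, your flag is: PLACEHOLDER_FLAG")

    def log_message(self, *args):
        pass  # keep the demo output quiet


def request_with_method(method, path="/button2.php"):
    """Serve the stand-in on a free local port, send one request, return (status, body)."""
    server = HTTPServer(("127.0.0.1", 0), Button2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request(method, path)  # same URL and headers; only the method differs
        resp = conn.getresponse()
        result = (resp.status, resp.read().decode())
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method in ("GET", "POST"):
        print(method, request_with_method(method))
```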


