S3CR3T - CTF 44

IHC Blog
CTF Name: S3CR3T
Topic: Web Exploitation
Level: Beginner
Flag Format: IHC_CTF{}

Description: 
Visit the following site and find the secret folder to get the flag.

Solution:
When we open the challenge site link, the web page shows us:

Find the secret folder and access this folder with proper permission
 
To find the secret folder, we check robots.txt by adding "/robots.txt" to the website's address.

In the robots.txt file, we find two paths: "/admin.php" and "index.txt". But when we try to go there, it says we don't have permission.

We notice that the file lists index.txt where we would expect index.php, so we try the same substitution on /admin.php and change it to /admin.txt.

When we visit that, we see this:

if user == admin {
    url.open("/S3CR37")
} else {
    print("You have no permission")
}

After opening the path "/S3CR37", we see this text:
"You're almost there. Try hard."

Checking the cookies, we find one named "user" whose value is "user".
We change the value to "admin", and the page shows us the flag.

flag: IHC_CTF{Y0U_G07_P3RM15510N_201}
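
The root cause is that the server authorizes on a cookie value the browser can edit. The sketch below is an added example, not code from the challenge or from this write-up: it puts the check from admin.txt next to a version that only accepts a role carrying a server-side HMAC tag. It is written in Python for illustration, and SERVER_KEY and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret key generated and kept on the server only.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookies(header):
    """Parse a Cookie request header into a dict of name -> value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def is_admin_weak(cookie_header):
    """The check shown in admin.txt: trusts a value the client controls."""
    return parse_cookies(cookie_header).get("user") == "admin"


def issue_cookie(role, key=SERVER_KEY):
    """Value the server sets after login: role plus an HMAC-SHA256 tag."""
    tag = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def is_admin_hardened(cookie_header, key=SERVER_KEY):
    """Accept the role only if its tag verifies under the server key."""
    value = parse_cookies(cookie_header).get("user", "")
    role, sep, tag = value.rpartition(".")
    if not sep:
        return False  # bare "admin" with no tag is rejected
    expected = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the supplied tag with the expected one.
    tag_ok = hmac.compare_digest(tag.encode(), expected.encode())
    return tag_ok and role == "admin"
```

Keeping the role in a server-side session and sending only an opaque session ID avoids putting the role in the cookie at all. The backup copies (/admin.txt, index.txt) and the robots.txt entries that point at them should also be removed from the web root.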