# 🚩YCTF0x02

## 1. Easy

**Category:** Reverse Engineering

**Description:** Dude, It's an easy challenge.

**Challenge file: \<link>**

**Credit:** [**Munazir**](https://app.gitbook.com/o/hOqIsjXHa5XG12ypLZ9z/s/YfiZJNM9tM6hwcuBSR4G/)

**Solution:** Executing the binary on Linux prompts for a password.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FeyIrJDNl7DsUcY0xKIHe%2Fimage.png?alt=media&#x26;token=4071205f-f357-4e02-9507-61ebce405813" alt=""><figcaption></figcaption></figure>

Now, run `strings` on the binary to find the exact string the passphrase is matched against.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FtryCu82mMQ3OKgDoIMwn%2Fimage.png?alt=media&#x26;token=7b5780b6-9047-4ec0-880e-8b0dbccacdd9" alt=""><figcaption></figcaption></figure>

We find a strange string, `4/*A1zqi!*9`, just before the Passphrase string. Let's try entering it when asked for the password.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FSu3UcTCpRuNzxygWIA0d%2Fimage.png?alt=media&#x26;token=58944208-5be7-463b-9332-c4f34f41c7e1" alt=""><figcaption></figcaption></figure>

After we enter the passphrase, we get something in hex format.

`594354467b336173795f7233765f643065736e315f723371753172335f627261316e7d`

Pasting it into CyberChef, we get the actual flag.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FdpwCl0QR4pWlgfb60ywC%2Fimage.png?alt=media&#x26;token=560c5f13-de7f-4935-8291-c0bbb5609cc2" alt=""><figcaption></figcaption></figure>

## 2. Never found

**Category:** Miscellaneous

**Description:** My friend is spying on our ycfteam website. But the page he was trying to access was never found later.

**Link:** [**https://ycfteam.in**](https://ycfteam.in)

**Credit:** [**Munazir**](https://app.gitbook.com/o/hOqIsjXHa5XG12ypLZ9z/s/YfiZJNM9tM6hwcuBSR4G/)

**Hint:**

**Solution:** Read the challenge name and description: what do they say?

`Never found` hints at "Not Found". Searching the web archive for the 404 Not Found page at `https://ycfteam.in/404`:

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FniEYtohR0elhTuyprw65%2Fimage.png?alt=media&#x26;token=1135e4fd-3e52-4989-bac2-50d55f33e0d0" alt=""><figcaption></figcaption></figure>

**We get the flag!**

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2F1HA1CxAWBPc0wPflUjj2%2Fimage.png?alt=media&#x26;token=96196898-42c5-4ac9-a494-5a40d25ffb0b" alt=""><figcaption></figcaption></figure>

## 3. Cookie

**Description:** Well, there is only one way to survive.

**Link:** [**https://cookiechallenge.pythonanywhere.com/**](https://cookiechallenge.pythonanywhere.com/)

**Credit:** [**Munazir**](https://app.gitbook.com/o/hOqIsjXHa5XG12ypLZ9z/s/YfiZJNM9tM6hwcuBSR4G/)

**Solution:** Visiting the URL, we get the following page to enter the name. Some of you might think it is vulnerable to XSS. But hold on!

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FXaxZYu13bSiLEFcelImf%2Fimage.png?alt=media&#x26;token=91824608-4d01-4b55-b34d-3c861f791204" alt=""><figcaption></figcaption></figure>

Directory brute-forcing leads to the following result, which reveals `/cookie` and `/robots.txt`.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FBOPv4IfebCpmb99ZSFsn%2Fimage.png?alt=media&#x26;token=a753dce8-829e-4c3d-809b-95b5c3c58ff3" alt=""><figcaption></figcaption></figure>

Visiting `robots.txt`, we get another directory, `/sup3r_s3cr3t_d1r`.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FjVcfnVkiAotaifPF0fNI%2Fimage.png?alt=media&#x26;token=4f3403b0-4b4d-4cb5-bcb9-c0c633ab28dc" alt=""><figcaption></figcaption></figure>

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2Fi6J8TEcMZBFYTZO6QGgI%2Fimage.png?alt=media&#x26;token=1234033f-a3f9-4356-bed1-6c561480d0e5" alt=""><figcaption></figcaption></figure>

Visit the `/cookie` directory to get the cookie, and we get a JWT token.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FfO7zwWT3FAmtvnC0SJxF%2Fimage.png?alt=media&#x26;token=da423d9c-7b91-4652-ab6d-abec8df738ec" alt=""><figcaption></figcaption></figure>

Take the token and paste it into <https://token.dev>, then change the values to `admin: true` and `answer: yes`.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2Ff4s7mubG78ZoD0xFnWGt%2Fimage.png?alt=media&#x26;token=16d06379-c019-423c-9563-7f0f9c759a9c" alt=""><figcaption></figcaption></figure>

Now visit `/cookie` again, replace the cookie with the edited token, and refresh the page.

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FTysCx9Na7Et6q1xOfOGf%2Fimage.png?alt=media&#x26;token=01480f32-98b7-43ab-b29d-bb7b75fa375f" alt=""><figcaption></figcaption></figure>

Then visit the `/sup3r_s3cr3t_d1r` again to get the flag!!!!

<figure><img src="https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2F3MTznitrxQONQO5cKG0r%2Fimage.png?alt=media&#x26;token=ee4f96a5-0250-4752-9f52-2f1d0ee7f148" alt=""><figcaption></figcaption></figure>
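
Why an edited token should not be accepted, as an added example that is not part of the original writeup or the challenge's code: the writeup does not show how the server validates the cookie, so this sketch assumes an HS256-signed JWT and contrasts a check that trusts the decoded payload with one that verifies the signature first. The key, the starting claim values and all function names are constructed for illustration; only the `admin` and `answer` claim names come from the writeup.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: the server's HS256 signing key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 token (constructed sample, not the challenge's token)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = b64url(mac(f"{head}.{body}", key))
    return f"{head}.{body}.{sig}"

def claims_unverified(token: str) -> dict:
    """Weak check: decodes the payload and trusts it, signature ignored."""
    return json.loads(unb64url(token.split(".")[1]))

def claims_verified(token: str, key: bytes = SECRET) -> dict:
    """Hardened check: pin the algorithm, verify the MAC, then parse claims."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(mac(f"{head}.{body}", key), unb64url(sig)):
            raise ValueError("bad signature")
        return json.loads(unb64url(body))
    except (ValueError, AttributeError) as exc:
        raise PermissionError(f"token rejected: {exc}") from None

def edit_payload(token: str, **changes) -> str:
    """Change claims but keep the old signature, as an editor without the key does."""
    head, body, sig = token.split(".")
    claims = {**json.loads(unb64url(body)), **changes}
    return f"{head}.{b64url(json.dumps(claims).encode())}.{sig}"

issued = sign({"admin": False, "answer": "no"})  # constructed starting claims
edited = edit_payload(issued, admin=True, answer="yes")
```

`claims_unverified(edited)` returns the edited claims, while `claims_verified(edited)` raises `PermissionError` because the signature no longer matches the payload.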

## 4. IE10.1

**Description:** Don't run away from problems; facing and solving them is the key to success.

**Link**: <http://yctfinternet.liveblog365.com/>

**Credit:** Gourav Suram

**Writeup link:** [**https://heapbytes.gitbook.io/notes/ctf-writeups/2023-ctfs/yctf-week-2-9-dec-23/web-security**](https://heapbytes.gitbook.io/notes/ctf-writeups/2023-ctfs/yctf-week-2-9-dec-23/web-security)

## 5. Confluence

**Description:** Help my friend to download the flag.

**Link:** [**http://139.59.45.27:8090/admin/flag.tar.gz**](http://139.59.45.27:8090/admin/flag.tar.gz)

**Credit:** [**Munazir**](https://app.gitbook.com/o/hOqIsjXHa5XG12ypLZ9z/s/YfiZJNM9tM6hwcuBSR4G/)

**Writeup credit:** Gourav Suram

**Writeup link:** [**https://heapbytes.gitbook.io/notes/ctf-writeups/2023-ctfs/yctf-week-2-9-dec-23/web-security/confluence**](https://heapbytes.gitbook.io/notes/ctf-writeups/2023-ctfs/yctf-week-2-9-dec-23/web-security/confluence)

## 6. VM Writeup
