Labyrinth web challenge write-up

Hello hackers, this is the solution to the challenge I posted last night, thanks to all people who played the challenge!

Eddie Mora
4 min readSep 6, 2020

So the first step was to check the link of the challenge: http://192.171.20.103/Challenge1/

As you can see a simple page with some images from HxH anime, let's check the source code of the page!

Nothing interesting but this comment :

It's like talking about something like robot… Let's check the robots.txt file if exist

As expected here is the Robots.txt file and there is a special path inside lets check it together :

Its a login panel!

So basically any hacker will try random credentials, also some SQLI payloads, but in this case no one of this tricks will work, so let's check the cookies sessions generated after login as a guest

As you can see there is a cookie called ‘auth’ and its encrypted let's decrypt it

from URL encoding to txt it gives this: MTU5OTQyODU3ODpndWVzdA==

its base64 so from base64 to txt it gives this: 1599428578:guest

The trick here is to change the guest with admin and encode it to base64 and URL encoded format again then put it as the new cookie value and refresh!

here's the result after doing all this :

we are now admin, and we have some interesting stuff, some encoded strings

01000011 01010010 01001001 01010011 01001001 01010011 01000011 01010100 01000110 01111011 01001000 00110100 01101100 01100110 01011111 01001000 01110101 01101101 01100001 01101110 01011111 01000000 01011111
WW91IGdldCB0aGUgc2Vjb25kIHBhcnQgb2YgdGhlIGZsYWcgYWZ0ZXIgY29tcGxldGluZyB0aGUgbWlzc2lvbi4=
The mission starts from here 2767672168638012730821

let's decode the first one(binary)
the result is CRISISCTF{H4lf_Human_@_

It's like the first part of the flag! let's decode the base64 we already found to see what inside,
it says: You get the second part of the flag after completing the mission.
and as you can see there is a line says: The mission starts from here 2767672168638012730821

so what is this ‘2767672168638012730821’ ????

after some research based on the link of the challenge,you will understand that its a directory!
let's check it

Again another page with a message: This is a very very s3cur3 page…really…trust me :)

Let's check the source code again!

and we found another hint <! — there is a lot of resources you need to find the correct one! →
hmmm, a lot of resources !! it's like talking about some directories and files, lets run a directory brute force attack,
I will use the Dirsearch tool, it's fast and awesome =)

Link for the tool ‘https://github.com/maurosoria/dirsearch

Dirsearch says that config.txt exists let's check it!

Here is the content of the config file:

It's like the function responsible for calling the content of the flag.php file
Let's make a Get request with the fflllllaaaagg parameter and value equal to nginxisbadifpoorlyconfigured and see what it give
http://192.171.20.103/Challenge1/2767672168638012730821/index.php?fflllllaaaagg=nginxisbadifpoorlyconfigured

Good job: SDRsZmxhYWFnfQ==
It's Base64 again let's decode it!
it says: H4lflaaag}
and it's part 2 of the flag ^^
Final flag: CRISISCTF{#######}

--

--

Eddie Mora
Eddie Mora

Written by Eddie Mora

The best puzzles are not meant to be solved{fahdabida.com}

No responses yet