Pintu CTF 2024
Contents
- 1. Welcome - 10
- 2. Path to the Flag - 100
  - 2.1 Journey
  - 2.2 TLDR - Directory Traversal
- 3. IP Checker - Username - 100
  - 3.1 Journey
  - 3.2 Solution
  - 3.3 TLDR - .git Exposure Vulnerability
- 4. IP Checker - Password - 100
  - 4.1 Journey
- 5. Login - 100
- 6. Juicy Injection - Squeeze the Query - 200
  - 6.1 Journey
This is my first time participating in a CTF (short for “Capture the Flag”). I never knew it could be so much fun! Got to give a huge thanks to Pintu’s cybersecurity team for the exposure and introduction!
Readers’ guide
Every primary header after this is a challenge. Each challenge write-up is divided into 3 sub-headers:
- Journey — Just some blabbering on how I arrived at the solution, and of course I did not talk about the crazy amount of web searches I did
- Solution — some shell commands and code used to solve the challenge
- TLDR — Well, if you want to skip to what the challenge is actually about, the sauce and maybe some of my thoughts
1. Welcome - 10
Excerpt
Welcome to Pintu CTF - Genesis Edition (The Beginning). A terminal screen flickers to life with a simple challenge: "What is the MD5 hash of the word 'admin'?" Prove your readiness by submitting the answer in the format:
This challenge was simple, just to make sure the audience was in the right place. It merely asks for the MD5 hash of a word, easily achievable with online tools.
2. Path to the Flag - 100
2.1 Journey
Excerpt
You’ve stumbled upon a mysterious server that holds the key to the challenge. A cryptic message reveals that the flag is hidden inside /home/flag.txt. However, direct access seems impossible, and the application’s file parameter might be the only way in. Can you exploit the path to uncover the flag?
A URL links to a server which returns the following message:

At first I just tried http://hostname?file=/home/flag.txt, can’t be that easy, right? I got:
Recalling what I read before starting this challenge about directory traversal → https://ctf101.org/web-exploitation/directory-traversal/what-is-directory-traversal/
Tried http://hostname?file=../../home/flag.txt. Voila!
2.2 TLDR - Directory Traversal
Best explained in the CTF101 Handbook.
This vulnerability can happen in any application that uses user input in a directory path. It can show up in any form of file access, even when traversing S3 buckets. A team might want to save a database query result and use user input to navigate directly to the file; without sanitising that input, a user could navigate the whole file storage.
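As an added illustration of the fix (my own example in Go, not code from the challenge server or from CTF101): the `file` parameter resolved the vulnerable way next to a guarded version that refuses anything escaping the base directory. The base directory and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested path escapes the base directory.
var ErrOutsideBase = errors.New("requested path escapes the allowed directory")

// unsafePath mirrors the vulnerable pattern: the user-supplied `file` value is
// joined onto the base directory with no check that the result stays inside it.
// filepath.Join cleans the path, so "../../home/flag.txt" walks straight out.
func unsafePath(base, userFile string) string {
	return filepath.Join(base, userFile)
}

// safePath resolves the user-supplied value against base and rejects any result
// that does not remain under base. Leading separators are stripped so an absolute
// value like "/home/flag.txt" is treated as relative to base, not as a root path.
// (Symlinks are not resolved here; a real server should also use filepath.EvalSymlinks.)
func safePath(base, userFile string) (string, error) {
	cleanBase := filepath.Clean(base)
	rel := strings.TrimLeft(filepath.ToSlash(userFile), "/")
	full := filepath.Join(cleanBase, filepath.FromSlash(rel))
	// Containment check: the result must be base itself or base + separator + something.
	if full != cleanBase && !strings.HasPrefix(full, cleanBase+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	base := "/var/www/app/public" // constructed example base directory
	for _, f := range []string{"images/logo.png", "../../home/flag.txt", "/home/flag.txt"} {
		fmt.Printf("unsafe: %-24s -> %s\n", f, unsafePath(base, f))
		p, err := safePath(base, f)
		fmt.Printf("safe:   %-24s -> %q %v\n", f, p, err)
	}
}
```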
3. IP Checker - Username - 100
3.1 Journey
Excerpt
Alex was conducting information gathering on the IP Checker challenge when he discovered that solving it would require a username at some point.
From past experience, Alex knew that developers sometimes fail to deploy applications securely, which can inadvertently expose the source code.
Your goal is to find the hidden username.
This challenge provides a URL that links to this web app. It does not really do anything and it is buggy.

I had to reveal the hint to move on… as I really didn’t know what to do.
Merge and Conflict :D, the tool has a default hidden directory. Can you dump and read the username?
With this hint I immediately tried http://hostname/.git and it revealed the following directory listing.
Downloading the .git folder and running git status showed us that there are local changes deleting username.go.bak. We just had to do a git checkout to revert the delete, and job done!
3.2 Solution
```shell
# mirror the exposed .git directory (robots.txt is ignored with -e robots=off)
wget -mpEk -np -e robots=off --random-wait http://100.109.132.8:9494/.git
# restore the file that git status reports as deleted in the working tree
cd 100.109.132.8:9494 && git checkout .
```
- There is a file username.go.bak; rename it by removing the .bak extension.
- Then just run the following:
```shell
go run username.go
```
3.3 TLDR - .git Exposure Vulnerability
This is a case of deploying the .git folder along with the web app. With the .git folder we could have the entire history of the source code, depending on the clone depth. I found this guy who scans for exposed .git directories on websites on a global scale (https://smitka.me/open-git/). They also shared ways to prevent it.
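One of the ways to prevent this, as an added example in Go (my own code, not from the page or from the linked site): a middleware that answers 404 for any dotfile path, so a .git directory deployed by mistake is never served even if the static file handler would find it. The handler names and sample paths are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// isHiddenPath reports whether any segment of the URL path starts with a dot,
// covering /.git/HEAD, /.env, /assets/.git/config and similar leaks. The path is
// cleaned first so "/static/../.git/config" is caught as well.
func isHiddenPath(urlPath string) bool {
	clean := path.Clean("/" + urlPath)
	for _, seg := range strings.Split(clean, "/") {
		if strings.HasPrefix(seg, ".") && seg != "." && seg != ".." {
			return true
		}
	}
	return false
}

// denyHidden wraps a handler and returns 404 for hidden paths before the
// wrapped handler (e.g. http.FileServer) ever sees the request.
func denyHidden(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isHiddenPath(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a GET for urlPath through the middleware in-process and
// returns the HTTP status, so the behaviour can be checked without a real server.
func statusFor(urlPath string) int {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok") // stand-in for the real application handler
	})
	rec := httptest.NewRecorder()
	denyHidden(app).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, urlPath, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{"/", "/static/app.js", "/.git/HEAD", "/static/../.git/config"} {
		fmt.Printf("%-25s -> %d\n", p, statusFor(p))
	}
}
```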
4.1 Journey
Excerpt
Alex was conducting information gathering on the IP Checker challenge when he discovered that solving it would require a password at some point. From past experience, Alex knew that developers sometimes fail to deploy applications securely, which can inadvertently expose the source code. At first glance, Alex didn't notice anything unusual about the application. However, he soon realized that the things related to the image hold valuable information. Unfortunately the valuable information can't be read. Can you read the password?
The image was hosted on an S3 bucket → https://ptu-ctf.s3.ap-southeast-1.amazonaws.com/pintu-banner.jpg. Accessing https://ptu-ctf.s3.ap-southeast-1.amazonaws.com/ revealed a list of items hosted on the S3 bucket.

One of them is password.txt.
TODO: Not completed
5. Login - 100
6. Juicy Injection - Squeeze the Query - 200
6.1 Journey
Excerpt
Welcome to the Juice Market, where every juice bottle is identified by a unique ID. However, a critical flaw in the /juice/:id endpoint allows an attacker to manipulate the database through unsanitized user input. To make matters worse, the /ping endpoint shows the server is alive, providing an extra clue. Your task: Exploit the vulnerability in the query, retrieve the secret flag hidden in the database, and show the Juice Market who's boss!