RITSEC CTF Web Write-ups
Apr 12, 2021
Challenges: Sessions, Dababy web
1.Sessions:
Let’s start by reading the source code,
Looks like the admin forgot to remove the login credentials,
The session cookie of the site looks like a Base64 encoded text since the challenge name is sessions it is worth decoding the ciphertext.
2. Dababy Web:
Again let’s start by reading the source code,
Hmmm…..
fun1.php?file=suge
looks like a Local File Inclusion, Learn more about LFI here:
https://medium.com/dsc-sastra-deemed-to-be-university/pwning-php-websites-rfi-lfi-5f28e6c31b4a
Requesting Flag file:
fun1.php?file=../flag.txt
BOOM!!! here we go