RITSEC CTF Web Write-ups

Challenges: Sessions, Dababy web

1.Sessions:

Let’s start by reading the source code,

Looks like the admin forgot to remove the login credentials,

The session cookie of the site looks like a Base64 encoded text since the challenge name is sessions it is worth decoding the ciphertext.

2. Dababy Web:

Again let’s start by reading the source code,

Hmmm…..

fun1.php?file=suge

looks like a Local File Inclusion, Learn more about LFI here:
https://medium.com/dsc-sastra-deemed-to-be-university/pwning-php-websites-rfi-lfi-5f28e6c31b4a

Requesting Flag file:

fun1.php?file=../flag.txt

BOOM!!! here we go

Спасибо :) — Mudhalai Mr Team Infinity