CTFLEARN: POST Practice Writeup

Prompt: This website requires authentication, via POST. However, it seems as if someone has defaced our site. Maybe there is still some way to authenticate? http://165.227.106.113/post.php

Based on the prompt, we can assume that we are meant to authenticate to the listed website with a POST request. POST requests are commonly used on websites to send login credentials, such as usernames and passwords, because the form data travels in the request body rather than in the URL. However, it is possible for malicious actors to deface websites, rendering their login portals useless, so we need another way to send that request. This is where PowerShell's Invoke-WebRequest cmdlet comes in handy. Running it against the URL with no additional options produces the output below.

PS C:\WINDOWS\system32> Invoke-WebRequest http://165.227.106.113/post.php


StatusCode        : 200
StatusDescription : OK
Content           : <h1>This site takes POST data that you have not submitted!</h1><!-- 
                    username: admin | password: 71urlkufpsdnlkadsf -->
RawContent        : HTTP/1.1 200 OK
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    Content-Type: text/html
                    Date: Sat, 02 Jul 2022 00:26:14 GMT
                    Server: nginx/1.4.6 (Ubuntu)
                    X-Powered-By: PHP/5.5.9-1ubuntu4.22
                    
                    ...
Forms             : {}
Headers           : {[Transfer-Encoding, chunked], [Connection, keep-alive], 
                    [Content-Type, text/html], [Date, Sat, 02 Jul 2022 00:26:14 GMT]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 118

This reveals that the username and password are present in an HTML comment on the page, which a browser would not render. We can now form our POST request to submit the username and password. We start by assigning the credentials, in form-encoded key=value pairs, to a variable.

$data = 'username=admin&password=71urlkufpsdnlkadsf'

We can then send the request below, and the flag is returned in the response body.

PS C:\WINDOWS\system32> Invoke-WebRequest -Method Post -Body $data http://165.227.106.113/post.php


StatusCode        : 200
StatusDescription : OK
Content           : <h1>flag{p0st_d4t4_4ll_d4y}</h1>
RawContent        : HTTP/1.1 200 OK
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    Content-Type: text/html
                    Date: Sat, 02 Jul 2022 00:31:06 GMT
                    Server: nginx/1.4.6 (Ubuntu)
                    X-Powered-By: PHP/5.5.9-1ubuntu4.22
                    
                    ...
Forms             : {}
Headers           : {[Transfer-Encoding, chunked], [Connection, keep-alive], 
                    [Content-Type, text/html], [Date, Sat, 02 Jul 2022 00:31:06 GMT]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 32

Flag: flag{p0st_d4t4_4ll_d4y}

Key Takeaway: Command-line tools such as Invoke-WebRequest or curl return the raw response, which can contain data that is not visible on the rendered page, such as HTML comments and source code. They can also submit credentials in a request, which may return privileged data.
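The same two steps (inspect the raw response for comments, then build a form-encoded POST body) generalise beyond this one challenge. The following Python script is an added example, not part of the original writeup or of CTFlearn: it parses an embedded copy of the response shown above, flags credential-like key/value pairs found inside HTML comments (the kind of check a site owner can run against their own pages), and builds the POST body with urlencode so values containing spaces or symbols are encoded correctly rather than concatenated by hand. The `post_form` helper only runs when a URL is passed on the command line; the sample HTML, the `SECRET_KEYS` list and the regular expression are my own assumptions.

```python
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample: a copy of the defaced page's response body from the
# writeup, embedded here so the script runs offline.
SAMPLE_HTML = (
    "<h1>This site takes POST data that you have not submitted!</h1><!-- \n"
    "username: admin | password: 71urlkufpsdnlkadsf -->"
)

# Field names that should never appear in client-visible source (assumed list).
SECRET_KEYS = {"username", "user", "login", "password", "pass", "passwd",
               "pwd", "token", "secret", "apikey", "api_key"}

# "key: value" or "key=value"; the value stops at whitespace or a separator.
PAIR_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_-]*)\s*[:=]\s*([^\s|,;]+)")


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def extract_comments(html):
    """Return the raw text of all HTML comments, in document order."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_leaked_fields(html):
    """Return {field: value} for credential-like pairs found in comments."""
    found = {}
    for comment in extract_comments(html):
        for key, value in PAIR_RE.findall(comment):
            if key.lower() in SECRET_KEYS:
                found[key] = value
    return found


def build_form_body(fields):
    """application/x-www-form-urlencoded body; urlencode escapes specials."""
    return urlencode(fields)


def post_form(url, fields, timeout=10):
    """Send the fields as a form POST and return (status, body). Network only."""
    req = Request(
        url,
        data=build_form_body(fields).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    leaked = find_leaked_fields(SAMPLE_HTML)
    for key, value in leaked.items():
        print(f"comment leaks {key}: {value}")
    print("form body:", build_form_body(leaked))
    if len(sys.argv) > 1:  # e.g. python audit_post.py http://example.invalid/post.php
        status, body = post_form(sys.argv[1], leaked)
        print(status, body)
```

Running the script with no arguments stays offline and prints the two leaked fields and the body `username=admin&password=71urlkufpsdnlkadsf`, which matches the string assigned to `$data` above; a password such as `p@ss word` would instead be emitted as `p%40ss+word`, which a hand-built string would get wrong.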

Word Count: 388