byte-road-challenge.gohtml (5060B)
{{ define "sub-content" }}
{{ if .Data.FlagFound }}
    You found the flag
{{ else if .Data.Registered }}
    You have been registered successfully.<br />
    <a href="/vip/challenges/byte-road">Back to home page</a>
{{ else if not .Data.CaptchaSolved }}
    <p>
        This is an exploit that I encountered in the wild.<br />
        Someone showed up on BHC (Black Hat Chat) and started advertising his new "marketplace website" he called "ByteRoad".<br />
        The first thing I noticed while visiting the website was that the captcha was using a question in cleartext, i.e.: "What is 10 + 46 ?".<br />
        So I told them the captcha was useless and would only slow down humans.<br />
        To which they replied that I knew nothing and that it was obviously very secure.<br />
        So 30 min later, they realized how popular their website was getting, with tens of thousands of new user registrations.<br />
        They had to turn off the website for a little while, and then came back with a real captcha which was hard for the bots as well.<br />
        Then they again challenged me to try to mess with their website.<br />
        So after looking around their quickly put together new captcha system, I found an exploit and was able to, again, create tens of thousands of new users on their website.<br />
        They then shut down the website forever.<br />
        <br />
        In this CTF challenge, I reproduced the vulnerability that was on their website.<br />
        Your goal is to find the exploit and use it to create 100 accounts within 5 minutes.<br />
    </p>
    <p>
        The registration is a 2-step process: you need to first solve a captcha; once the captcha is solved, you can register an account.
    </p>
    <p>
        You have registered <b>{{ .Data.NbAccountsRegistered }}</b> in the last 5 minutes. ({{ if .Data.SessionExp }}Session time remaining: {{ .Data.SessionExp | shortDur }}{{ else }}no session{{ end }})
    </p>
    <form autocomplete="on" method="post">
        <input type="hidden" name="csrf" value="{{ .CSRF }}" />
        <input type="hidden" name="formName" value="captcha" />
        <input type="hidden" name="captcha_id" value="{{ .Data.CaptchaID }}" />
        <fieldset>
            <div class="row">
                <div class="center-block">
                </div>
            </div>
            <div class="row">
                <div>
                    <div class="form-group">
                        <div class="mb-2 text-center">
                            <img src="data:image/png;base64,{{ .Data.CaptchaImg }}" alt="captcha" style="background-color: hsl(0, 0%, 90%);" />
                        </div>
                        <input class="form-control{{ if .Data.ErrCaptcha }} is-invalid{{ end }}" placeholder="{{ t "Captcha" . }}" name="captcha" type="text" value="{{ .Data.Captcha }}" maxlength="6" required autocomplete="off" />
                        {{ if .Data.ErrCaptcha }}<div class="invalid-feedback d-block">{{ .Data.ErrCaptcha }}</div>{{ end }}
                    </div>
                    <div class="form-group">
                        <input type="submit" class="btn btn-lg btn-primary btn-block" value="Continue" />
                    </div>
                </div>
            </div>
        </fieldset>
    </form>
{{ else }}
    <h1>Register an account</h1>
    <form autocomplete="off" method="post">
        <input type="hidden" name="csrf" value="{{ .CSRF }}" />
        <input type="hidden" name="formName" value="register" />
        <fieldset>
            <div class="row">
                <div class="center-block">
                    {{ if .Data.ErrRegistration }}
                        <div class="alert alert-danger">
                            {{ .Data.ErrRegistration }}
                        </div>
                    {{ end }}
                </div>
            </div>
            <div class="row">
                <div>
                    <div class="form-group" style="width: 300px;">
                        <input class="form-control" placeholder="{{ t "Username (3-10 charaters)" . }}" name="username" type="text" value="{{ .Data.Username }}" autofocus required />
                    </div>
                    <div class="form-group">
                        <input class="form-control" placeholder="{{ t "Password (3-10 charaters)" . }}" name="password" type="password" value="{{ .Data.Password }}" required />
                    </div>
                    <div class="form-group">
                        <input type="submit" class="btn btn-lg btn-primary btn-block" value="Register" />
                    </div>
                </div>
            </div>
        </fieldset>
    </form>
{{ end }}
{{ end }}