Bluehat CTF — MatrixBrowser

Josh Graham
Oct 2, 2018

I had the chance to play the Bluehat CTF this year made by Jonathan Bar Or. This blog will discuss the way I solved the web challenge MATRIXBROWSER. I’ve written up some other challenges here.

To solve this challenge we needed to get access to the MatrixBrowser page. When you tried to visit the page in a browser, you got the error message below:

So the server will only respond if you’re using the “MatrixBrowser” version 1.0. How would the server know what browser I’m using? The user agent string! I was using Burp proxy, so I modified the “User-Agent” header to the value “MatrixBrowser v1.0” and received a new error message:

Refer here refers to the Referer header (note that the header is spelled “referer” not “referrer”). I added the Referer header to the request and was returned the key!
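The two checks described above can be modelled as follows. This is an added example, not code from the original post or from the CTF; it is a constructed stand-in for the server-side gate, showing that both headers are values the client chooses and so cannot act as access control. The required Referer value, the error texts and the flag are placeholders, since the post does not state them.

```python
# Added illustration: a constructed stand-in for the challenge's server-side
# gate, written as a WSGI app so it runs in-process with no network access.
from wsgiref.util import setup_testing_defaults

REQUIRED_UA = "MatrixBrowser v1.0"                # value given in the write-up
REQUIRED_REFERER = "http://placeholder.example/"  # assumption: not stated in the post
FLAG = "FLAG{placeholder}"                        # constructed, not the real key


def app(environ, start_response):
    """Gate the page on two request headers that the client fully controls."""
    ua = environ.get("HTTP_USER_AGENT", "")
    referer = environ.get("HTTP_REFERER", "")
    if ua != REQUIRED_UA:
        # Error texts here are constructed; the originals are not in the post.
        status, body = "403 Forbidden", "Only MatrixBrowser v1.0 is supported"
    elif referer != REQUIRED_REFERER:
        status, body = "403 Forbidden", "Unexpected Referer"
    else:
        status, body = "200 OK", FLAG
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]


def request(headers):
    """Call the app as a WSGI server would, with the given request headers."""
    environ = {}
    setup_testing_defaults(environ)  # fills in method, path, host, and so on
    for name, value in headers.items():
        # WSGI exposes the header "User-Agent" as the key "HTTP_USER_AGENT".
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    # An ordinary browser, then each header supplied in turn.
    print(request({"User-Agent": "Mozilla/5.0"}))
    print(request({"User-Agent": REQUIRED_UA}))
    print(request({"User-Agent": REQUIRED_UA, "Referer": REQUIRED_REFERER}))
```
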

I’ve written up some other challenges here: https://medium.com/@jpg.inc.au/bluehat-2018-ctf-ef63c48c3a7a