Solutions to Puzzle #4 Web Vulnerabilities - Flags 7–9

Mrs. G
Girls Go CyberStart
3 min read · Jan 4, 2020

Girls Go CyberStart is a fun series of cyber challenges where a curious mind and a willingness to try are your best tools. You don’t need any cybersecurity background to succeed! But if you like to warm up your cyber muscles before a race, these Practice Puzzles will give you a look at the types of challenges in GGCS along with tips and tricks to solving them. You could be solving challenges like these soon! Find out more and register here, competition play starts January 13.

Happy New Year! It’s time to tackle the more difficult flags posted on Puzzle #4. If you already solved one or all of these, pat yourself on the back — you are well on your way to rocking Girls Go CyberStart when Assess opens on January 13th!

Just want the solution and the flag? Below is a short text version, but be warned: these are a bit difficult to explain in a short text. The video is a better resource, as it provides a short walkthrough of each solution.

Flag #7 Hint: To get an admin message, go big in your script.
Solution: Right-click anywhere on the page, then from the drop-down menu select View Page Source. Looking at the top of the HTML code, you will find a developer comment that says:
<!-- TODO: Expand user ID so that users have more UID than 25 before powerful users. -->
Below that is a script in which the user ID is set to 1 by default. It seems that a userid value over 25 will be for an admin user. In the script, copy /.netlify/functions/userid?uid=1, paste it at the end of the website URL and increase the number. Press Enter and you will get Flag: Admin4M3!!!

Flag #8 Hint: This one will take an eye for the small detail + a touch of encoding
On the page the Escobar user has left a comment. He notes that he has a second account under the name Esc0bar — notice the one-character difference in names. Looking at the page source you will find:
<!-- Comment loaded from /.netlify/functions/comment-load?postid=Y29tbWVudC11c2VyLUVzY29iYXI= . Admin posts restricted. -->

The string after postid= is the base64 encoding of the text “comment-user-Escobar”. You need to base64-encode the string “comment-user-Esc0bar” and substitute the result after postid=. Then copy the entire string starting with /.netlify and add it to the end of the website URL. Press Enter and it will return the Flag: APIHax0r&123
[Note: If you had the right method but it wouldn’t work, we apologize for the frustration. There was a small problem with the source code that kept this solution from working. We fixed it by changing the function from “post=” to “postid=”]
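
What closes the hole behind Flag #8 (and the same pattern in the uid parameter of Flag #7) is an authorization check on the server. The sketch below is an added example, not the puzzle site's code: the handler names, the session object and the sample comments are assumptions constructed for illustration.

```javascript
// Added example with constructed data; handler names are hypothetical.
const COMMENTS = new Map([
  ["comment-user-Escobar", { owner: "Escobar", restricted: false, body: "public comment" }],
  ["comment-user-Esc0bar", { owner: "Esc0bar", restricted: true, body: "restricted post" }],
]);

// Base64 is a reversible encoding, not a secret: any client can decode or re-encode an ID.
const encodeId = (id) => Buffer.from(id, "utf8").toString("base64");
const decodeId = (postid) => Buffer.from(postid, "base64").toString("utf8");

// Weak pattern: any ID the client supplies is looked up and returned.
function loadCommentWeak(query) {
  const comment = COMMENTS.get(decodeId(String(query.postid || "")));
  return comment ? { status: 200, body: comment.body } : { status: 404, body: "not found" };
}

// Hardened pattern: the caller's identity comes from the server-side session,
// never from the request, and restricted records go only to their owner or an admin.
function loadCommentChecked(query, session) {
  const raw = String(query.postid || "");
  const id = decodeId(raw);
  // Node's decoder is lenient about malformed input, so accept canonical input only.
  if (raw === "" || encodeId(id) !== raw) return { status: 400, body: "bad postid" };
  const comment = COMMENTS.get(id);
  const allowed = comment &&
    (!comment.restricted || (session && (session.isAdmin || session.user === comment.owner)));
  // Same response for "missing" and "not yours", so IDs cannot be enumerated.
  return allowed ? { status: 200, body: comment.body } : { status: 404, body: "not found" };
}

// Constructed requests: the same re-encoded ID sent to both handlers.
const probe = { postid: encodeId("comment-user-Esc0bar") };
console.log("weak handler:", loadCommentWeak(probe).status);
console.log("checked, other user:", loadCommentChecked(probe, { user: "Escobar", isAdmin: false }).status);
console.log("checked, owner:", loadCommentChecked(probe, { user: "Esc0bar", isAdmin: false }).status);
```
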

Flag #9 Hint: Scripts can hide secrets, but can you make them function?
In the source code at the very top, there is a link to secretflag.js. Click on it to open the code, and you will find it is heavily obfuscated. However, if you search for “secret” or scroll all the way down to the bottom, you will find a reference to a suspicious function called “reveal_your_secrets”. On the website, right-click and select Inspect, then go to the Console tab. At the > prompt, type reveal_your_secrets() and press Enter to get the flag. Notice that the browser automatically begins to autocomplete the function name, so browsing the list of functions in the browser developer tools would also work. Flag: MasterOfFunctions()

Mandy Galante — formerly a high school cybersecurity teacher and coach, now working with GGCS to help young people discover their cybersecurity talent.