From 9d237b0447baa2e8c79c983bc05c91b5183f5247 Mon Sep 17 00:00:00 2001 From: Matthias Prader Date: Fri, 13 Dec 2019 15:45:46 +0000 Subject: [PATCH] Update asis19.md --- writeups/matthias/asis19.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/writeups/matthias/asis19.md b/writeups/matthias/asis19.md index a11319d..e90d76d 100644 --- a/writeups/matthias/asis19.md +++ b/writeups/matthias/asis19.md @@ -24,7 +24,7 @@ In the meantime we already could look at Protected Area 2, which pointed to a Gi `/read_file/?file=....//....//....///app/main.py&test=ha.txt` allowed us to read the content of the python file. By looking at the python files that are imported in the main file we found the protected endpoint `/protected_area_0098` which sends the flag back (in the file `/app/application/api.py`). But a `check_login` method is executed before. In a file imported by the `api.py`, the file `/api/application/functions.py` was the `check_login` method. The method looks for a header named `ah` and checks if its value is equal than a MD5 hash of some values located in a configfile. We found the config.py at `/app/config.py` so we had the values, could craft the correct header. `curl -H "ah: cbd54a3499ba0f4b221218af1958e281" http://66.172.33.148:8008/protected_area_0098` resulted in `ASIS{f70a0203d638a0c90a490ad46a94e394}` -##Web: Protected Area 2 (not solved) +## Web: Protected Area 2 (not solved) --- Protected Area 2 had exactly the same structure as Protected Area 2. The only defference in the pages sources was a hint to a file named `private.txt`. This file contained the link to the already mentioned Github repo. We could move between directories with `read_file` as in Protected Area 1. But this time the trick with adding another parameter to bypass the check if the file ends with `.txt` did not work. -- 2.43.0
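Review bot: The one-character change in this hunk (`-##Web: Protected Area 2 (not solved)` to `+## Web: Protected Area 2 (not solved)`) is correct, since CommonMark requires a space after the `#` run for the line to render as a heading, but the surrounding context lines carry errors that this touch-up leaves in place and that would fit naturally in the same commit: the sentence "Protected Area 2 had exactly the same structure as Protected Area 2" compares the challenge with itself (the preceding section is about Protected Area 1), "defference" should read "difference", "is equal than a MD5 hash" should read "is equal to an MD5 hash", and the path `/api/application/functions.py` is inconsistent with the `/app/application/api.py` and `/app/config.py` paths quoted a few lines earlier (likely `/app/application/functions.py`, but the author should confirm). The commit subject "Update asis19.md" also says nothing about what changed; something like "asis19: fix Protected Area 2 heading" would make the history searchable.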