{"id":389,"date":"2015-07-31T00:42:46","date_gmt":"2015-07-30T22:42:46","guid":{"rendered":"https:\/\/0x90r00t.com\/?p=389"},"modified":"2015-08-29T13:43:39","modified_gmt":"2015-08-29T11:43:39","slug":"cybercamp-2015-web-4-write-up-fr","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2015\/07\/31\/cybercamp-2015-web-4-write-up-fr\/","title":{"rendered":"[Cybercamp 2015] [Web 4] Write Up"},"content":{"rendered":"

Description<\/h2>\n

On se retrouve devant une page web affichant une image comme quoi le hotlinking est interdit ou que l’image demand\u00e9e n’existe pas.<\/p><\/blockquote>\n

\"image.php\"<\/a><\/p>\n

Resolution<\/h2>\n

En observant les headers http lors du chargement de l’image, on se rend compte qu’il y en a un inhabituel, ‘Debug: –<\/strong>‘.
\nEn t\u00e2tonnant on s’est rendu compte qu’il contenait ‘–<\/strong><header http referer>’ , mais pourquoi ce tiret au d\u00e9part ?
\nDans la logique, on met comme referer http:\/\/challenge.cybercamp.es:8084\/gallery\/, car \u00e7a semble \u00eatre l’url de base de la galerie vu que quand on tente d’acc\u00e9der \u00e0 cette url, on obtient un message \u00ab\u00a0gallery not available\u00a0\u00bb.
\nEvidemment, \u00e7a aurait \u00e9t\u00e9 trop simple, mettre ce referer ne permet pas d’obtenir le flag.
\nApr\u00e8s avoir essay\u00e9 la quasi-totalit\u00e9 des headers existants, une petite id\u00e9e nous est venue : et si finalement il fallait passer quelque chose dans l’url ?
\nL’url de base est ‘gallery\/image.php?image<\/strong>=8123914′, pourtant 8123914 ne ressemble pas \u00e0 un nom d’image, l’argument ne serait-il finalement pas un id ?<\/p>\n

Charger l’url gallery\/image.php?id<\/strong>=8123914 avec, comme referer, http:\/\/challenge.cybercamp.es:8084\/gallery\/ nous a fait obtenir le flag.<\/p>\n

\"flag\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Description On se retrouve devant une page web affichant une image comme quoi le hotlinking est interdit ou que l’image demand\u00e9e n’existe pas.<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,35,36],"tags":[],"class_list":["post-389","post","type-post","status-publish","format-standard","hentry","category-2015-fr","category-ctf-fr","category-cybercamp-fr"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=389"}],"version-history":[{"count":9,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/389\/revisions"}],"predecessor-version":[{"id":712,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/389\/revisions\/712"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}