Tags: web
Rating: 2.5
# ▼▼▼Env(Web:100、51/696=7.3%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
---
```
Einstein said, "time was relative, right?"
meme 1
meme 2
http://104.154.106.182:6060
Author: maskofmydisguise
```
---
```
GET / HTTP/1.1
Host: 104.154.106.182:6060
```
↓
```
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Thu, 04 Apr 2019 13:18:33 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 607
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<meta name="description" content="My super totally awesome blog">
<title>My super totally awesome blog</title>
<style>
#timing {
margin: 50px 200px;
height:400px;
width: 200px;
}
</style>
</head>
<body>
<div id="timing">
</div>
</body>
</html>
```
↓
nothing!!
---
## 【Confirm Hint】
meme1
↓
---
meme2
↓
---
## 【Try 1: /home】
When I accessed `/home`, it was the **same** response as `/`.
---
## 【Try 2: /whatsthetime/】 ★★★important★★★
```
GET /whatsthetime/ HTTP/1.1
Host: 104.154.106.182:6060
```
↓
404 response...
---
```
GET /whatsthetime HTTP/1.1
Host: 104.154.106.182:6060
```
↓
```
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Thu, 04 Apr 2019 13:30:31 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 359
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<meta name="description" content="My super totally awesome blog v1.0">
<title>Almost there...or are you?</title>
</head>
<body>
</body>
</html>
```
↓
`Almost there...or are you?`
↓
**The response has changed!!** ★★important★★
---
## 【Try 3: you】
---
### 3-1:Try it for parameters
```
GET /whatsthetime?you=test → Almost there...or are you?
GET /whatsthetime?YOU=test → Almost there...or are you?
```
↓
nothing....
---
### 3-2:Try it for path
```
GET /you →404
GET /homeyou →404
GET /youhome →404
GET /whatsthetime/you →404
```
↓
nothing....
---
## 【Try 4:other】
---
```
GET /whatsthetime?timewasrelativeright → Almost there...or are you?
GET /whatsthetime/timewasrelativeright → Almost there...or are you?
GET /whatsthetimetimewasrelative → Almost there...or are you?
GET /whatsthetimetimewasrelativeright → Almost there...or are you?
GET /whatsthetime?e=mc2 → Almost there...or are you?
GET /whatsthetime?time=relative → Almost there...or are you?
GET /timewasrelativeright → 404
GET /timewasrelativeright → 404
GET /timewasrelative → 404
GET /timeisrelative → 404
```
↓
nothing....
---
## 【Try 5: Guess the problem from timing】 ★★★important★★★
time , relative ,home , timing...
↓
I guess it would be better to send **the current time**
↓
The commonly used time in a PC is **Unixtime**
---
## 【Try 6: Investigate where to insert Unixtime】 ★★★important★★★
```
GET /whatsthetime/12 HTTP/1.1
Host: 104.154.106.182:6060
```
↓
```
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Thu, 04 Apr 2019 13:44:32 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 353
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<meta name="description" content="My super totally awesome blog v1.0">
<title>Timing is a bitch!</title>
</head>
<body>
</body>
</html>
```
↓
`Timing is a bitch!`
↓
The response has changed!!
---
## 【Try 7: Insert Unixtime at the current time】 ★★★important★★★
```
GET /whatsthetime/1554385615 HTTP/1.1
Host: 104.154.106.182:6060
```
↓
```
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Thu, 04 Apr 2019 13:46:55 GMT
Connection: close
Content-Type: application/json
Content-Length: 44
{"flag":"encryptCTF{v1rtualenvs_4re_c00l}"}
```
↓
`encryptCTF{v1rtualenvs_4re_c00l}`
## ★★important★★
They guess that they miss the combination of **ENV** and **shash shash** titles and problems...
**shash shash** → **/●●●/●●●**→**/whatsthetime/123** can be easily imagined!!
