Tags: web http headers
First I sent a request to the given URL and checked the headers. In the headers I found an interesting redirect to `/secret-site?secretcode=5770011ff65738feaf0c1d009caffb035651bb8a7e16799a433a301c0756003a`
Then I sent a request to the redirect URL and checked the headers. I found a cookie named `"time"` being set.
I started playing with it and realised the server response is just the value of the "time" cookie subtracted from the server time (starting from a specific value). The first thing that came to mind was to check whether I could input negative time values, and it worked. Now I just had to find what to input to make it an eternity. After various tries ("-eternity", -1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 and some more), I finally got the flag on setting `"time=-infinity"`.
Thus I got the flag `amateursCTF{im_g0iNg_2_s13Ep_foR_a_looo0ooO0oOooooOng_t1M3}`
Another thing I found while playing around was that the secret code (5770011ff65738feaf0c1d009caffb035651bb8a7e16799a433a301c0756003a) is the SHA-256 hash of 'amateurs' (I used https://www.dcode.fr/en for this), and any other secret code leads to a 'you don't have the secret code' message.
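The cookie arithmetic described above, as an added example that is not the challenge's source code: it assumes the server parses the `time` cookie with Python's `float()`, and the function names, the `max_age` limit and the sample values are hypothetical. It shows why `-infinity` produces an infinite wait while a huge finite number does not, next to a parser that rejects such values.

```python
import math


def elapsed_naive(cookie_value, now):
    """Assumed server behaviour: trust float() on the client-supplied cookie."""
    return now - float(cookie_value)


def elapsed_checked(cookie_value, now, max_age=86400.0):
    """Return elapsed seconds, or None when the cookie is not a plausible start time."""
    try:
        start = float(cookie_value)
    except (TypeError, ValueError):
        return None  # not a number at all, e.g. "-eternity"
    if not math.isfinite(start):
        return None  # "inf", "-infinity", "nan", and overflow such as "-1e400"
    if start > now or now - start > max_age:
        return None  # start time in the future or implausibly old
    return now - start


if __name__ == "__main__":
    now = 1689400000.0  # constructed server timestamp
    # Constructed cookie values modelled on the attempts in the writeup.
    samples = ["1689399990.0", "-1" + "0" * 87, "-1e400", "-infinity", "nan", "-eternity"]
    for value in samples:
        try:
            naive = elapsed_naive(value, now)
        except ValueError:
            naive = "ValueError"
        shown = value if len(value) < 20 else value[:12] + "..."
        print(f"{shown:>16}  naive={naive}  checked={elapsed_checked(value, now)}")
```

A range check only limits the damage; a start time the client can edit is still untrusted, so keeping it server-side or signing the cookie removes the problem at its source.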