Touch Grass

Description

Touch-Grass [Web]

ARIA has ordered you to touch grass. Now you actually have to do it. Make up for all the times you haven't touched it.

https://uscybercombine-touch-grass.chals.io/

Solution

On /login we have a sign in/up page:

Creds: test01:test01


All links are javascript:void(0), but in the source we see:

        <h4 style="color:red">!Important!</h4>
        <p>The following is your grass touch counter. You need over 100000 to successfully make up for the times you havent touched grass.</p>
        <h4>Touch Count: 0</h4>
        <!-- Put clickable image of grass here. Need javascript to send POST when clicked-->
        <!-- New click API at /api/click, remove the admin version ASAP -->
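
A defensive check for the leak shown above, as an added example that is not part of the original write-up: it parses rendered HTML and flags comments that name URL paths, privileged features or cleanup notes, so they can be stripped before deployment. The rule patterns and the names `audit` and `endpoints` are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Heuristics for comments that disclose more than a client should see.
# These patterns are assumptions for this example; tune them per project.
RULES = {
    "endpoint": re.compile(r"(?<![\w.])/(?:[\w\-]+/)*[\w\-]+"),
    "privileged": re.compile(r"\b(admin|internal|debug|secret|password|token)\b", re.I),
    "todo": re.compile(r"\b(todo|fixme|remove|asap)\b", re.I),
}

class CommentAuditor(HTMLParser):
    """Collects HTML comments that match at least one rule."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        line, _ = self.getpos()  # position of the comment's opening "<!--"
        hits = sorted(name for name, rx in RULES.items() if rx.search(data))
        if hits:
            self.findings.append({"line": line, "rules": hits, "text": data.strip()})

def audit(html):
    """Return one finding per risky comment in a rendered page or template."""
    auditor = CommentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def endpoints(findings):
    """Paths named in flagged comments, to compare against the route table."""
    found = set()
    for finding in findings:
        found.update(RULES["endpoint"].findall(finding["text"]))
    return sorted(found)

# Sample input: the markup quoted in the write-up, one element per line.
SAMPLE = """\
<h4 style="color:red">!Important!</h4>
<p>The following is your grass touch counter.</p>
<h4>Touch Count: 0</h4>
<!-- Put clickable image of grass here. Need javascript to send POST when clicked-->
<!-- New click API at /api/click, remove the admin version ASAP -->
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {', '.join(f['rules'])}: {f['text']}")
    print("paths disclosed:", endpoints(audit(SAMPLE)))
```

Run against rendered responses in CI, a non-empty result can fail the build until the comment is removed or the route it names is retired.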

Playing with the API:

Send JSON:

Send username:

After some guessing:

I thought this might have been SQLi, but after a few attempts I gave up. Then I noticed logging in through the API, but we have 2 APIs.

Create a new user through the admin API:

Make request:

Get all the touches you need:

Profit:
