Hitcon CTF 2016 Quals - Writeup Angry Seam

Posted on Mon 10 October 2016 in writeups

Web (500 pts)

The first page we can see is a login page. Hanging around a little, we can list a few interesting pages : - The css.seam page take a filename as parameter. - The logout button take a parameter that corresponds to "view:object.method" format. - The report.seam page permits to send a URL to the administrator, but only URL that is intern to the application.

N|Solid

With the css.seam page, we can list directories and files at the root of the application :

http://52.198.197.227:8080/angryseam/css.seam?location=../../../

N|Solid

Reading the WEB-INF/pages.xml, we can view that there is a flag.xhtml, and we can deduce there is a flag.seam too. However, we saw that we must be admin to access it.

http://52.198.197.227:8080/angryseam/css.seam?location=../../../WEB-INF/pages.xml

N|Solid

The first thing I tried, with little hope, was to play with the session. Logged in as lambda user, I tried to go on register.seam and register with "admin" username.

N|Solid

Error message, the user is existing. But... it changed my session, and I'm logged in as admin now! I can browse the flag.seam as admin, and tada!, the flag.

N|Solid

I'm pretty sure this wasn't the intended way to solve this. But... I think it was the easiest way to do it! :)

Blaklis from Fourchette-Bombe