
DownUnder CTF (DUCTF) 2023


Introduction #

  • Last weekend, I took part in the DownUnder CTF alongside my team Fr334ks-Mini and this is the write-up for the challenges that I solved.

1. Discord #

Category: Misc

Difficulty: Beginner

  • We are given a file message.txt.
  • We download the file and open it
  • We can see that the flag is made by picking the first letter of every word, so our flag is: DUCTF{REJECTHUMANITYRETURNTOOURSUPPORTQUEUE}

2. Static File Server #

Challenge Description #

[image: challenge description]

Accessing the Web Server #

  • On accessing the web server we are presented with the following web page:
    [image: accessing the server]
  • Below the image there is a hyperlink, not_the_flag. It's a good idea to have a look at it first and see where it takes us.
    [image: not the flag]
  • Clicking the link serves a .txt file telling us that the real flag is at /flag.txt.
    Attempting to access /flag.txt led me to a dead end with the error Not Found.

Web Directory Listing #

  • Let's see whether the server will list the directories and files under its routes, or at least how it responds to different paths. We can use the curl command for that.

    [image: curl]

  • Attempting to access /files returns a 403: Forbidden and attempting to access /files/flag.txt returns a 404: Not Found.

  • The 403 on /files (rather than a 404) tells us the route exists and is backed by a directory whose listing is simply denied, so the handler is most likely joining the rest of the request path onto that directory. Given that, let's attempt a directory traversal and see whether the app is vulnerable.

Analysis Using Burp Suite #

  • Sending the /files/../../../../flag.txt payload from Burp … Guess what?! The response contains the flag :)
    [image: payload]
  • Note that Burp sends the request line exactly as typed. A browser, and curl by default, collapse the ../ segments on the client side before the request is sent, so the server would only ever see /flag.txt (the same 404 as before). With curl, pass --path-as-is to send the raw path.
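To make the server-side behaviour concrete, here is an added Python example; it is not the challenge's own code and it was written for this write-up. It assumes the /files route is mapped straight onto a directory on disk (an assumption, since the challenge source is not shown), builds a throw-away lab directory with a constructed placeholder flag, and contrasts a naive resolver that honours ../ with a hardened one that rejects anything outside the served directory. It also shows why the ../ never reaches the server when the payload is typed into a browser, and ramps the traversal depth the way you would in Burp until the file is served.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Assumed layout (not taken from the challenge source): the server maps the
# URL prefix /files onto one directory on disk.
ROUTE_PREFIX = "/files"


def what_a_browser_sends(url_path: str) -> str:
    """Browsers and curl (without --path-as-is) collapse dot segments before
    sending (RFC 3986 section 5.2.4), so the server never sees the '..'."""
    return posixpath.normpath(url_path)


def _route_relative(url_path: str):
    """Return the part of the path after the /files/ prefix, percent-decoded,
    or None if the request is not under that route."""
    if not url_path.startswith(ROUTE_PREFIX + "/"):
        return None
    return unquote(url_path[len(ROUTE_PREFIX) + 1:])


def resolve_vulnerable(served_dir: str, url_path: str):
    """Naive handler: join the decoded path onto the directory. '..' is
    honoured, so the request can climb out of served_dir."""
    rel = _route_relative(url_path)
    if rel is None:
        return None
    return os.path.normpath(os.path.join(served_dir, rel))


def resolve_hardened(served_dir: str, url_path: str):
    """Resolve symlinks on both sides, then refuse anything whose real path
    is not inside the served directory."""
    rel = _route_relative(url_path)
    if rel is None:
        return None
    base = os.path.realpath(served_dir)
    target = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, target]) != base:
        return None  # a real server would answer 403 here
    return target


def fetch(resolver, served_dir: str, url_path: str):
    """Simulate the response body: file contents, or None for a 403/404."""
    path = resolver(served_dir, url_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read().strip()


def find_traversal_depth(resolver, served_dir: str, filename: str, max_depth: int = 8):
    """Ramp up the number of ../ segments, as you would by hand in Burp,
    until the target file is served. Returns (depth, body) or None."""
    for depth in range(1, max_depth + 1):
        url_path = f"{ROUTE_PREFIX}/" + "../" * depth + filename
        body = fetch(resolver, served_dir, url_path)
        if body is not None:
            return depth, body
    return None


def build_lab():
    """Constructed stand-in for the challenge box: the served directory holds
    not_the_flag.txt and a placeholder flag sits two levels above it."""
    root = tempfile.mkdtemp()
    served = os.path.join(root, "www", "files")
    os.makedirs(served)
    with open(os.path.join(served, "not_the_flag.txt"), "w") as f:
        f.write("the real flag is at /flag.txt\n")
    with open(os.path.join(root, "flag.txt"), "w") as f:
        f.write("DUCTF{constructed_placeholder_flag}\n")
    return root, served


if __name__ == "__main__":
    _, served = build_lab()
    print("client-normalised:", what_a_browser_sends("/files/../../../../flag.txt"))
    print("vulnerable:", find_traversal_depth(resolve_vulnerable, served, "flag.txt"))
    print("hardened:  ", find_traversal_depth(resolve_hardened, served, "flag.txt"))
```

The hardened resolver checks the real path rather than the string prefix, so a symlink inside the served directory pointing elsewhere is also refused. The percent-encoded form ..%2F..%2F is worth probing alongside the plain one; whether it lands depends on whether the server decodes before or after it joins the path, which this example only models for the decode-first case.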

Conclusion #

  • I enjoyed solving this challenge! See you in the next blog :)