$$ \text {An iCSI CTF (RED20)} $$

IP Address: 172.25.200.200

Port: 9038

image.png

Want to run this Docker container locally?

docker run -d -p 9038:80 --restart always --name flag-red20 joshbeck2024/ctf-ticktock-challenge-flag-red20

This time, The initial webpage is a login portal that allows us to register a new user. We are also given a hint that a list of example usernames can be found within an .html file on the server. (We’ll locate this list and utilize it later in the lab.)

Register a new user.

image.png

Go ahead and log in with this new user account and you’ll see that admins have the ability to upload files to this webserver. Unfortunately, lowly joe isn’t an admin!

image.png

Log out and log back in. Only this time, intercept the request in Burp Suite. (Let’s see what’s going on here!)

Click forward and you’ll see that we are redirected to upload.php upon successful login.

image.png

Some CLI text editors automatically create backup files any time a file is opened or edited. Emacs will append the tilde ~ to these backups, and there are times when it pays off to check whether they exist and were inadvertently left by the application developer.

Go to:

http://IP_ADDRESS_OF_VM/action.php~

Untitled