Level 3 Finally we get to level 3. Here’s the setup:
After the fiasco back in Level 0, management has decided to fortify the Secret Safe into an unbreakable solution (kind of like Unbreakable Linux). The resulting product is Secret Vault, which is so secure that it requires human intervention to add new secrets. A beta version has launched with some interesting secrets (including the password to access Level 4) Here’s the code for the server (Python finally!
Level 2 In level 2, we’re faced with a PHP app that allows you to upload a “profile picture”. The password to level 3 is contained in a “password.txt” file of the document root, as revealed in line 49. Of course, you won’t be able to click on the link and get the file. The directory is protected, and we have to somehow exploit the code.
Reading through the code, it’s a clear that whatever file uploaded to the server will be under uploads/, and the file is publicly accessible through <base>/uploads/<your_file_name>, as seen on line 37.
Level 1 Now we get to level 1. We are presented with a simple web form with the PHP code powering it.
The PHP script checks if the input combination matches the combination in ‘secret-combination.txt’ file, and present the user with the password to the next level if the combinations match. Obviously, we’re not going to guess the combination.
There are a few ‘handy’ methods in PHP that are extremely dangerous.
Stripe just finished running a second “capture the flag” challenge. They ran a similar challenge this February and was more focused on system level. This time, it’s full-on web security.
In the next few posts, I’m going to discuss the problems in the challenge, how I solved them and what did I learn from from each challenge.
Problem 0 Here are the code for level 0:
So you have a node.