TJCTF2020 - Sarah Palin Fanpage
Posted on Tue. 02 June 2020 in CTF
Solves: 505
Points: 35
Written by jpes707
Are you a true fan of Alaska's most famous governor? Visit the Sarah Palin fanpage.
So, we need to get all the likes, but we can't get more than 4 on the website: beyond that we are detected as spam. The source code doesn't help to bypass it. But the likes seem to be stored somewhere, and the obvious place is a cookie.
We found one, data, but it seems encoded.
╰─ printf "eyIxIjpmYWxzZSwiMiI6ZmFsc2UsIjMiOmZhbHNlLCI0IjpmYWxzZSwiNSI6ZmFsc2UsIjYiOnRydWUsIjciOnRydWUsIjgiOnRydWUsIjkiOnRydWUsIjEwIjp0cnVlfQ==" | base64 -d
{"1":false,"2":false,"3":false,"4":false,"5":false,"6":true,"7":true,"8":true,"9":true,"10":true}
We can edit it, changing every value from false to true, and put it back into the browser:
╰─ printf '{"1":true,"2":true,"3":true,"4":true,"5":true,"6":true,"7":true,"8":true,"9":true,"10":true}' | base64
eyIxIjp0cnVlLCIyIjp0cnVlLCIzIjp0cnVlLCI0Ijp0cnVlLCI1Ijp0cnVlLCI2Ijp0cnVlLCI3Ijp0cnVlLCI4Ijp0cnVlLCI5Ijp0cnVlLCIxMCI6dHJ1ZX0=
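The weakness here is that the server trusts whatever is in the data cookie. The following is an added example (not code from the writeup or the challenge) that decodes the exact cookie above, shows why an unsigned cookie can be rewritten, and contrasts it with an HMAC-signed variant the server could have used; SECRET and all function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The unsigned "data" cookie quoted in the writeup (copied from the page).
ORIGINAL_COOKIE = (
    "eyIxIjpmYWxzZSwiMiI6ZmFsc2UsIjMiOmZhbHNlLCI0IjpmYWxzZSwiNSI6ZmFsc2UsIjYiOnRy"
    "dWUsIjciOnRydWUsIjgiOnRydWUsIjkiOnRydWUsIjEwIjp0cnVlfQ=="
)

# Hypothetical server-side key for the example; a real deployment loads it from config.
SECRET = b"example-secret-do-not-use"


def decode_unsigned(cookie: str) -> dict:
    """The fanpage's scheme: base64(JSON), trusted as-is, so the client can rewrite it."""
    return json.loads(base64.b64decode(cookie))


def encode_unsigned(state: dict) -> str:
    """Inverse of decode_unsigned; compact separators match the page's cookie bytes."""
    return base64.b64encode(json.dumps(state, separators=(",", ":")).encode()).decode()


def encode_signed(state: dict) -> str:
    """Hardened variant: payload plus an HMAC-SHA256 tag computed with the server key."""
    payload = base64.urlsafe_b64encode(json.dumps(state, separators=(",", ":")).encode())
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def decode_signed(cookie: str) -> Optional[dict]:
    """Return the state only if the tag verifies; None means the cookie was altered or forged."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def count_likes(state: dict) -> int:
    """Number of entries set to true, i.e. what the site reads as the like count."""
    return sum(1 for liked in state.values() if liked)
```

A signature only proves the server issued the cookie; a count the server must rely on still belongs in server-side storage rather than in the client's hands.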