TJCTF2020 - Sarah Palin Fanpage

Posted on Tue. 02 June 2020 in CTF

Solves: 505

Points: 35

Written by jpes707

Are you a true fan of Alaska's most famous governor? Visit the Sarah Palin fanpage.

[Screenshot: sarahpalinfanpage_homepage.png]

[Screenshot: sarahpalinfanpage_blocked.png]

So, we need to collect all of the likes, but the website stops us at 4 and treats anything beyond that as spam. The page source doesn't help to bypass it. However, the likes must be stored somewhere, and the obvious place is a cookie.

We found one, named data, but its value looks encoded.

╰─ printf "eyIxIjpmYWxzZSwiMiI6ZmFsc2UsIjMiOmZhbHNlLCI0IjpmYWxzZSwiNSI6ZmFsc2UsIjYiOnRydWUsIjciOnRydWUsIjgiOnRydWUsIjkiOnRydWUsIjEwIjp0cnVlfQ==" | base64 -d
{"1":false,"2":false,"3":false,"4":false,"5":false,"6":true,"7":true,"8":true,"9":true,"10":true}

We can change every value from false to true, re-encode it and put it back in the browser:

╰─ printf '{"1":true,"2":true,"3":true,"4":true,"5":true,"6":true,"7":true,"8":true,"9":true,"10":true}' | base64
eyIxIjp0cnVlLCIyIjp0cnVlLCIzIjp0cnVlLCI0Ijp0cnVlLCI1Ijp0cnVlLCI2Ijp0cnVlLCI3Ijp0cnVlLCI4Ijp0cnVlLCI5Ijp0cnVlLCIxMCI6dHJ1ZX0=

[Screenshot: sarahpalinfanpage_flag.png]
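To show why this works and how the site could have prevented it, here is an added example (not code from the writeup or from the challenge): it reads the observed cookie the way the vulnerable site does, then shows that the same forged payload is rejected once the cookie carries an HMAC tag under a constructed server key (the real site's secret, if any, is not known).

```python
import base64
import hashlib
import hmac
import json

# The "data" cookie exactly as it was read from the challenge site (from the writeup).
OBSERVED_COOKIE = (
    "eyIxIjpmYWxzZSwiMiI6ZmFsc2UsIjMiOmZhbHNlLCI0IjpmYWxzZSwiNSI6ZmFsc2UsIjYiOnRy"
    "dWUsIjciOnRydWUsIjgiOnRydWUsIjkiOnRydWUsIjEwIjp0cnVlfQ=="
)
# Hypothetical server-side secret; constructed for this example only.
SECRET_KEY = b"constructed-example-key"


def decode_unsigned(cookie: str) -> dict:
    """The vulnerable pattern: base64 is encoding, not protection, so whatever
    the client sends back is trusted as the like state."""
    return json.loads(base64.b64decode(cookie))


def encode_unsigned(likes: dict) -> str:
    """Re-encode the way the site does (compact JSON, standard base64)."""
    return base64.b64encode(json.dumps(likes, separators=(",", ":")).encode()).decode()


def _tag(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def encode_signed(likes: dict) -> str:
    """Hardened form: same payload plus an HMAC-SHA256 tag, sent as 'payload.tag'."""
    payload = encode_unsigned(likes)
    return f"{payload}.{_tag(payload)}"


def decode_signed(cookie: str):
    """Accept the like state only if the tag verifies; otherwise return None so the
    server starts from a fresh state instead of trusting the client's edit."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        return None
    return json.loads(base64.b64decode(payload))


def count_likes(likes: dict) -> int:
    return sum(1 for liked in likes.values() if liked)
```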