MetaCTF Challenges Notebook

Note: This is a continuously evolving page containing all challenges I've solved in the MetaCTF practice environment. I've arranged them in alphabetical order for your convenience. I also personally suggest you try your hand at each challenge before taking a look at my methodology. You might be surprised at your own abilities 😉.

Anonymoose

Category: Forensics

Attack

Well, to be fair, this wasn't much of an attack. You are given a PDF file and asked to find the flag, which is the name of the artist. The easiest way is to open the PDF in your browser and open its document properties: the flag is in the Author field.

Alternatively, you can download and use exiftool, the tool more commonly used in forensics to pull this kind of metadata, to get the flag.

Defence

This was a case of OPSEC failure. OPSEC (Operational Security) is the practice by which an organisation or individual carries out day-to-day activities in a way that stops adversaries from gathering actionable intelligence about them.

For example, certain companies don't like employees posting pictures with their ID cards on social media. Why? The picture could inadvertently be used by attackers in a social engineering attack on other employees. Worse still, a cybercriminal could simply make a fake ID card to bypass security at the physical building.

Our artist friend here requires anonymity, but his open letter could've kicked that out the window. To avoid this (or similar situations), double-check file metadata before sending a document out.
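As an added example (not part of the original write-up, and not the challenge file), here is the kind of pre-send check the advice above calls for: a small Python script that pulls the identifying fields out of a PDF's Info dictionary and blanks them without changing the file length. The sample PDF, the name "real_name_here" and the producer string are constructed placeholders.

```python
import re

# Constructed sample: a minimal, uncompressed PDF whose Info dictionary
# carries the kind of identifying fields a word processor fills in by default.
# "real_name_here" stands in for the artist's name; nothing here is from the challenge file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Open letter) /Author (real_name_here) /Creator (Writer) /Producer (SomeOffice 1.0) /CreationDate (D:20240101120000Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Info-dictionary keys that can tie a document back to a person or a machine
IDENTIFYING_KEYS = ("Title", "Subject", "Author", "Keywords",
                    "Creator", "Producer", "CreationDate", "ModDate")


def _info_dict_span(pdf: bytes):
    """Locate the Info dictionary via the trailer; returns (start, end) byte offsets or None."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)
    if ref is None:
        return None
    obj_pat = rb"(?m)^" + ref.group(1) + rb"\s+\d+\s+obj\s*<<(.*?)>>\s*endobj"
    obj = re.search(obj_pat, pdf, re.S)
    return obj.span(1) if obj else None


def _field_pattern(key: str) -> bytes:
    # matches e.g. b"/Author (real_name_here)" and captures the string body
    return rb"/" + key.encode() + rb"\s*\(([^)]*)\)"


def pdf_metadata(pdf: bytes) -> dict:
    """Return the non-empty identifying fields found in the Info dictionary."""
    span = _info_dict_span(pdf)
    if span is None:
        return {}
    info = pdf[span[0]:span[1]]
    found = {}
    for key in IDENTIFYING_KEYS:
        m = re.search(_field_pattern(key), info)
        if m:
            value = m.group(1).decode("latin-1").strip()
            if value:
                found[key] = value
    return found


def scrub_metadata(pdf: bytes) -> bytes:
    """Blank every identifying field in place, keeping the file length unchanged."""
    span = _info_dict_span(pdf)
    if span is None:
        return pdf
    start, end = span
    info = bytearray(pdf[start:end])
    for key in IDENTIFYING_KEYS:
        for m in re.finditer(_field_pattern(key), bytes(info)):
            s, e = m.span(1)
            # overwrite with spaces of equal length so the xref byte offsets stay valid
            info[s:e] = b" " * (e - s)
    return pdf[:start] + bytes(info) + pdf[end:]


if __name__ == "__main__":
    print("before:", pdf_metadata(SAMPLE_PDF))
    cleaned = scrub_metadata(SAMPLE_PDF)
    print("after: ", pdf_metadata(cleaned))
```

This only understands the classic, uncompressed Info dictionary. Documents that store metadata in an XMP stream or inside compressed object streams need exiftool or a full PDF library, which is exactly why exiftool is the tool of choice; the script is a demonstration of where the Author field lives and why overwriting in place (same length) is safer than deleting bytes.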

Cracking The Javashop

Category: Web Exploitation

Attack

A login page that uses a 4-digit code has been supplied and you are to 'guess' the code. Trying over 500 possible combinations by hand is out of the question. View the page source and you should find the gold doubloons you seek.

Defence

This was a case of a client-side credential leak: the passcode was right there in the HTML! In this particular case, you want to avoid hardcoded credentials in your codebase. You can use something like Snyk to scan for and flag hardcoded secrets before deployment.

Disclaimer: I'm not affiliated with Snyk in any way. I just think it's a cool product.
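To show what "scan for hardcoded secrets before deployment" looks like in practice, here is an added example (my own, not the challenge's page and not how Snyk works internally) of a small Python scanner run over a constructed shop login page. The page, the code "4242", the "/vault.html" path and the API key string are all placeholders made up for the example; the three regex rules are deliberately simple heuristics.

```python
import re

# Constructed sample of a shop login page, modelled on the challenge's mistake:
# the check runs in the browser and the 4-digit code ships inside the page.
# "4242", "/vault.html" and the API key are placeholders, not challenge values.
SAMPLE_HTML = """<html><body>
<form onsubmit="return checkCode()">
  <input id="code" maxlength="4"> <button>Enter</button>
</form>
<script>
  function checkCode() {
    var entered = document.getElementById("code").value;
    if (entered == "4242") { window.location = "/vault.html"; return false; }
    alert("wrong code");
    return false;
  }
  const API_KEY = "sk_live_EXAMPLE_placeholder";
</script>
</body></html>"""

# (rule name, pattern); each is a cheap heuristic, so expect to tune them per codebase
RULES = [
    # user input compared against a literal numeric code
    ("literal-code-compare", re.compile(r'==\s*["\'](\d{4,8})["\']')),
    # a password/pin/key/token assigned a literal string value
    ("credential-assign", re.compile(
        r'\b(pass(word|code)?|pin|secret|api[_-]?key|token)\b\s*[:=]\s*["\']([^"\']+)["\']', re.I)),
    # a redirect target that reveals a page the UI never links to
    ("hidden-path", re.compile(r'location(\.href)?\s*=\s*["\']([^"\']+)["\']')),
]


def scan(text: str):
    """Return (line number, rule name, matched text) for every hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((lineno, name, m.group(0).strip()))
    return findings


def deploy_gate(text: str) -> bool:
    """True when the page is clean; wire this into CI so any hit blocks the deploy."""
    return not scan(text)


if __name__ == "__main__":
    for lineno, name, snippet in scan(SAMPLE_HTML):
        print(f"line {lineno}: {name}: {snippet}")
    print("deploy allowed:", deploy_gate(SAMPLE_HTML))
```

Run against the sample it reports the literal code comparison and the hidden redirect on the same line, plus the API key assignment further down, and the gate returns False. Regex rules like these catch the obvious cases only; the real fix is to never put the secret in shipped frontend code in the first place.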

Direct Login

Category: Web Exploitation

Attack

A login page is supplied and the goal is to get the flag by logging in. View the page source and you will find that authentication is carried out by a script on the client side (Yikes! 😳). Moreover, the script contains a direct reference to the page with the flag.

To get the flag, simply append that reference to the site URL and head there. It should look something like 'em.......php'. If you want to feel more like a 'hacker', use Burp Suite to repeat the request but remove the section that checks for incorrect credentials.

Defence

Client-side authentication is when the developer trusts users enough to hand them the padlock and the keys to the kingdom. What could go wrong?

Hint: Plenty.

Client-side authentication is insecure by design: it lets any curious user who can read code bypass it easily. The best way to avoid this is to ensure all authentication is done server-side. Additionally, avoid exposing hidden features (such as the flag page reference here) in frontend code.
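As an added example of "all authentication done server-side" (my own code, not the challenge's application or any framework's API), here is a minimal Python request handler in which the credential check, the session store and, crucially, the check on the protected page itself all live on the server. The user, password, salt and flag text are constructed placeholders; `handle` stands in for a web framework's router.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: a salted PBKDF2 hash per user, never the plaintext.
# The salt, user, password and flag text are placeholders, not values from the challenge.
_SALT = b"constructed-per-user-salt"
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, PBKDF2_ROUNDS)


USERS = {"artist": _hash_password("correct horse battery staple")}
# Hash of a random value, compared against when the username is unknown so that
# a missing user costs the same time as a wrong password.
_DUMMY_HASH = _hash_password(secrets.token_hex(16))
SESSIONS = {}  # session token -> username; lives on the server only
FLAG_PAGE = "flag{placeholder_served_only_after_server_side_check}"


def login(username: str, password: str):
    """Server-side credential check. Returns a fresh session token, or None."""
    candidate = _hash_password(password)
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, candidate) and username in USERS
    if not ok:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def handle(method: str, path: str, form=None, session=None):
    """Tiny router standing in for a web framework. Returns (status, body, new_session)."""
    form = form or {}
    if method == "POST" and path == "/login":
        token = login(form.get("user", ""), form.get("pass", ""))
        if token is None:
            return 401, "bad credentials", None
        return 302, "/flag", token  # a framework would set this as an HttpOnly cookie
    if method == "GET" and path == "/flag":
        # The protected page checks the session itself. Knowing the URL from the
        # page source (the challenge's mistake) is worth nothing here.
        if session is not None and session in SESSIONS:
            return 200, FLAG_PAGE, None
        return 403, "login required", None
    return 404, "not found", None


if __name__ == "__main__":
    print(handle("GET", "/flag"))  # 403: no session, the URL alone is not enough
    status, _, token = handle("POST", "/login",
                              {"user": "artist", "pass": "correct horse battery staple"})
    print(status, handle("GET", "/flag", session=token)[:2])  # 302, then 200 with the flag
```

The two things that close the Direct Login hole are that the comparison happens in `login`, which the browser cannot edit, and that `/flag` performs its own session check instead of trusting that the client only arrives there after passing a script. `hmac.compare_digest` and the dummy hash are there so that neither the password check nor the username lookup leaks through response timing.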