Damjan Cvetko

Developer, System Architect, Hacker.

Challenge: The elf developers looked at their mistakes and have decided to make a new login page for Santa. They’ve used some fancy new technologies, maybe that will save them. https://dancer.bsidesljubljana.si/

Oh boy, another web app. Let's look at the headers. It says:

X-Powered-By: Express

OK, I will not make the same mistake again, let's try some obvious options. Enter some garbage, post something empty, post without fields…

I was reading about exploits where unsanitized input could result in a Buffer object that has leftovers of stack data in it… But in the end it was much simpler. If the right combination was posted (the page is down now and I cannot check) you got back a page that read:

You have to dig deeper!

If you looked at the HTML source, there was the flag in a hidden <p> tag.

Flag: xmas{rUnn1nG0uT0fChr1stm4Ss0ngz}

What did I learn: It’s not about hardcore exploits!
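
The Buffer issue mentioned above, shown as an added example (not part of the original post and not the challenge's code): in older Node.js releases `new Buffer(value)` with a number returned that many bytes of uninitialised memory, so a JSON field arriving as a number instead of a string could echo old memory contents. All function names and request bodies here are assumptions; `Buffer.allocUnsafe` stands in for the old constructor so the effect is visible on current Node.

```javascript
// Constructed example: a JSON field of the wrong type reaching a Buffer API,
// next to the type-checked version that rejects it.

// Mirrors the legacy `new Buffer(value)` semantics: a number means
// "allocate this many bytes" and the memory is NOT zero-filled.
function encodeUnsafe(value) {
  if (typeof value === 'number') {
    return Buffer.allocUnsafe(value); // may contain leftovers of earlier data
  }
  return Buffer.from(value);
}

// Hardened form: accept strings only, then use the explicit string API.
function encodeSafe(value) {
  if (typeof value !== 'string') {
    throw new TypeError('password must be a string');
  }
  return Buffer.from(value, 'utf8');
}

// Hypothetical handler: parses a JSON body and echoes the encoded password
// as hex, the way a debug or error page might.
function handleLogin(body, encode) {
  try {
    const parsed = JSON.parse(body);
    return { status: 200, echoed: encode(parsed.password).toString('hex') };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}

// Constructed request bodies: the expected string and a number in its place.
const normalBody = '{"user":"santa","password":"abc"}';
const numericBody = '{"user":"santa","password":64}';

console.log(handleLogin(normalBody, encodeSafe));    // echoes 616263
console.log(handleLogin(numericBody, encodeUnsafe)); // 64 bytes the client never sent
console.log(handleLogin(numericBody, encodeSafe));   // rejected with status 400
```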
