MQCyberSec

MQCyberSec Logo

MQCyberSec
Back to Writeups

Layment Portal

by sealldev
đźš© CTFs SecEdu CTF 2024 misc
Layment Portal / SecEdu CTF 2024
Layment Portal

Description

There is something else they want to quickly test -- a portal where the employees enter their hours. They're worried that Layton may have also tricked the system somehow, and recieved more pay than they had wanted to give out. Automation for this company is a bane..

nc chals.secedu.site 5005
Hint: Who might have access to this employee portal?

Original Writeup on seall.dev

When connecting to the instance, we are given this:

$ nc chals.secedu.site 5005
New session started
LOGIN >

Thinking of some usernames from earlier, I think of Layton! We try:

layton
Layton
laypay
lpayden
laytonpayden
layton_payden
LaytonPayden
LPayden

But, its LAYTON that opens the puzzle, great…

$ nc chals.secedu.site 5005
New session started
LOGIN > LAYTON
Welcome. You may "add" hours to your worksheet here

We can add hours, ok!

> add
You have added an hour. You are now on 4 hours.

If we keep entering add we hit the following: Too many hours entered (35 is the max). Resetting to zero.

OK, let’s open two instances and try to exploit a potential race-condition, we work it up to 35 and then enter two add’s:

> add
You have added an hour. You are now on 37 hours.
SECEDU{st0l3n_funds_h3r3}

Flag: SECEDU{st0l3n_funds_h3r3}

Related Writeups

RWX Bronze

We give you file read, file write and code execution. But can you get the flag? Let's start out gently. NOTE: If you ge ...

RWX Silver

We give you file read, file write and code execution. But can you get the flag? Apparently that was too much!

Mafia at the End of the Block 1

You're an agent, your unit recently intercepted a mob discussion about an event that's going to take place on August 8, ...

Share this writeup

Contribute

Found an issue or want to improve this writeup?

Edit on GitHub