The server expects two values (one and two) passed in as a JSON array.

It appends a secret to the start of both of these and runs them through a custom hashing function.

If the result is equal, we get the flag. However, our input is compared with the === operator, and if they match our input is rejected.

As this is a web challenge, not a crypto one, I realized the target was not the hashing function.

After some playing around, I found that ['a'] === ['a'] returns false, likely because the arrays are two different objects in memory.

We send to the server:

and the flag is returned.

ractf{Y0u_R_ab0uT_2_h4Ck_t1Me__4re_u_sur3?}

If we log in with the credentials from Entrypoint, we can see a list of users.

One of these is called "loginToGetFlag", so we'll try to log into this one.

We get a SQL error if we put a ' so we can try SQL Injection payloads.

We can use the payload:

loginToGetFlag' --

to log into this user - and we get the flag.

Flag: ractf{injectingSQLLikeNobody'sBusiness}

We can see in HTML comments of the web page:

<!-- In case I forget: Backup password is at ./backup.txt -->

However we get a 403 Forbidden if we try to access this file with /backup.txt

We can see that the CSS file is included with href="/static?f=index.css"

So if we go to /static?f=backup.txt, we get the credentials for the develop user.

Flag: ractf{developerBackupCode4321}

We are presented with a login page. As this was a low-rated challenge, I began by testing basic SQLi.

Entering ' or 1=1; -- - in the username field returned the message 'You are trying to login as multiple users'.

From this, I determined that the injection was sucessful, but as this query returned multiple users the web app was rejecting it.

I simply edited the payload to be ' or 1=1 limit 1; -- -, and I got access

ractf{Y0u_B3tt3r_N0t_h4v3_us3d_sqlm4p}

Earlier on, I noticed the path /__adminPortal in an undefined response header.

Now with admin access, I decided to visit it.

It gave us some nice ASCII art, but in a hidden <p> there was some Zalgo'd text.

Using a Zalgo Remover , I retrieved the original text: Lorem Ipsum, but hidden inside:

ractf{h1dd3n1npl4n3s1ght}

This is the same principle as Baiting. This time we need to log into the admin user.

From the list of users we found with the devloper credentials, jimmyTehAdmin is the account we need to log in to.

We can use a similar payload to before (this challenge is more resitant to SQLMap)

' OR username='jimmyTehAdmin' --

Flag: ractf{!!!4dm1n4buse!!!}

/robots.txt points to /admin-stash

ractf{1m_n0t_4_r0b0T}

We are given the name of the source code file app.py, and we need to find a way to read it.

We already have access to the admin section of the site from the previous challenge.

We are given links to three available videos that we can watch.

These all follow the format /watch/XXXX.mp4.

We are told the name of the file we need to read is called app.py

So we can try /watch/app.py.

In the source code of the page, we can see:

data:video/mp4;base64,ractf{qu3ry5tr1ng_m4n1pul4ti0n}

Flag: ractf{qu3ry5tr1ng_m4n1pul4ti0n}

The next stage of the Quarantine series.

I noticed that our session cookie was a JWT, signed with HS256.

A vulnerability exists where these tokens can have their signing algorithm set to 'none' and their signature removed, and the web app will accept and process it.

I used the highly useful jwt_tool to resign it, editing my 'privilege' value from '1' to '10'.

This allowed me access to the admin panel (more of a single page).

ractf{j4va5cr1pt_w3b_t0ken}

Same concept as Entrypoint, but a different file.

We are told that it is running on a Python server,

so we can try to include common python web app filenames, such as app.py and main.py.

If we use the same method as Entrypoint and go to /static?f=main.py, and we get the flag.

Flag: ractf{d3velopersM4keM1stake5}