# HOMEWORK 3

## Challenge Cookies

I wrote a small search script that requests the page **http://mercury.picoctf.net:54219/check** with each candidate cookie value in turn, one by one, until the response contains a flag.

In [7]:
```python
import requests
import re

# Regular expression to find the picoCTF flag (raw string so "\S" and the braces are not misread)
flag_pattern = re.compile(r'picoCTF\{\S+\}')

# Loop to try different cookie values
for num in range(100):
    cookie_value = f'name={num}'
    custom_headers = {'Cookie': cookie_value}

    response = requests.get('http://mercury.picoctf.net:54219/check', headers=custom_headers, timeout=10)

    # Check whether the request succeeded
    if response.ok:
        # Try to find the flag in the body of the response
        flag_search = flag_pattern.search(response.text)
        if flag_search:
            print("Flag found:", flag_search.group())
            break
        else:
            print(f'Trial with cookie {num}: unsuccessful')
```

```text
Trial with cookie 0: unsuccessful
Trial with cookie 1: unsuccessful
Trial with cookie 2: unsuccessful
Trial with cookie 3: unsuccessful
Trial with cookie 4: unsuccessful
Trial with cookie 5: unsuccessful
Trial with cookie 6: unsuccessful
Trial with cookie 7: unsuccessful
Trial with cookie 8: unsuccessful
Trial with cookie 9: unsuccessful
Trial with cookie 10: unsuccessful
Trial with cookie 11: unsuccessful
Trial with cookie 12: unsuccessful
Trial with cookie 13: unsuccessful
Trial with cookie 14: unsuccessful
Trial with cookie 15: unsuccessful
Trial with cookie 16: unsuccessful
Trial with cookie 17: unsuccessful
Flag found: picoCTF{3v3ry1_l0v3s_c00k135_96cdadfd}
```


#### Alternative Solution
Using the Google Chrome extension "cookie-editor".

At http://mercury.picoctf.net:54219/ I checked the value of the cookie set by the page; for example, snickerdoodle had the value 0.

Then I tried different values one by one to reveal the flag.

Value 18 gave the flag picoCTF{3v3ry1_l0v3s_c00k135_96cdadfd}


**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge Scavenger Hunt

The page http://mercury.picoctf.net:5080/ reveals that HTML, CSS, and JS were used to create it, so let's check the source code of the page.

In the HTML file, the first part of the flag is revealed --> **picoCTF{t**
<img src="Images/ScavengerHunt1.jpg" alt="" width="600" height="400">


In the CSS file, the second part of the flag is revealed --> **h4ts_4_l0**
<img src="Images/ScavengerHunt2.jpg" alt="" width="600" height="400">

In the JS file, a clue is revealed saying **How can I keep Google from indexing my website?**
<img src="Images/ScavengerHunt3.jpg" alt="" width="600" height="400">


The clue suggests checking the robots.txt file to understand how a website is managing the access of search engine crawlers like Google.

This can be revealed by replacing /myjs.js with /robots.txt in the URL.

It reveals the third part of the flag --> **t_0f_pl4c**

It also reveals a clue saying **# I think this is an apache server... can you Access the next flag?**

<img src="Images/ScavengerHunt4.jpg" alt="" width="600" height="400">


The clue suggests checking the .htaccess file, because on Apache servers this file configures access and security rules at the directory level.

This can be revealed by replacing /robots.txt with /.htaccess in the URL.

It reveals the fourth part of the flag --> **3s_2_lO0k**

It also reveals another clue saying **# # I love making websites on my Mac, I can Store a lot of information there.**

<img src="Images/ScavengerHunt5.jpg" alt="" width="600" height="400">


The clue suggests checking .DS_Store files, which macOS creates to store folder display settings and information about a folder's contents.

This can be revealed by replacing /.htaccess with /.DS_Store in the URL.

It reveals the fifth and final part of the flag --> **_35844447}**

<img src="Images/ScavengerHunt6.jpg" alt="" width="600" height="400">


Complete Flag --> **picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_35844447}**

**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge findme

From the "login" page:

http://saturn.picoctf.net:55455/login

We log in as instructed and are redirected to the "home" page:

http://saturn.picoctf.net:55455/home

Here we receive a clue about redirection, which matches the challenge hint about redirection.

We proceed to open the web inspector and navigate to the network section to observe the redirection from logging in on the "login" page to the "home" page.

We notice that the transition from "login" to "home" also involves redirection through two additional pages:

http://saturn.picoctf.net:55455/next-page/id=cGljb0NURntwcm94aWVzX2Fs

http://saturn.picoctf.net:55455/next-page/id=bF90aGVfd2F5X2RmNDRjOTRjfQ==

<img src="Images/findme0.jpg" alt="" width="600" height="400">

Analyzing the two redirection pages more closely:

Page 1:
<img src="Images/findme1.jpg" alt="" width="600" height="400">

Page 2:
<img src="Images/findme2.jpg" alt="" width="600" height="400">

Notice that each page has an ID.

These IDs appear to be in Base64 format because one of them ends in '==', which is a characteristic that caught my attention. 

I proceed to decode the IDs and obtain the flag.

In [6]:
```python
import base64

def decodificar_base64(id_base64):
    # Decode a Base64 string and return it as UTF-8 text
    id_decodificado = base64.b64decode(id_base64).decode('utf-8')
    return id_decodificado

id1 = "cGljb0NURntwcm94aWVzX2Fs"
id2 = "bF90aGVfd2F5X2RmNDRjOTRjfQ=="

id1_decodificado = decodificar_base64(id1)
id2_decodificado = decodificar_base64(id2)

print("Complete Flag --> " + id1_decodificado + id2_decodificado)
```

```text
Complete Flag --> picoCTF{proxies_all_the_way_df44c94c}
```


**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge Inspect HTML

This challenge was a giveaway.

As the hint and its name suggest, one should open the web inspector or view the HTML source code of the page.

And there it is, the flag is in a comment.

<img src="Images/inspectHtml0.jpg" alt="" width="600" height="400">

Complete Flag --> **picoCTF{1n5p3t0r_0f_h7ml_1fd8425b}**

**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge It is my Birthday

To solve the exercise, I used the examples "poeMD5 A" and "poeMD5 B" found in the PDF collisions section on the GitHub page corkami/collisions. 

https://github.com/corkami/collisions#pdf


These were two distinct PDF documents that shared the same MD5 hash due to a precalculated MD5 hash collision. 

This meant I didn't need to make any further modifications to the files to fit the challenge.

Once I downloaded these files, I simply uploaded them to the website provided in the challenge. 

<img src="Images/itsmybirthday1.jpg" alt="" width="600" height="400">

Since both files met the key condition of having the same MD5 hash while being different, I was confident they would satisfy the challenge requirements. 

Upon their successful upload, I was able to complete the challenge and retrieve the solution.

<img src="Images/itsmybirthday2.jpg" alt="" width="600" height="400">

Complete Flag --> **picoCTF{c0ngr4ts_u_r_1nv1t3d_5c8c5ce2}**

**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge Local Authority

The challenge recommends checking how the password verification is done.

To do this, we inspect the page.

We notice there is a PHP file.

<img src="Images/localAuthority1.jpg" alt="" width="600" height="400">

So, when we log in with random credentials:

<img src="Images/localAuthority2.jpg" alt="" width="600" height="400">

It redirects us to the PHP file and shows an error message.

<img src="Images/localAuthority3.jpg" alt="" width="600" height="400">

We can inspect this page for more information on how the password check works.

However, there is also a secure.js file which reveals the correct username and password.

<img src="Images/localAuthority4.jpg" alt="" width="600" height="400">

Returning to the main portal to log in with the correct username and password, it redirects us to the flag.

<img src="Images/localAuthority5.jpg" alt="" width="600" height="400">


Completed flag --> **picoCTF{j5_15_7r4n5p4r3n7_b0c2c9cb}**

**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge login

I began by inspecting the source code of the page, where I noticed the index.js file, which would provide more information about the login.

<img src="Images/login1.jpg" alt="" width="600" height="400">

Inside the index.js, there is a JavaScript function: 

<img src="Images/login2.jpg" alt="" width="600" height="400">

```javascript
(async () => {
    await new Promise((e => window.addEventListener("load", e))), document.querySelector("form").addEventListener("submit", (e => {
        e.preventDefault();
        const r = {
                u: "input[name=username]",
                p: "input[name=password]"
            },
            t = {};
        for (const e in r) t[e] = btoa(document.querySelector(r[e]).value).replace(/=/g, "");
        return "YWRtaW4" !== t.u ? alert("Incorrect Username") : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== t.p ? alert("Incorrect Password") : void alert(`Correct Password! Your flag is ${atob(t.p)}.`)
    }))
})();
```

This function acts as an event handler for a web form. It prevents the default behavior when the form is submitted, captures and encodes the username and password values in base-64 using btoa(), and compares them with predefined values. If they don't match, it displays alerts. If they match, it decodes the password and displays the flag. 

Having access to this function allowed me to identify which values I needed to decode from base-64 to obtain the flag, as the encoded values were explicitly present in the code.

In [20]:
```python
import base64

def decodificar_base64(id_base64):
    # Restore the '=' padding the page stripped, so the length is a multiple of 4
    while len(id_base64) % 4 != 0:
        id_base64 += "="
    id_decodificado = base64.b64decode(id_base64).decode('utf-8')
    return id_decodificado

id1 = "YWRtaW4"
id2 = "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ"

id1_decodificado = decodificar_base64(id1)
id2_decodificado = decodificar_base64(id2)

print(id1_decodificado)
print(id2_decodificado)
```

```text
admin
picoCTF{53rv3r_53rv3r_53rv3r_53rv3r_53rv3r}
```
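As an added example, not taken from the challenge's index.js or the secure.js of Local Authority, this is the server-side check that should replace a client-side btoa() comparison: the password is stored only as a salted PBKDF2 digest on the server, so nothing shipped in the page's JavaScript reveals it. The user store, ITERATIONS value and demo credentials are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as server hardware allows

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). Unlike the btoa() values in
    index.js, the digest cannot be turned back into the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_store(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Server-side store: the page's JavaScript never sees these records."""
    return {user: hash_password(pw) for user, pw in creds.items()}

# Constructed record used for unknown usernames so every attempt does the same work
_DUMMY = hash_password("constructed-dummy-password")

def check_login(store: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Verify credentials on the server with a constant-time digest comparison."""
    salt, expected = store.get(username, _DUMMY)
    _, actual = hash_password(password, salt)
    matched = hmac.compare_digest(actual, expected)
    return matched and username in store

if __name__ == "__main__":
    # Constructed demo credentials; nothing from the challenges' real files
    store = make_user_store({"admin": "correct horse battery staple"})
    print(check_login(store, "admin", "correct horse battery staple"))  # True
    print(check_login(store, "admin", "YWRtaW4"))                        # False
    print(check_login(store, "root", "correct horse battery staple"))   # False
```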


**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge logon

I started by entering random values to sign in on the challenge page.

<img src="Images/logon1.jpg" alt="" width="600" height="400">

I was redirected to the /flag page which mentioned that I logged in but there was no flag for me.

<img src="Images/logon2.jpg" alt="" width="600" height="400">

I inspected this page to find out what was happening. After much searching, in the network section under the /flag page, I found that the page's cookie had admin set to false, which needed to be changed to true.

<img src="Images/logon3.jpg" alt="" width="600" height="400">

To do this, I went to the Application section of the developer tools, looked for the cookies section, selected the domain, and changed the admin value to true.

<img src="Images/logon4.jpg" alt="" width="600" height="400">

I reloaded the page, and there it was, I got the flag.

<img src="Images/logon5.jpg" alt="" width="600" height="400">


Completed flag --> **picoCTF{th3_c0nsp1r4cy_l1v3s_6edb3f5f}**
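As an added example that is not part of the original write-up, here is how a server can issue its session cookie so that neither weakness used in the Cookies and logon challenges is available: the guessable counter becomes a random id, and the editable admin field is covered by an HMAC the browser cannot recompute. The key, the field names and the edit_without_key helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real server loads its signing key from secret configuration
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def _tag(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def _decode_body(body: str) -> bytes:
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))

def sign_cookie(fields: dict) -> str:
    """Serialise the session fields and append an HMAC over them."""
    payload = json.dumps(fields, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return body + "." + _tag(payload)

def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the fields if the tag is valid; None for a malformed or edited cookie."""
    try:
        body, tag = cookie.rsplit(".", 1)
        payload = _decode_body(body)
        valid = hmac.compare_digest(_tag(payload), tag)
    except (ValueError, TypeError):  # corrupt base64 body or non-ASCII tag
        return None
    return json.loads(payload) if valid else None

def issue_session(username: str) -> str:
    """The session id is random, so it cannot be walked 0, 1, 2, ... as in Cookies."""
    return sign_cookie({"sid": secrets.token_hex(16), "user": username, "admin": False})

def edit_without_key(cookie: str, **changes) -> str:
    """Simulate the cookie-editor change from logon: rewrite a field in the body
    but keep the old tag, because the browser never holds SERVER_KEY."""
    body, tag = cookie.rsplit(".", 1)
    fields = json.loads(_decode_body(body))
    fields.update(changes)
    payload = json.dumps(fields, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + tag

if __name__ == "__main__":
    c = issue_session("guest")
    print(verify_cookie(c))                                # fields with admin False
    print(verify_cookie(edit_without_key(c, admin=True)))  # None: tampering detected
```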

**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge Search source

After spending a lot of time looking for clues or anything, I realized that there is too much code to go through.

I decided to mirror the website on my local machine so I could use more powerful tools for searching.


From my terminal, I execute the command **wget -r http://saturn.picoctf.net:59405/** to download all the files of the webpage onto my local machine.

<img src="Images/searchSource1.jpg" alt="" width="600" height="400">

Then, in the terminal, I navigate to the folder containing the downloaded webpage files and search for the flag with the command **findstr /s /i "pico" \***, which searches for the string "pico" in all files in the folder and its subfolders.

The flag was found, and the output also tells us in which file it was hidden.

<img src="Images/searchSource2.jpg" alt="" width="600" height="400">

Completed flag --> **picoCTF{1nsp3ti0n_0f_w3bpag3s_8de925a7}**
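The three source-inspection challenges above (Scavenger Hunt, Inspect HTML and Search source) all come down to files and comments that should never have reached the web root. As an added example, not from the write-up, this script runs the same kind of search as the findstr command over a local copy, but as a pre-deployment audit: it flags .htaccess/.DS_Store style files and secret-looking strings inside HTML, CSS and JS comments. The SENSITIVE_NAMES set, the patterns and the sample site it builds are constructed.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Files that must not be deployed under a web root; each leaked a piece of the Scavenger Hunt flag
SENSITIVE_NAMES = {".htaccess", ".DS_Store", ".git", ".env"}
# Comment syntax per file type; anything left in a comment is served verbatim to every visitor
COMMENT_PATTERNS = {
    ".html": [re.compile(r"<!--(.*?)-->", re.S)],
    ".css": [re.compile(r"/\*(.*?)\*/", re.S)],
    ".js": [re.compile(r"/\*(.*?)\*/", re.S), re.compile(r"(?<![:\w])//(.*)")],
}
# Flag-shaped strings plus common credential keywords (generalises the findstr "pico" search)
SECRET_RE = re.compile(r"picoCTF\{[^}]*\}|(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S+", re.I)

def audit_web_root(root: str) -> List[Tuple[str, str, str]]:
    """Return (relative path, finding type, detail) for every issue found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in SENSITIVE_NAMES:
                findings.append((os.path.relpath(os.path.join(dirpath, name), root), "sensitive-file", name))
        for name in filenames:
            patterns = COMMENT_PATTERNS.get(os.path.splitext(name)[1].lower(), [])
            if not patterns:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for pat in patterns:
                for comment in pat.finditer(text):
                    for hit in SECRET_RE.findall(comment.group(1)):
                        findings.append((os.path.relpath(path, root), "secret-in-comment", hit))
    return sorted(findings)

def build_sample_site() -> str:
    """Constructed web root reproducing the kinds of leaks seen in the three challenges."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html><!-- TODO remove: picoCTF{constructed_example_0001} --><body>hi</body></html>",
        "style.css": "body { color: red; } /* admin password = hunter2 */",
        "myjs.js": "const u = 'http://example.test/'; // api_key=constructed-key-123\nfunction f() {}",
        "clean.js": "// nothing to see here\nconsole.log(1);",
        ".htaccess": "Options -Indexes",
        ".DS_Store": "",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Calling audit_web_root(build_sample_site()) reports the two sensitive files and the three comment leaks, and nothing for clean.js.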

**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**

## Challenge where are the robots

As the name of the challenge and the message on the page suggest, the question is "where are the robots".

<img src="Images/whererobots0.jpg" alt="" width="300" height="200">

The clue suggests checking the robots.txt file; to do so, we append /robots.txt to the URL.

<img src="Images/whererobots1.jpg" alt="" width="600" height="400">

Here we see which part of the website the creator doesn't want us to look at.

This can be revealed by replacing /robots.txt with /8028f.html in the URL.

<img src="Images/whererobots2.jpg" alt="" width="600" height="400">

This confirms that we found the robots and reveals the flag.

Completed flag --> **picoCTF{ca1cu1at1ng_Mach1n3s_8028f}**

**------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------**