The question was as follows:
Normal, regular cats are so 2000 and late, I decided to buy this allegedly smart tomcat robot. Now the damn thing has attacked me and flew away. I can't even seem to track it down on the broken search interface... Can you help me?
Search interface
First, in the page source, the latitude (X) and longitude (Y) parameters are posted as follows:
    ...
    var cat_coords = 'http://localhost:8080/index.jsp?x=' + parseFloat($('#xcoord').val()) + '&y=' + parseFloat($('#ycoord').val());
    var $form = $(this);
    var $inputs = $form.find('input, select, button, textarea');
    $inputs.prop('disabled', true);
    request = $.ajax({
        url: '/index.php',
        type: 'post',
        success: function(data) {
            markers.clearMarkers();
            while (map.popups.length) { map.removePopup(map.popups[0]); }
            var y = parseFloat($('#ycoord').val());
            var x = parseFloat($('#xcoord').val());
            if (isNaN(y) || isNaN(x)) { y = 15.2833; x = -4.2667; }
            lonlat = new OpenLayers.LonLat(y, x).transform(new OpenLayers.Projection("EPSG:4326"), map.getProjectionObject());
            center_marker = new OpenLayers.Marker(lonlat);
            markers.addMarker(center_marker);
            popup = new OpenLayers.Popup.FramedCloud("popup",
                lonlat,
                null,
                data, null,
                true);
            map.addPopup(popup);
            map.setCenter(lonlat, zoom);
        },
        data: {
            u: cat_coords
        }
    ...
Next, I sent the request to Repeater and got the following response.
In the parameter, the X and Y values are sent with a GET request to the local server on port 8080.
When I tried to send a request without parameters, I got the following response.
I can only send requests to the local server with X and Y included.
Then I looked for web content on the local server and found something interesting.
Whoa! The smart 'tomcat' is actually an Apache Tomcat server (the Apache Tomcat logo is also shown on the index page).
I wrote a small Python and Bash fuzzing script to discover web content in Apache Tomcat using Tomcat dorks.
I then found that the '/manager/html' directory exists but needs authentication.
For HTTP basic authentication, I tried some default user:pass combinations used for the Apache Tomcat manager page and voilà, the flag was given in the response.
Flag: INS{th1s_is_re4l_w0rld_pent3st}
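From the defender's side, the weakness above is that /index.php fetches a URL the browser supplies in `u`. The following added example (not part of the original write-up or the challenge's code) shows a strict server-side check in Node.js that only lets through the one request the page is meant to make and rebuilds it from validated parts. The function name `validateCatUrl`, the coordinate format and the sample URLs are assumptions made for illustration.

```javascript
// Added example: strict validation of the client-supplied `u` value.
// Assumption: the only legitimate target is
//   http://localhost:8080/index.jsp?x=<float>&y=<float>
const ALLOWED = { protocol: 'http:', hostname: 'localhost', port: '8080', pathname: '/index.jsp' };
const COORD_RE = /^-?\d{1,3}(\.\d{1,10})?$/; // assumed coordinate format

function validateCatUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }

  // Credentials embedded in the URL would be forwarded as HTTP basic auth.
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };

  // Compare parsed components, not substrings: the parser has already
  // normalised dot segments such as /index.jsp/../manager/html.
  for (const key of Object.keys(ALLOWED)) {
    if (url[key] !== ALLOWED[key]) return { ok: false, reason: `bad ${key}` };
  }

  // Exactly one x and one y, nothing else.
  const keys = [...url.searchParams.keys()].sort().join(',');
  if (keys !== 'x,y') return { ok: false, reason: 'unexpected parameters' };

  const x = url.searchParams.get('x');
  const y = url.searchParams.get('y');
  if (!COORD_RE.test(x) || !COORD_RE.test(y)) return { ok: false, reason: 'bad coordinates' };

  // Rebuild the backend URL from validated parts; never forward `raw`.
  return { ok: true, url: `http://localhost:8080/index.jsp?x=${x}&y=${y}` };
}

// Constructed sample inputs (not captured traffic).
const SAMPLES = [
  'http://localhost:8080/index.jsp?x=-4.2667&y=15.2833',
  'http://localhost:8080/manager/html',
  'http://localhost:8080/index.jsp/../manager/html?x=1&y=2',
  'http://user:pass@localhost:8080/index.jsp?x=1&y=2',
  'http://localhost:8080/index.jsp?x=NaN&y=NaN',
];
for (const s of SAMPLES) console.log(s, '->', JSON.stringify(validateCatUrl(s)));
```

A simpler design is to accept only `x` and `y` from the client and build the backend URL entirely on the server. Independently of this check, the Tomcat manager application should not be reachable with default credentials.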