Tuesday, April 30, 2013

BSides Chicago CTF: Not The Secret Portal

Web Challenge: Not The Secret Portal

This is a write up of the "Not The Secret Portal" web challenge rated as easy difficulty. We're presented with the following description:

I really enjoy working for a top secret government agency. There are so many different secrets. For example, did you know that there is a hidden office behind the vending machine? You just enter the code 1D107 and the door will open. At least that's what the guys down in research told me. I haven't gotten the code to work yet, but I think it's probably only active at certain times of the day. I probably shouldn't be telling you these secrets.

Anyway, we found an active page that looks like a rogue agent portal. But it clearly says it's not so we aren't sure what to do with it. We believe it may have been hosted at nottherogueagent.net. Take a look at it and see if it's anything important.

You can view the page here.

Good luck!

Pretty Pictures!

Browse to the page linked in the description.

View the source code.

Browse to addenum.php

We're hoping to find a hidden parameter in one of these requests that we can use for injection.

Didn't expect to find anything here. Moving onto the rogue agent's portal.

No hidden parameters here.

Same response as before.

"We believe it may have been hosted at nottherogueagent.net"

Change the Referer to http://nottherogueagent.net.

Facepalm :(
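The whole challenge turned on a server that trusted the Referer header, which is set by the client and so proves nothing about where a request came from. The following is an added example, not the CTF's code or the author's: a hypothetical access check in Python that contrasts a Referer gate with a gate tied to a server-issued session. The trusted domain comes from the challenge text; the credential store, session store and request headers are constructed here for the demonstration.

```python
"""Added example: a Referer gate beside a session gate.

Nothing here is the challenge's own code. It models the check the write-up
bypassed and the server-side alternative that a forged header cannot satisfy.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse
import secrets

TRUSTED_ORIGIN = "nottherogueagent.net"  # domain named in the challenge text


def referer_gate(headers):
    """Weak gate: grants access when the Referer host matches the trusted origin.

    The Referer is chosen by the client, so any requester can supply it.
    """
    referer = headers.get("Referer", "")
    return urlparse(referer).hostname == TRUSTED_ORIGIN


# Hardened gate: access is tied to a session the server itself issued after
# checking credentials. The store is in-memory (constructed for the example);
# a real deployment would persist it or use signed tokens.
_sessions = {}


def login(agent_id, password, credentials):
    """Issue a session id only when the credentials match; otherwise None."""
    expected = credentials.get(agent_id, "")
    if not secrets.compare_digest(expected, password):
        return None
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = agent_id
    return sid


def session_gate(headers):
    """Grants access only if the Cookie carries a session id the server issued."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get("sid")
    return morsel is not None and morsel.value in _sessions


# Constructed request: a Referer naming the trusted origin but no session.
FORGED_REFERER_REQUEST = {
    "Host": "portal.example.test",
    "Referer": "http://nottherogueagent.net/",
}


def demo():
    """Run both gates against a forged-Referer request and a real session."""
    creds = {"agent7": "correct horse battery staple"}  # constructed store
    sid = login("agent7", "correct horse battery staple", creds)
    real_session_request = {"Host": "portal.example.test", "Cookie": f"sid={sid}"}
    return {
        "forged_referer_passes_weak": referer_gate(FORGED_REFERER_REQUEST),
        "forged_referer_passes_hardened": session_gate(FORGED_REFERER_REQUEST),
        "session_passes_hardened": session_gate(real_session_request),
        "bad_password_gets_session": login("agent7", "wrong", creds) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first two results are the lesson of the challenge: the same forged header that satisfies `referer_gate` does nothing against `session_gate`, because the second check consults state only the server can create. Referer is still useful as a weak signal for logging or CSRF heuristics, but never as the thing that decides access.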


  1. I am very glad that I found your blog. You share very useful and unusual information with us.

  2. We can view any page by introducing relatively simple codes. This will allow us to gain the access to the sensitive information and increase the chances of finding something important.

  3. Advertising is your main tool to have the business ready to go. Actually, everybody is busy in their company marketing over the World Wide Web. Unfortunately, online company is scammed with scammers. On occasion the provider hires you freelance, or occasionally it is a site designer which orders the copy google At an identical time, if you decide on the most suitable company having excellent reviews and reputation, you will enjoy well composed works. http://google.com/

  4. I'm really glad that you made this joke here. Ha-ha, very funny. But because of you, our hidden offices were revealed to the public. After your post about the access code on the vending machine, we got 749 intruders in all our offices, all over the country. If you do this again I will be forced to write a review of kingessays. And you know what that means, right?

  5. It's rather hard to comprehend, but with the help of your instruction, the process becomes much easier!

  6. Hello, I would like to subscribe to this webpage to obtain the latest updates, so where can I do that? Please help. aol mail sign in