BSides Canberra 2018 CTF Write-Up: Birdie Orange

This is a write-up of the Birdie Orange challenge from the BSides Canberra 2018 CTF. This challenge was worth 125 points.

Birdie is is designed to see the difference between peasants and gods. We’re now at Yellow.

If you can prove to each colour on the spectrum of birdie you’re a god, you’ll be rewarded.

https://orange.libctf.so/

For this challenge we needed to use Burp Suite, software which can intercept, modify and forward website requests between the client and server.

The website requested a username to create/login to an account. Each username also had a specific hash, which is checked by the browser in order to create/login to the account. Of all the usernames that you can create for your account, the ‘admin’ username contained the flag. The only problem is that the ‘admin’ username is shielded in the website’s input, to prevent unwanted people from accessing the flag. So, we used the Burp Suite repeater to bypass this and retrieve the flag.

In order to solve the challenge, you need to login using valid username — that is not ‘admin’. For example, ‘testusername’. Then, change the session_datacookie from:

‘%7B%22username%22%3A%22testusername%22%7D’

to

‘%7B%22username%22%3A%22admin%22%7D’

then delete the hash cookie and repeat it through the Burp Suite repeater to login…

…and retrieve the flag from the web page.

Thanks to the team from Elttam for another interesting challenge!