BSides Canberra 2018 CTF Write-Up: Birdie Red

This is a write-up of the Birdie Red challenge from the BSides Canberra 2018 CTF. This challenge was worth 75 points.

A little series for you to play — let’s start with red.

Birdie is designed to see the difference between peasants and gods.

If you can prove to each colour on the spectrum of birdie you’re a god, you’ll be rewarded.

When we clicked the link it came up with the page “Inebriated Alibis”. Clicking on the next link “Are you a peasant or a god?” it directed us to log in.

The goal is to log in as admin. To do this, we use two tools: Burp Suite, which is software that can intercept and modify website requests between the website server and client browser, and Foxy Proxy, which you can download on the Chrome Web Store. Go into the options for Foxy Proxy and add a new proxy called localhost 8080. Enable Foxy Proxy to use the localhost proxy for all web requests.

We then opened a temporary project in Burp Suite went to the Proxy tab to turn off the intercept. Then, we switched to the HTTP history tab, went back to the login page, and entered a random username. It successfully logged us in, but did not provide the flag…yet.

Once we were logged in, back in Burp Suite we checked the HTTP history for a row with the host and the title “Insatiable Birdie”.

We then clicked the row and in the Raw tab, at the bottom of the page, it came up with information about the page. Right-click that area and select the Send to Repeater option. Then go to the Repeater tab and look at the information about the page.

The important part is the cookie. You’ll see that the session_data cookie shows the username which was entered.

For this example, the user was logged in as username “hello”. Changing this to “admin” and then pressing the Go button (to replay the request) results in being logged in as admin. In the request section on the right click the Rendertab which shows the flag on the screen.

Thanks to Elttam for putting together this challenge.