
Yogosha Christmas Challenge 2021

Hello security enthusiasts, this Christmas I played the “Yogosha CTF 2021” challenge, as I got a mail from their team on 28th December and quickly signed up for it. Although I couldn’t complete all the challenges, I learned new things, i.e. the Hash Length Extension Attack, a PHP file_get_contents() LFI vuln, and PHP’s weird behaviours. The whole CTF was based on a Naruto theme.

First challenge: It was an easy OSINT challenge, which was about tracking down a user on Flickr where he posted an image. The metadata of the image contained the flag and the link for the next challenge. Let’s focus on that.

Second Challenge (Uchiha or Evil):

Challenge URL: http://3.141.159.106

Description: I heard something important is stored in /secret.txt

Let’s try to load the /secret.txt file on the webserver. But it is not found (404). Then I asked the Yogosha admin whether it is intended. The answer was: Yes, it is a file in the root directory and we have to get access to that *. After a little enumeration we can read the /robots.txt file. U...