picoCTF 2024 Web Exploitation
picoCTF 2024 Web Exploitation writeups covering web vulnerabilities and injection attacks.
picoCTFCTFWeb Exploitation

picoCTF 2024 - Web Exploitation

Web Exploitation Challenges
Solved: 6/7 challenges
- Bookmarklet - 50 points
- WebDecode - 50 points
- IntroToBurp - 100 points
- Unminify - 100 points
- No Sql Injection - 200 points
- Trickster - 300 points
Bookmarklet
Tags: `Web Exploitation` `obfuscation` `browser_webshell_solvable` `browser`
Description
Why search for the flag when I can make a bookmarklet to print it for me?


Flag

IntroToBurp
Tags: `Web Exploitation`
Description
Try here to find the flag


Flag

No Sql Injection
Tags: `Web Exploitation` `browser_webshell_solvable`
Description
Can you try to get access to this website to get the flag? You can download the source here. The website is running here. Can you log in?

Found that it uses MongoDB

Flag
email: {"$gt": ""} password: {"$gt": ""}
#Thanks https://book.hacktricks.xyz/pentesting-web/nosql-injection#mongodb-payloads

Trickster
Tags: `Web Exploitation` `browser_webshell_solvable`
Description
I found a web app that can help process images: PNG images only!

dirsearch -u URL


robots.txt

curl -I URL

PHP!

Flag

Unminify
Tags: `Web Exploitation` `obfuscation` `browser_webshell_solvable` `minification`
Description
I don't like scrolling down to read the code of my website, so I've squished it. As a bonus, my pages load faster! Browse here, and find the flag!

Flag

WebDecode
Tags: `Web Exploitation` `browser_webshell_solvable`
Description
Do you know how to use the web inspector?



Flag
