CSAW Quals 2016 – wtf.sh (1)

wtf.sh was a forum-like webapp, supposedly written in bash. Users could register accounts, log in, create posts, and reply to posts. There were two challenges involving wtf.sh: wtf.sh(1), worth 150 points, and wtf.sh(2), worth 400 points. I started taking a look at wtf.sh late Saturday night. The challenge info for wtf.sh tells you that your…


CSAW Quals 2016 – mfw

mfw was a website where you could click between 3 pages: Home, About, Contact. The requested page is loaded through GET in the "page" variable, as can be seen here: The about page mentions that Git was used. Some Googling leads to this article which explains how leaving the .git exposed can allow people to download the site's source code. We…