Black Hat MEA 2022 - Qualifier - Jimmy's Blog

Challenge Description Difficulty : Hard Points : 400 Category : Web Source Code File and directory structure of given source code. index.js const express = require("express"); const cookieParser = require("cookie-parser"); const sessions = require('express-session'); const body_parser = require("body-parser"); const multer = require('multer') const crypto = require("crypto") const path = require("path"); const fs = require("fs"); const utils = require("./utils"); const app = express(); app.set('view engine', 'ejs'); app....

October 4, 2022 · 8 min · Rizal

Black Hat MEA 2022 - Qualifier - Meme Generator

Challenge Description Difficulty : Medium Points : 250 Category : Web Walkthrough The Meme Generator website allows you to generate a meme by searching for a term on any one of the 3 search engines below: Google, DuckDuckGo, Search Encrypt. When searching on any of the search engines, the search URL would look like this. # Google https://google.com/?q=<MEME_SEARCH_TERM> # DuckDuckGo https://DuckDuckGo.com/?q=<MEME_SEARCH_TERM> # Search Encrypt https://searchencrypt.com/?q=<MEME_SEARCH_TERM> # General Format https://<SEARCH_ENGINE>....

October 4, 2022 · 3 min · Rizal

Black Hat MEA 2022 - Qualifier - peeHpee

Challenge Description Difficulty : Easy Points : 150 Category : Web Walkthrough The page source had a comment with details of an endpoint which reveals the PHP source code. Accessing the /?source= endpoint shows the following source code. <?php //Show Page code source if (isset($_GET["source"])) { highlight_file(__FILE__); } // Juicy PHP Part $flag = getenv("FLAG"); if ($_SERVER['REQUEST_METHOD'] === 'POST') { if (isset($_POST["email"]) && isset($_POST["pass"])) { if ($_POST["email"] === "admin@naruto....

October 4, 2022 · 3 min · Rizal

Black Hat MEA 2022 - Qualifier - Spatify

Challenge Description Difficulty : Easy Points : 150 Category : Web Walkthrough The challenge home page shows a list of songs and allows the user to search for songs. Checking the robots.txt file reveals a new directory location /superhiddenadminpanel/. Accessing the new location shows a page that asks for the admin password. When searching for songs on the home page, it showed a message that the search query should be at least 5 characters long....

October 4, 2022 · 1 min · Rizal