McSkidy has been going keeping inventory of all the infrastructure but he finds a random web server running on port 3000. All he receives when accessing ’/’ is
1{"value":"s","next":"f"}
McSkidy needs to access the next page at /f(which is the value received from the data above) and keep track of the value at each step(in this case ‘s’). McSkidy needs to do this until the ‘value’ and ‘next’ data have the value equal to ‘end’.
You can access the machines at the following IP:
- 10.10.169.100
Things to note about this challenge:
- The JSON object retrieved will need to be converted from unicode to ASCII(as shown in the supporting material)
- All the values retrieved until the ‘end’ will be the flag(end is not included in the flag)
Check out the supporting material here.
First you need to scan the ip address.
1"nmap -sV -vv 10.10.169.100"23Discovered open port 111/tcp on 10.10.169.1004Discovered open port 22/tcp on 10.10.169.1005Discovered open port "3000/tcp on 10.10.169.100"
As you can see, the port 3000 is open, you can test the result with curl
1curl 10.10.169.100:30002{"value":"s","next":"f"}
Now we can develop our own python script to get the flag
1import requests23path="/" # Path for the web application4host="http://10.10.169.100:3000" # Url of the target box5values=[] # All the values will be stored there67while path != "/end":8 response = requests.get(host+path)9 json_response = response.json()10 path = "/" + json_response["next"]11 if path != "/end":12 values.append(json_response["value"]) # While the path is not /end the script will iterate again and again1314print("".join(values)) # Print the final value (flag)
1sCrIPtKiDd # flag
