
[PicoCTF 2018] - web - Secret Agent

This is one of my writeups for PicoCTF 2018

Problem

Here's a little website that hasn't fully been finished. But I heard google gets all your info anyway. http://2018shell3.picoctf.com:11421

Hints :

  1. How can your browser pretend to be something else?

Solution

Here, the task name and hint seemed to indicate that the User-Agent header is involved. Sure enough, if we check the site and follow the link to /flag, we get the following error (abbreviated here) :

You're not google! Mozilla/5.0 [...]

This tells us two things :

  1. The app is looking at our user agent (since it's displayed in the error)
  2. It's expecting "Google"

Now the way Google indexes websites is that it has bots crawling the web. Those bots are "polite", which means among other things that they correctly indicate their identity (as opposed to trying to pass for a regular browser). We can assume that what is expected here is the Googlebot user agent.

A quick search for "googlebot user agent" yields the following page : Google crawlers (user agents).

As indicated, Googlebot is the most common Google crawler, so let's use its user agent :

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Requesting /flag again, this time using that user agent (I used Burp Suite's proxy and repeater, but there are other ways to do that), we get the flag : picoCTF{s3cr3t_ag3nt_m4n_ed3fe08d}
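
The challenge falls because the app trusts a header the client controls. As an added example (not part of the original writeup or the challenge's code), here is the check a server needs if it really wants to recognise Googlebot: forward-confirmed reverse DNS, the method Google documents for verifying its crawlers. The function names, the injectable resolver parameters and the sample DNS records are assumptions constructed for this example.

```python
import socket

# Domains Google documents for its crawlers' reverse DNS names.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def claims_googlebot(user_agent):
    """The header check alone: any client can send this string."""
    return "googlebot" in user_agent.lower()


def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def system_forward(host):
    return socket.gethostbyname_ex(host)[2]


def is_verified_googlebot(user_agent, client_ip,
                          reverse=system_reverse, forward=system_forward):
    """Accept only when the UA claim is backed by forward-confirmed reverse DNS."""
    if not claims_googlebot(user_agent):
        return False
    try:
        host = reverse(client_ip).rstrip(".").lower()
        if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
            return False
        # A PTR record is set by whoever owns the IP block, so the name
        # only counts if it resolves back to the same address.
        return client_ip in forward(host)
    except (OSError, KeyError):
        return False  # lookup failed: fail closed


# Constructed sample records (documentation IP ranges, made-up hostnames).
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine-looking pair
       "203.0.113.5": "crawl-1-2-3-4.googlebot.com",     # forged PTR
       "198.51.100.7": "host7.example.net"}              # ordinary client
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
     "crawl-1-2-3-4.googlebot.com": ["192.0.2.99"]}


def demo():
    """Same spoofed UA from three source IPs; only the first one verifies."""
    return {ip: is_verified_googlebot(GOOGLEBOT_UA, ip, PTR.__getitem__, A.__getitem__)
            for ip in PTR}
```

Every request in `demo()` carries the Googlebot string, so `claims_googlebot` passes all three, while the DNS check accepts only the address whose PTR name resolves back to it.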