Use a specific Browser
Author: XploitPoy_777
Access the hidden flag. Browsers will not reveal the secret.
Access Web Flag format: BOCTF{}


Solution: This is a browser-related challenge. Although the description says that browsers will not reveal the secret, we can use a browser automation or interception tool such as Burp Suite.
First, capture the page request in Burp Suite and send it to Intruder.

In the Intruder tab, select the User-Agent header value as the payload position.
Get the payloads (a list of user-agent strings) from a public source, e.g. https://www.useragentstring.com/pages/All/

Then start the attack to see the result.

In the attack results, the content length column shows an unusual value for the user agent `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.8.0`.

Now open a fresh browser and go to the target page. Install a user-agent switcher extension: https://microsoftedge.microsoft.com/addons/detail/useragent-switcher-and-m/cnjkedgepfdpdbnepgmajmmjdjkjnifa
In the extension, select the Firefox browser, version 52.

Boom! The flag was revealed!
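The same sweep is easy to spot from the server side, which is why a User-Agent check is not an access control. The following is an added example, not part of the original writeup: it scans access-log lines for one client requesting the same path with many different User-Agent strings and reports which agent received a response of a different size. The log format (combined), the IP addresses, the response sizes and the `min_agents` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+) "[^"]*" "([^"]*)"')

# The user agent named in the writeup; every other value below is constructed.
CYBERFOX = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) "
            "Gecko/20100101 Firefox/52.0 Cyberfox/52.8.0")

def log_line(ip, agent, size):
    """Build one constructed access-log line for the sample below."""
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 {size} "-" "{agent}"'

SAMPLE_LOG = "\n".join([
    log_line("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", 512),
    log_line("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36", 512),
    log_line("203.0.113.7", "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16", 512),
    log_line("203.0.113.7", CYBERFOX, 731),
    log_line("203.0.113.7", "curl/8.4.0", 512),
    # An ordinary visitor: one user agent, repeated.
    log_line("198.51.100.20", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36", 512),
    log_line("198.51.100.20", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36", 512),
])

def find_ua_sweeps(log_text, min_agents=4):
    """Return {(ip, path): [(agent, size), ...]} for clients that cycled through
    at least min_agents distinct User-Agents on one path. The list holds the
    agents whose response size differed from the most common size."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, path, _status, size, agent = m.groups()
        seen[(ip, path)][agent] = int(size)
    findings = {}
    for key, sizes in seen.items():
        if len(sizes) < min_agents:
            continue
        common_size = Counter(sizes.values()).most_common(1)[0][0]
        findings[key] = [(ua, sz) for ua, sz in sizes.items() if sz != common_size]
    return findings

if __name__ == "__main__":
    for (ip, path), odd in find_ua_sweeps(SAMPLE_LOG).items():
        print(f"{ip} swept User-Agents on {path}; differing responses: {odd}")
```

A production version would also bound the grouping by a time window, since the sample counts distinct agents over the whole log.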
