🌐 Week 5

Category: 🌐 Web
Author: Flare.io

Challenge Prompt

You’ve uncovered traces of an illicit marketplace long thought abandoned. Listings fade. Vendors vanish. But the data remains for those who know how to follow it.

This week, 100 adventurers will claim the prize.

Guidelines for All Market Walkers

  • A new challenge emerges each week with unique mechanics,
  • The quest appears first in the Flare Academy Discord, then on LinkedIn one hour later,
  • Recover the hidden flag to claim this week’s reward,
  • Flags double as discount codes at checkout. Format flare{…},
  • One artifact per adventurer, to keep the realm in balance,

Enter the Market: http://ly3ph3sccqwjh6invtiwo6vzk7nmxzcl6kuqxyzd5xulkshpvydn6yqd.onion/

Claim the Prize:
https://merch.flare.io/

The stalls are open.
Follow the trail and take what you can prove.

Problem Type

  • Web
  • IDOR

Solve

This week's challenge again lives at a .onion address, so we will again need the Tor Browser. You can get it from the Tor Project if you don't have it already.

We visit the site and are presented with the “Silk Road” marketplace. The site offers a variety of things for sale, including FlareCTF Flag LEAKED!, which we are very interested in (well, maybe the eggnog too, ‘tis the season after all).

So I clicked on the FlareCTF Flag Leaked item, and the buy button tells me I need to log in to purchase.

At the top right is a login link, so let’s try that. On this page we are presented with a username and password login box. I tried admin/admin.
This didn’t work, but the page said we can use the demo account buyer/silkroad. So, let’s try that.

That allowed us to log in, and I quickly noticed the “Orders 2” badge at the top.

So let’s go to the My Orders link. Here we are presented with our 2 orders, one delivered and one shipped.

I clicked on View Details of the delivered order and again quickly noticed that our order number was part of the URL: ?id=157. This means the site might be vulnerable to an Insecure Direct Object Reference, or IDOR, attack.
To test, we can just change the number 157 to something else, like 156, and see if it shows us someone else’s order.

Let’s try 156 first.

Success! I’ll spare you the boredom of me testing 156 - 149 and not finding anything before deciding to start at 1 and work up.

Working my way up from 1, at 3 we hit the jackpot and landed on a purchase of the FlareCTF Flag Leaked, which revealed the flag!
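The order-lookup flaw behind this week's IDOR, as an added Python example (not the challenge site's code; the orders, owners, item names and handler names are constructed): the vulnerable handler trusts the ?id= value alone, while the fixed one scopes the lookup to the logged-in user and answers a foreign id with the same not-found as a missing one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    id: int
    owner: str
    item: str
    status: str


# Constructed sample data mirroring the write-up: the demo "buyer" account
# owns orders 156 and 157; order 3 belongs to a different user entirely.
ORDERS = {
    3: Order(3, "alice", "FlareCTF Flag LEAKED!", "delivered"),
    156: Order(156, "buyer", "Eggnog", "shipped"),
    157: Order(157, "buyer", "Silk scarf", "delivered"),
}


class NotFound(Exception):
    """Raised for unknown ids and, in the fixed handler, for foreign ids."""


def view_order_vulnerable(session_user: str, order_id: int) -> Order:
    """IDOR pattern: looks the order up by the client-supplied ?id= and
    never checks that it belongs to the authenticated user."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def view_order_fixed(session_user: str, order_id: int) -> Order:
    """Scope the lookup to the session user. A foreign id gets the same
    404 as a missing one, so the response does not confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return order


def reachable_orders(handler, session_user: str, ids) -> list:
    """Replay the write-up's test: walk a range of ids as one session and
    return every id the handler was willing to show."""
    reachable = []
    for oid in ids:
        try:
            handler(session_user, oid)
            reachable.append(oid)
        except NotFound:
            continue
    return reachable
```

Running reachable_orders over ids 1 to 199 as "buyer" returns [3, 156, 157] against the vulnerable handler and only [156, 157] against the fixed one.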

Flag

flare{0rd3r_4l0ng_th3_51lk_r04d_99}
