Thailand Cyber Top Talent 2022 – CTF THAILAND
Writeup!! Web-challenge03
1st step : survey the target website and work out where a flag could be hidden.
The page shows only text, nothing interactive.
2nd step : try index.html and index.php, then run dirb to brute-force hidden directories and files.
![](https://www.engiblog.com/wp-content/uploads/2022/10/web03-01.png)
3 : index.php takes a “secret” parameter. OK!! fuzz it with FFUF
and test with the values it reports.
![](https://www.engiblog.com/wp-content/uploads/2022/10/web03-03.png)
![](https://www.engiblog.com/wp-content/uploads/2022/10/web03-02.png)
4 : The parameter is vulnerable to command injection. Use commix against it and its os_shell to look around the filesystem for the flag.
Found : an SSsecretSS directory (interesting).
![](https://www.engiblog.com/wp-content/uploads/2022/10/web03-04.png)
Final : Browse to the SSsecretSS directory (the web server has directory listing enabled), and FlagSecret.txt is sitting there.
![](https://www.engiblog.com/wp-content/uploads/2022/10/web03-05.png)
flag : tctt2022{Vuln_C0mM@nd_!inj3ti0n}
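To show what commix is actually doing in step 4, here is an added Python example (my code, not the challenge's or commix's). The challenge's index.php source is not shown in the writeup, so the vulnerable handler below is a constructed stand-in that concatenates the “secret” parameter into a shell command; the probe uses the same trick commix relies on for results-based injection: make the shell evaluate arithmetic and look for the product in the response, so a page that merely reflects the input cannot trigger a false positive. A hardened handler (argv list, no shell, allow-listed input) is included for contrast.

```python
import random
import string
import subprocess

# Constructed stand-in for the challenge's vulnerable index.php (assumption:
# the real sink is not shown in the writeup). User input is concatenated into
# a command string that is handed to /bin/sh.
def vulnerable_handler(secret):
    cmd = "echo " + secret
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5)
    return result.stdout + result.stderr


# Hardened version of the same feature: argv list (no shell parsing) plus an
# allow-list on the parameter, so metacharacters never reach a shell.
ALLOWED = set(string.ascii_letters + string.digits + "_-")

def hardened_handler(secret):
    if not secret or any(ch not in ALLOWED for ch in secret):
        return "invalid input"
    result = subprocess.run(["echo", secret], capture_output=True, text=True, timeout=5)
    return result.stdout


# Command separators and substitutions a results-based probe tries.
SEPARATORS = [";", "|", "&&", "||", "\n"]

def build_payloads(a, b):
    """Payloads that make the shell compute a*b; the product never appears
    literally in the payload, so only real execution can produce it."""
    expr = "$((%d*%d))" % (a, b)
    payloads = ["x%secho %s" % (sep, expr) for sep in SEPARATORS]
    payloads.append("$(echo %s)" % expr)
    payloads.append("`echo %s`" % expr)
    return payloads


def detect_command_injection(handler):
    """Return the first payload whose response contains the computed product,
    or None if the handler never executed our injected command."""
    a, b = random.randint(1000, 9999), random.randint(10, 99)
    marker = str(a * b)
    for payload in build_payloads(a, b):
        if marker in handler(payload):
            return payload
    return None


if __name__ == "__main__":
    print("vulnerable:", detect_command_injection(vulnerable_handler))
    print("hardened  :", detect_command_injection(hardened_handler))
```

Once a working separator is found, the same channel carries `ls`, `cat` and friends, which is exactly what commix's os_shell wraps; the SSsecretSS directory in step 4 is the kind of thing a quick `ls` over that channel turns up.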