09 November 2014

Toaster Control - 50

Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...
When I opened the link and clicked on one of the buttons, I noticed what the page's URL looked like.

For example, clicking on 'Blink Lights', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Blink Lights
When clicking on 'Patrol Mode', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Patrol Mode
When clicking on 'Make Toast', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Make Toast

There is a pattern: each of the URLs starts with http://web2014.picoctf.com/toaster-control-1040194/handler.php?action= and ends with the name of the button you clicked.

So, since I wanted to activate the 'Shutdown & Turn Off' command, you'd assume that the link would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown & Turn Off

But that would only bring me to this page:


But then how would I be able to go to the page? URL encoding, that's how. The problem actually lies in the ampersand ('&'), since it's not a URL-safe character. In a query string, '&' separates one parameter from the next, so the action value is cut off at the ampersand. So by converting Shutdown & Turn Off to a URL-safe string, I'd be able to view the page.

I Googled 'text to url' and found several text-to-URL converters. I used QuickEncoder, pasted Shutdown & Turn Off into the box, then pressed 'Encode'.


I copied the URL-safe string (Shutdown+%26+Turn+Off) and pasted it into the base URL (http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=) so that it looked like http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown+%26+Turn+Off

I pressed 'Enter' and the following page appeared:


The shutdown code, and flag, is blatantly displayed as flag_c49bdkeekr5zqgvc20vc
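The query-string behaviour behind this, as an added example that is not part of the original write-up: it shows how the raw ampersand splits the action value and how the encoded form survives intact. The host in `BASE` and the helper names are constructed for illustration.

```javascript
// Added example: how a query string is split into parameters, and why the
// raw '&' inside the action value has to be percent-encoded.
// BASE is a constructed placeholder, not the challenge server.
const BASE = "http://toaster.example/handler.php";

// Split a raw query string into [name, value] pairs the way a
// form-decoding server does: cut on '&', then on the first '=',
// then turn '+' into a space and decode %XX sequences.
function parseQuery(query) {
  return [...new URLSearchParams(query).entries()];
}

// The value the handler would receive for its 'action' parameter.
function actionSeenByServer(query) {
  return new URLSearchParams(query).get("action");
}

// Build the request URL for a button label, encoding the label as a
// form value (space -> '+', '&' -> '%26').
function actionUrl(label) {
  const params = new URLSearchParams({ action: label });
  return `${BASE}?${params.toString()}`;
}

const label = "Shutdown & Turn Off";

// 1. Raw label pasted after 'action=': the '&' ends the parameter early,
//    leaving 'Shutdown ' as the action and ' Turn Off' as a second,
//    valueless parameter.
const raw = "action=" + label;
console.log(parseQuery(raw));

// 2. Form-encoded label: one parameter, full value restored on decode.
const encoded = actionUrl(label).split("?")[1];
console.log(encoded, "->", actionSeenByServer(encoded));

// 3. encodeURIComponent uses %20 instead of '+', and decodes to the
//    same value on the server side.
const percent = "action=" + encodeURIComponent(label);
console.log(percent, "->", actionSeenByServer(percent));
```

Either encoded form reaches the handler as the full label, which is why removing the button from the panel does not disable the command: the handler has to reject actions it no longer supports.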