Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...When opening the link and clicking on one of the buttons, I noticed how the page's URL looked like.
For example, clicking on 'Blink Lights', the URL would be
http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Blink LightsWhen clicking on 'Patrol Mode', the URL would be
http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Patrol ModeWhen clicking on 'Make Toast', the URL would be
http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Make ToastThere is a pattern in that each of the URLs start with
http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=, and would end with the name of the button you were clicking.So, since I wanted to activate the '
Shutdown & Turn Off' Command, you'd assume that the link would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown & Turn OffBut that would only bring me to this page:
But then how would I be able to go to the page? URL encoding, that's how. The problem actually lies in the ampersand ('&'), since it's not a URL-safe character. So by converting
Shutdown & Turn Off to a URL-safe string, I'd be able to view the page.I Google'd 'text to url' and found several text to URL converters. I used QuickEncoder, and pasted
Shutdown & Turn Off into the box, then pressed 'Encode'
I copied the URL-safe string (
Shutdown+%26+Turn+Off) and pasted it into the base URL (http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=) so that it looked like http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown+%26+Turn+OffI pressed 'Enter' and the following page appeared:
The shutdown code, and flag, is blatantly displayed as
flag_c49bdkeekr5zqgvc20vc