+ | hidden done

2025-09-27 12:48:35 +02:00 · 2025-04-08 16:24:20 +02:00
parent 9e96789cfe
commit 6d60ef316c
4 changed files with 14 additions and 18 deletions
--- a/hidden/README.md
+++ b/hidden/README.md
@ -0,0 +1,14 @@
+# Finding the Hidden Flag
+
+## How We Found It
+First we went throught basic analysis of the website and thought of `.robots.txt`.
+
+`Dissallow: /.hidden`
+
+We wrote a script that crawled through the website’s `.hidden` directory. It checked every subdirectory and looked for each README file, examining the byte of its content. When that byte deviated from the expected pattern, we knew we’d found the flag!
+
+## Utility of It
+For this project, there wasn’t any real-world utility, it was just a roleplay exercise for school to learn about web crawling and threading.
+
+## How Can We Patch It
+The easiest fix is to restrict public access to sensitive files. Don’t place secret files in directories that are directly accessible from the web.
--- a/hidden/flag
+++ b/hidden/flag
@ -0,0 +1 @@
+d5eec3ec36cf80dce44a896f961c1831a05526ec215693c8f2c39543497d4466
--- a/hidden/ressources/main.py
+++ b/hidden/ressources/main.py
@ -0,0 +1,68 @@
+import threading
+import requests
+import time
+from bs4 import BeautifulSoup
+
+IP = "http://10.12.248.155/"
+BASE_URL = ".hidden/"
+
+thread_pool = []
+visited_count = 0
+stop_thread = False
+
+class Request(threading.Thread):
+	def __init__(self, url=""):
+		self.url = url
+		threading.Thread.__init__(self)
+
+	def run(self):
+		global thread_pool
+		global visited_count
+		global stop_thread
+
+		if (stop_thread):
+			thread_pool.clear()
+			exit(0)
+
+		res = requests.get(IP + BASE_URL + self.url)
+		parsed = BeautifulSoup(res.content, "html.parser")
+		
+		readme_value = parsed.find("pre").contents[-1].split(" ")[-1]
+		if not readme_value.startswith("34"):
+			stop_thread = True
+
+			time.sleep(0.5) # processing NSA hack
+
+			print("\n\nFound the flag on: ", IP + BASE_URL + self.url)
+
+			flag = requests.get(IP + BASE_URL + self.url + "README")
+			print(flag.content.decode(), "\n")
+			
+			exit(0)
+
+		for link in parsed.find_all("a"):
+			
+			url = link["href"]
+			if (url != "README" and url != "../"):
+
+				if (not stop_thread):
+					print("\r " + str(visited_count) + " " + self.url + url + "       ", end="", flush=True)
+			
+				new_thread = Request(self.url + url)
+				new_thread.start()
+
+				thread_pool.append(new_thread)
+				
+				visited_count += 1
+
+
+def main():
+	thread_pool.append(Request())
+	thread_pool[0].start()
+
+	for thread in thread_pool:
+		thread.join()
+
+
+if __name__ == "__main__":
+	main()
				`@ -0,0 +1 @@`
				`d5eec3ec36cf80dce44a896f961c1831a05526ec215693c8f2c39543497d4466`