CySCA 2015 - Web Application Pentest 3 - Love Letters

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

Now that we’re logged in, let’s take a poke around and see what we’re dealing with. There appear to be sections for:

  • Apply for leave, where we submit a text request. Maybe XSS or Injection on this?
  • Staff Directory, details about different staff members.
    • The “Network Administrator” has some binary in his profile. We’ll decode that later.
  • There seems to also be a message board. Maybe XSS or Injection.
  • There’s also a mail inbox.

CySCA 2015 - Web Application Pentest 2 - The Eagle Has Landed

We need to obtain a working account on the system.

We register with the following details:

Name: Nick
Email: [email protected]
Password: nick
Confirm: nick
Secret Q: q
Secret A: a

We notice a message at the top:

Account Registered - Awaiting IT approval.


CySCA 2015 - Web Application Pentest 1 - Bots Dream of Electric Flags

Our WebSec foo tells us we should have a look in robots.txt. Not only that, but the title does give this one away - Bots.

GET /robots.txt HTTP/1.1

User-agent: *
Disallow: /admin
Disallow: /backup
Disallow: /protected

Let’s take a look in these.

  • /admin - Nothing here, just a picture
  • /backup - Nothing here, just another picture
  • /protected - Reveals the flag FLAG{1b000000000000000000000000000000}

CySCA 2015 - Web Application Pentest 0 - In Plain Sight

This was an easy one - snoop around the HTML source code on the login page. You’ll find an HTML comment around line 99:

<!-- X marks the spot -->
<!-- RkxBR3sxYTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH0N -->

The second comment looks like Base64, so we decode it as such:

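>>> import base64
>>> encoded = 'RkxBR3sxYTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH0N'
>>> # str.decode('base64') only exists in Python 2; b64decode works in Python 3 as well
>>> print(base64.b64decode(encoded).decode('ascii').strip())
FLAG{1a000000000000000000000000000000}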
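A defender-side check for the mistake this challenge illustrates, added here as an example and not code from the original post: it parses a page's HTML comments and reports any Base64-looking token that decodes to printable text, so encoded secrets can be caught before a page ships. The 16-character threshold, the function and class names, and the sample page are assumptions constructed for the example.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Base64-alphabet runs long enough to be worth decoding (the 16-char floor is an assumption).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def try_decode(token):
    """Return decoded text if token is strict base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


class CommentAuditor(HTMLParser):
    """Records (line, decoded_text) for each base64-looking token inside an HTML comment."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        line, _ = self.getpos()  # line of the comment's opening "<!--"
        for token in B64_TOKEN.findall(data):
            decoded = try_decode(token)
            if decoded is not None:
                self.findings.append((line, decoded))


def audit(html_text):
    """Parse html_text and return the list of findings from its comments."""
    auditor = CommentAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample page; the encoded value is made up here, not the challenge's flag.
SAMPLE_TOKEN = base64.b64encode(b"FLAG{constructed-sample-value}\r").decode("ascii")
SAMPLE_PAGE = (
    "<html>\n<body>\n<form action='/login' method='post'></form>\n"
    "<!-- X marks the spot -->\n"
    f"<!-- {SAMPLE_TOKEN} -->\n"
    "<!-- plain build note, nothing encoded -->\n</body>\n</html>\n"
)
```

Calling `audit(SAMPLE_PAGE)` returns one finding, on line 5 of the sample. Only comment content is inspected, so Base64 inside visible markup or scripts is out of scope for this check.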

Songs that Get Drunk CSE Students Excited Mini Mix