Lah Itu Je?

Web Challenge

First, when we look at the website, we are presented with a login form.

Intercepting it using Burp Suite shows that there is another path called register.php.

After creating an account and logging in, we are redirected to dashboard.php; right after that, pressing "get flag" redirects to another page, which is flag.php.

We did this by checking the page source and looking at script.js; the JS file is obfuscated, so we need to use a JavaScript deobfuscator.

Next, we just run the generateCode() function in the console, and it alerts the code; however, making a POST request with the code doesn't provide the solution, and another alert box comes up.

After banging my head against the wall for 4 hours straight, I decided to wait for the clues.

Here, it states to shoot to the "head." I guess we need to change the request from POST to HEAD.

Nope, I was wrong. Moving on to another clue, shoot the "host": here I changed the Host header to localhost, and it provided a strange response.

200 OK and Error executing curl request: Empty reply from server

Hm, it is clear that this is an SSRF vulnerability via the Host header.

For Reference
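
The server-side fix for this class of bug, as an added example that is not the challenge's code: the vulnerable function is an assumed reconstruction of why the curl error appeared, and the host names, `INTERNAL_API` and all function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumed deployment values, constructed for this example.
const ALLOWED_HOSTS = ['ctf.example.test', 'www.ctf.example.test'];
const INTERNAL_API  = 'http://127.0.0.1:8080/internal/flag';

// Assumed vulnerable pattern: the backend URL is built from the
// client-controlled Host header, so the client chooses where curl connects.
function backendUrlVulnerable(array $server): string
{
    return 'http://' . ($server['HTTP_HOST'] ?? '') . '/internal/flag';
}

// Hardened: Host is only compared against an allowlist, never used in a URL.
function validatedHost(array $server): ?string
{
    $host = strtolower(trim((string) ($server['HTTP_HOST'] ?? '')));
    // Accept "name" or "name:port"; anything else is rejected outright.
    if (!preg_match('/^([a-z0-9.-]+)(?::\d{1,5})?$/', $host, $m)) {
        return null;
    }
    return in_array($m[1], ALLOWED_HOSTS, true) ? $m[1] : null;
}

function fetchFlagHardened(array $server): array
{
    if (validatedHost($server) === null) {
        return [400, 'Bad Request'];
    }
    $ch = curl_init(INTERNAL_API);              // destination comes from config
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,        // a redirect cannot re-aim the request
        CURLOPT_TIMEOUT        => 3,
    ]);
    $body = curl_exec($ch);
    // Log curl_error($ch) server-side; do not echo it to the client.
    return $body === false ? [502, 'Upstream error'] : [200, $body];
}

// Constructed Host values: two legitimate, two rewritten.
foreach (['ctf.example.test', 'CTF.example.test:443', 'localhost', 'collector.example.net'] as $h) {
    $srv = ['HTTP_HOST' => $h];
    printf("%-22s vulnerable: %-44s hardened: %s\n", $h,
        backendUrlVulnerable($srv), validatedHost($srv) ?? 'rejected');
}
```

Returning a generic 502 instead of the curl error string also removes the response difference that gave the behaviour away here.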

Therefore, all I need to do is create my domain using the request in the website and inspect the request

Lastly, decode the flag from Base64

RWSC{b045887cbadfda25b29db243a18de38cb1cbfb14}
