Need help solving CyberStart’s Hidden Boats challenge or want to learn more about finding hidden information on websites?
Read our tips on how to find file inclusion on websites and how to protect them from attack.
Note: This blog contains spoilers and solutions to HQ L07 C02 - Hidden Boats.
How to solve CyberStart’s “Hidden Boats” challenge - HQ L07 C02
As an agent at the Cyber Protection Agency, you’ve been asked to look into a gang called the Chiquitoos that run several legitimate and criminal operations.
You’ve been informed that there could be hidden information on one of the gangs’ websites. It’s being stored in a file called “extra.txt”.
To help you solve Hidden Boats HQ L07 C02, we’re first going to give you the hint to this challenge!
Hidden Boats challenge hint:
Look at the page URL and how it’s being used to load the list of scheduled trips. Is there any way you could change that to show the extra trips file?
So, we now know the URL (the text near the top that starts with “https”) needs to be changed to show the extra trips file - but what do we change it to?
Well, let’s think back to the challenge brief that told us the information we’re looking for is being hidden in a file called “extra.txt”.
If you add “extra.txt” to the end of the URL, you’ll notice it’s still not uncovering the hidden information.
Let’s try looking in the website’s developer tools to see if we can get any further clues.
As you look at the developer tools, you’ll notice a section with the trips planned that we can also currently see on the website. Then, you’ll notice for each trip, there’s a file ending in “.txt”.
Let’s try putting “?file=planned.txt” that we see in the developer tools into the URL, but replace “planned.txt” with “extra.txt”.
Your new URL should now be: “https://www.boatcabs.com/scheduled?file=extra.txt”.
Congratulations! You should now have found the hidden page. But it’s not over yet. You still need to find the flag on the page.
Read the briefing again and the flag location on the page should be clear!
How to reveal and prevent security flaws
Examining and understanding how web applications load and serve data can often reveal security flaws.
Website flaws such as this file inclusion are common mistakes that leave businesses open to attack.
In this case, the website needs to make itself resistant to this kind of flaw to ensure others cannot ask for data, other than what the website expects to provide.
The thought process behind discovering this file inclusion vulnerability is similar to many other real security flaws, so it’s a great skill to know!