Maze
Reading the challenge description, the first thing I thought of was to look for hidden files, so I ran dirsearch:
It found a /projects folder, and when we visit it we get this banner:
However, if we take a look at the source code there is an interesting comment:
I checked the image and it turns out to be a QR code, with no apparent hidden data:
At this point I checked whether there are more images following the same naming convention, image-X.png, so I went for 27, as the banner on /projects pointed out:
Additionally I ran an Intruder scan with Burp Suite to check which images are available:
Both Intruder and the image indicate that QR 13 holds hidden data, so I ran exiftool on it:
[jusepe@nix:~/Documents/CTFs/vulncon]$ exiftool image-13.png
ExifTool Version Number : 12.12
File Name : image-13.png
Directory : .
File Size : 946 bytes
File Modification Date/Time : 2020:12:19 14:56:29+01:00
File Access Date/Time : 2020:12:19 14:56:38+01:00
File Inode Change Date/Time : 2020:12:19 14:56:30+01:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 290
Image Height : 290
Bit Depth : 1
Color Type : Grayscale
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
XMP Toolkit : Image::ExifTool 12.04
Creator : aWh5YXBiYXtqQCRfN3UxJF8zaTNhX0BfajNvX3B1QHl5M2F0Mz99
Image Size : 290x290
Megapixels : 0.084
There is an interesting Creator header, so with the help of CyberChef I got the flag:
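The CyberChef step above is the only part of the chain the writeup does not spell out, so here is the same decode done in plain Python. This is an added example, not code from the writeup: it takes the Creator value exactly as exiftool printed it, applies Base64 and then ROT13 (the two operations that value needs; the page itself only says "with the help of CyberChef"), and returns every intermediate string so the layering is visible. The flag prefix vulncon is assumed from the CTF name in the writeup's paths (~/Documents/CTFs/vulncon); that prefix check matters because the intermediate ROT13 ciphertext is also brace-shaped and would otherwise be mistaken for the flag.

```python
import base64
import codecs
import re

# Creator tag exactly as exiftool printed it for image-13.png in the writeup
CREATOR_TAG = "aWh5YXBiYXtqQCRfN3UxJF8zaTNhX0BfajNvX3B1QHl5M2F0Mz99"

# Assumption: the flag prefix is the CTF name seen in the writeup's paths
FLAG_PREFIX = "vulncon"


def looks_like_flag(text: str, prefix: str = FLAG_PREFIX) -> bool:
    """True when text has the shape prefix{...}. Checking the prefix, not just
    the braces, keeps the ROT13 ciphertext 'ihyapba{...}' from matching."""
    return re.fullmatch(re.escape(prefix) + r"\{[^{}]+\}", text) is not None


def decode_creator(value: str) -> list:
    """Base64 then ROT13, the two operations the Creator value needs.
    Every intermediate string is returned so the layering is visible."""
    stages = [value]
    raw = base64.b64decode(value, validate=True)   # validate=True rejects stray characters
    text = raw.decode("ascii")                      # the tag decodes to printable ASCII
    stages.append(text)
    stages.append(codecs.decode(text, "rot_13"))    # ROT13 is its own inverse
    return stages


def recover_flag(value: str) -> str:
    """Walk the decode chain and return the first stage shaped like a flag."""
    for stage in decode_creator(value):
        if looks_like_flag(stage):
            return stage
    raise ValueError("no flag-shaped string after Base64 + ROT13")


if __name__ == "__main__":
    for i, stage in enumerate(decode_creator(CREATOR_TAG)):
        print(f"stage {i}: {stage}")
    print("flag:", recover_flag(CREATOR_TAG))
```

Running it prints the three stages and the flag; the middle stage is what a single From Base64 in CyberChef shows, which is why a second operation is needed.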
r4t3 L1m1t
When we browse the web app the only thing we see is an OTP form:
It makes a GET request with a parameter for each digit:
[jusepe@nix:~/Documents/CTFs/vulncon]$ curl "http://ratelimit.noobarmy.org/enterotp?digit_1=1&digit_2=1&digit_3=1&digit_4=1" && echo ""
{"msg":"Your Flag Is L0L"}
After 10 tries you get banned for 1 minute:
[jusepe@nix:~/Documents/CTFs/vulncon]$ curl "http://ratelimit.noobarmy.org/enterotp?digit_1=1&digit_2=1&digit_3=1&digit_4=1" && echo ""
Our Developers Are Smart Enough To Implement Rate Limit !
Searching for ways of bypassing the rate limit I found this HackTricks post; the article suggests changing the letter casing, so I tried brute-forcing /Enterotp.
This endpoint has a 100 request limit, which wasn't enough, so I kept trying things and tried the following headers:
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Forwarded-For: Dashboard
Adding the headers on their own didn't change anything. After some struggle I switched the request method, hoping that the endpoint processes it too, and voilà:
At this point we are able to brute-force the endpoint; I used Burp Suite Intruder with the Cluster Bomb attack type. After the brute-force ends there is a response with a different content length:
Paying attention to the response, I removed the X- headers and got the flag: