Hacking the lottery | CTF Challenge

October 23, 2024

Tags: #ctf #writeup #webex

Challenge Info

Metro Lottery (Medium)(100 points)

Description: Conduct a security audit on the city's lottery system.

What is the flag obtained after winning the lottery? (100 pts)

Hacking the lottery

  • Upon accessing the site we are greeted with this
[Fig.1: Homepage of the lottery page]
  • Hmm let's inspect it a little.
[Fig.2: The request as seen in the network tab] Hmm
  • Interesting, let's see if we can send a POST request with this json format on Postman
[Fig.3: The same request rebuilt in Postman] Postman the GOAT
  • I modified the ticket amount to a ridiculous amount, let's post it and see what happens.
[Fig.4: Lots of tickets] WOW
  • It would be really funny not to win with this many tickets.
[Fig.5: The flag]
  • Ayy, we got it. This is why you should always sanitize requests on the server side too: the ticket count came straight from the client and was never checked. Imagine this was a real lottery, then I would have been a millionaire!
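The fix the write-up is hinting at, as an added example that is not part of the original post or the challenge's code: the server parses the ticket count strictly and enforces its own limit and pricing instead of trusting whatever number the client put in the JSON body. The field name "tickets", the per-request limit and the ticket price are assumptions, since the challenge's real schema is not shown.

```python
"""Server-side validation of a lottery ticket purchase request (added example)."""
import json

MAX_TICKETS_PER_REQUEST = 10  # assumed business limit, not from the challenge
PRICE_PER_TICKET = 5          # assumed price, not from the challenge


class InvalidRequest(ValueError):
    """Raised for any request the server must refuse."""


def parse_ticket_request(raw_body: str, max_tickets: int = MAX_TICKETS_PER_REQUEST) -> int:
    """Return the validated ticket count from a JSON body, or raise InvalidRequest.

    The vulnerable handler in the write-up accepted any value. Here the count
    must be a JSON integer (not a float, string or bool), at least 1 and at
    most the server-side limit, regardless of what the browser's form allows.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise InvalidRequest(f"malformed JSON: {exc}") from None
    if not isinstance(body, dict):
        raise InvalidRequest("body must be a JSON object")
    if "tickets" not in body:
        raise InvalidRequest("missing 'tickets' field")
    count = body["tickets"]
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(count, bool) or not isinstance(count, int):
        raise InvalidRequest("'tickets' must be an integer")
    if count < 1:
        raise InvalidRequest("'tickets' must be at least 1")
    if count > max_tickets:
        raise InvalidRequest(f"'tickets' exceeds per-request limit of {max_tickets}")
    return count


def buy_tickets(raw_body: str, balance: int) -> tuple[int, int]:
    """Charge for the validated count using the server's own price.

    The total is never taken from the client. Returns (tickets, new_balance).
    """
    count = parse_ticket_request(raw_body)
    cost = count * PRICE_PER_TICKET
    if cost > balance:
        raise InvalidRequest("insufficient balance")
    return count, balance - cost


def is_valid_ticket_request(raw_body: str) -> bool:
    """Convenience wrapper: True if the body would be accepted, else False."""
    try:
        parse_ticket_request(raw_body)
        return True
    except InvalidRequest:
        return False
```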

Flag: SKY-AHQP-6005