Opening the challenge page gives a very precise complaint:
Insecure operating system!
For sEcUrItY rEaSoNs, you need to update your system to Windows 95 before accessing this website!
This is a hint about the
I used Burp Suite as an intercepting proxy for the rest of the challenge. The browser is configured to send traffic through Burp, and Burp lets us pause, edit, forward, and replay HTTP requests.
For the first request, I sent the page request to Burp Repeater and changed the User-Agent header to:
Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
The request then looks roughly like this:
GET /tram-ticket-machine.html HTTP/2
Host: hscmgl7wwsgdrukzblbuhlnvle-1024-intro-web-2.challenge.cscg.live
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
With that header set, the page gives the first flag part:
CSCG{1334k_
The next step is to use Burp Proxy's intercept feature while clicking through the page. When the website submits a form, Burp pauses the request before it reaches the server. That gives us a chance to edit parameters that the page normally controls.
One of the requests contains a filename parameter. Instead of letting the browser submit the original value, I changed the submitted filename to:
POST /read-file.php HTTP/2
Host: hscmgl7wwsgdrukzblbuhlnvle-1024-intro-web-2.challenge.cscg.live
Content-Type: application/x-www-form-urlencoded
filename=flag.txt
The server accepts the modified value and returns the second part:
1nt3rc3pt_
The endpoint can also be queried directly. This is a good habit in intro web challenges: once we know an endpoint and a parameter name, try the same parameter in a simpler request.
In Burp Repeater, I changed the request to a direct request for:
/read-file.php?filename=flag.txt
That gives another part:
m0d1fy_fwd_
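The read-file endpoint above accepts a filename that the browser, not the server, chooses, and it answers the same way whether the parameter arrives in a POST body or a query string. The following is an added example, not the challenge's own read-file.php: a small offline model of that handler in the shape the writeup exploits, next to a hardened version that lets the client pick only a server-defined document key. The BASE_DIR tree, the DOCUMENTS map and the doc parameter name are constructed for the example.

```python
import os
import tempfile
from urllib.parse import parse_qs

# Constructed sample document tree so the example runs offline (not the challenge's files).
BASE_DIR = tempfile.mkdtemp(prefix="docs-")
with open(os.path.join(BASE_DIR, "ticket-info.txt"), "w") as fh:
    fh.write("Tram ticket prices: see the machine.\n")
with open(os.path.join(BASE_DIR, "flag.txt"), "w") as fh:
    fh.write("CSCG{constructed-placeholder-flag}\n")


def params_from_request(method, target, body=""):
    """Return the parameter map for either form the writeup uses:
    a form-encoded POST body, or the query string of a direct GET."""
    raw = body if method == "POST" else target.partition("?")[2]
    return {key: values[0] for key, values in parse_qs(raw).items()}


def read_file_vulnerable(params):
    """Opens whatever 'filename' the client sent.
    A hidden form value is not a control: Burp rewrites it before it leaves the browser."""
    path = os.path.join(BASE_DIR, params.get("filename", ""))
    with open(path) as fh:
        return fh.read()


# Hardened form: the client names a key, the server maps it to a file it chose.
DOCUMENTS = {"ticket-info": "ticket-info.txt"}  # constructed allowlist


def read_file_hardened(params):
    """Serve only allowlisted documents; unknown keys get None (a 404 in a real handler).
    The realpath check is belt-and-braces so a bad allowlist entry cannot escape BASE_DIR."""
    name = DOCUMENTS.get(params.get("doc", ""))
    if name is None:
        return None
    base = os.path.realpath(BASE_DIR)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        return None
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    # Both request shapes from the writeup reach the same parameter map.
    post = params_from_request("POST", "/read-file.php", "filename=flag.txt")
    get = params_from_request("GET", "/read-file.php?filename=flag.txt")
    print(post == get, read_file_vulnerable(post).strip())
    print(read_file_hardened({"doc": "flag.txt"}), read_file_hardened({"doc": "ticket-info"}).strip())
```

The hardened handler never turns client input into a path: the only thing the client can influence is which allowlisted key is looked up, so rewriting the parameter in Burp yields nothing beyond the documents the server already intends to publish.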
For the final part, I kept intercepting requests while following the page flow. One forwarded request contains an authorization value. The important lesson here is that anything sent by the browser is under the user's control, even if the page UI does not expose it.
Changing the authorization value to
authorized=true
That makes the backend return the last piece without burning the flag:
r3p34t}
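Two of the checks in this challenge, the Windows 95 User-Agent gate from the first step and the forwarded authorized value from the last step, share the same flaw: the server decides based on bytes the client writes. The following is an added example, not the challenge's code, modelling both checks as functions over a request dict, a detection heuristic for the rewritten User-Agent (a 1997 browser cannot negotiate HTTP/2, yet the writeup's requests are HTTP/2), and a server-side session that holds the authorization state instead. The request dicts, the Cookie layout and the session helpers are constructed for the example.

```python
import secrets

# Constructed sample requests, shaped like the ones the writeup forwards through Burp.
STOCK_BROWSER = {
    "version": "HTTP/2",
    "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"},
    "params": {},
}
EDITED_IN_BURP = {
    "version": "HTTP/2",
    "headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"},
    "params": {"authorized": "true"},
}


def os_gate_by_user_agent(request):
    """The challenge's first check: a header string the client writes decides access."""
    return "Windows 95" in request["headers"].get("User-Agent", "")


def implausible_user_agent(request):
    """Detection heuristic, not a gate: MSIE 4 predates HTTP/2 by almost two decades,
    so this combination only arises when the header was rewritten. Log it."""
    ua = request["headers"].get("User-Agent", "")
    return "MSIE 4." in ua and request["version"] == "HTTP/2"


def final_step_trusting_client(request):
    """The challenge's last check: trusts a form field the browser submitted."""
    return request["params"].get("authorized") == "true"


# Server-side form: authorization lives in a session the server owns, keyed by an
# unguessable cookie value, and is flipped only when the real precondition is met.
SESSIONS = {}


def start_session():
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"authorized": False}
    return sid


def mark_authorized(sid):
    """Called by the server after the genuine step succeeds, never from request input."""
    SESSIONS[sid]["authorized"] = True


def final_step_server_side(request):
    """Ignore any 'authorized' parameter; consult only the server's own session record."""
    sid = request["headers"].get("Cookie", "").partition("session=")[2]
    return SESSIONS.get(sid, {}).get("authorized", False)


if __name__ == "__main__":
    print(os_gate_by_user_agent(STOCK_BROWSER), os_gate_by_user_agent(EDITED_IN_BURP))
    print(implausible_user_agent(EDITED_IN_BURP))
    print(final_step_trusting_client(EDITED_IN_BURP), final_step_server_side(EDITED_IN_BURP))
```

With the session-based check, forwarding a request with authorized=true changes nothing: the server looks up its own record for the cookie, and that record is only set by server code after the real step completes.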
Putting the pieces together gives:
CSCG{1334k_1nt3rc3pt_m0d1fy_fwd_r3p34t}