Hacking the lottery | CTF Challenge

2024-10-23

Challenge Info

Metro Lottery (Medium)(100 points)

Description: Conduct a security audit on the city's lottery system.

What is the flag obtained after winning the lottery? (100 pts)

Hacking the lottery

  • Upon accessing the site, we are greeted with this:

Homepage of the lottery page

Fig.1
  • Hmm let's inspect it a little.

In the Network tab

Fig.2 Hmm
  • Interesting, let's see if we can send a POST request with this JSON format from Postman.

postman request

Fig.3 Postman the GOAT
  • I modified the ticket amount to a ridiculous amount, let's post it and see what happens.

lots of ticketsss

Fig.4 WOW
  • It would be really funny not to win with this many tickets.

flaggggg

Fig.4 WOW
  • Ayy we got it, this is why you should always sanitize requests on the server side too. Imagine this was a real lottery, then I would have been a millionaire!
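
The fix the last bullet points at, as an added example that is not the challenge's own code: a server-side handler that validates the client-supplied ticket count instead of trusting it. The JSON field name `tickets`, the per-purchase cap, the ticket price and the balance check are all assumptions, since the write-up only shows that the amount in the POST body was honoured as-is.

```python
import json
from dataclasses import dataclass

MAX_TICKETS_PER_PURCHASE = 10   # assumed business rule, not from the challenge
TICKET_PRICE_CENTS = 200        # assumed price per ticket


@dataclass
class Result:
    ok: bool
    tickets: int = 0
    error: str = ""


def trusting_handler(raw_body: str) -> Result:
    """Mirrors the bug in the write-up: the 'tickets' value from the client is used as-is."""
    body = json.loads(raw_body)
    return Result(ok=True, tickets=int(body["tickets"]))


def validated_handler(raw_body: str, balance_cents: int) -> Result:
    """Hardened version: type-check, bound, and price the request before accepting it."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return Result(False, error="malformed JSON")
    if not isinstance(body, dict):
        return Result(False, error="body must be a JSON object")
    tickets = body.get("tickets")
    # bool is a subclass of int in Python, so reject it explicitly; also rejects "2", 2.0, None
    if isinstance(tickets, bool) or not isinstance(tickets, int):
        return Result(False, error="tickets must be an integer")
    if tickets < 1 or tickets > MAX_TICKETS_PER_PURCHASE:
        return Result(False, error=f"tickets must be between 1 and {MAX_TICKETS_PER_PURCHASE}")
    # The purchase must actually be paid for from a server-side balance, never a client-sent total
    if tickets * TICKET_PRICE_CENTS > balance_cents:
        return Result(False, error="insufficient balance")
    return Result(True, tickets=tickets)


# Constructed request bodies for illustration, not captured from the challenge
NORMAL_REQUEST = '{"tickets": 2}'
INFLATED_REQUEST = '{"tickets": 999999999}'

if __name__ == "__main__":
    print(trusting_handler(INFLATED_REQUEST))               # accepted: the bug
    print(validated_handler(INFLATED_REQUEST, 10_000))      # rejected: over the cap
    print(validated_handler(NORMAL_REQUEST, 10_000))        # accepted
```

The draw itself should then count tickets from the server's purchase records, so the request body never influences how many entries a player holds.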

Flag: SKY-AHQP-6005

For any work-related inquiries, please email me at vipin@vipin.xyz. If you want to chat with me, feel free to drop me a message on Discord.