Official Weather App Discussion

Official discussion thread for Weather App. Please do not post any spoilers or big hints.

Cool challenge so far! I think I found what I need to do, but I can’t figure out what to do to successfully r******r. I’d highly appreciate a small hint or at least telling me if I am on the right track!

EDIT: Ok, for people distracted, don’t forget you can download files for this challenge.

@docluis said:

Cool challenge so far! I think I found what I need to do, but I can’t figure out what to do to successfully r******r. I’d highly appreciate a small hint or at least telling me if I am on the right track!

I’m stuck at the “r******r” part, but from the code I can see what the next step is.

Successfully get flag in local environment, but in remote environment, if s***p is caught, the server stops. Is there anything I’m overlooking?

@d1mihsp4ce said:

Successfully get flag in local environment, but in remote environment, if s***p is caught, the server stops. Is there anything I’m overlooking?

I’m having the exact same issue, did you get there in the end?

It’s not a blocking query, it’s in asynchronous execution which means you’re not going to be able to cause delays or errors. That’s the point of that step.

I finally succeeded to solve it through my exploit.

I’m stuck at the rr part, but already got a flag in the local env. Is there any way to do a P request via a/******r method?

I have requested POST to create a new account successfully.
I am trying to exploit Si in r***er function but I am stuck here.
Am I on the right way? Can somebody give me a hint?

@vnv said:

I have requested POST to create a new account successfully.

You don’t need a new account. Just look to existing. How do you do a POST request?

@Difrex said:

@vnv said:

I have requested POST to create a new account successfully.

You don’t need a new account. Just look to existing. How do you do a POST request?

I exploit s##i via request /a*i/w*****r

I’m also stuck. Server stops for some reason when content type is changed. Any hint?

I am stuck at /a**/w****r
Tried to brute force on /l
n could not get anything there.
Can anyone please guide me in the right direction?
Thanks

[update-1]
I tried to read the code dump and found something interesting with /rr POST request.
I am still stuck at bypassing certain check, tried all X
******r header, anyone nudge in the correct direction please.

Finally, got the flag :))! I was on the right way. Great challenge!

@vnv said:
I have requested POST to create a new account successfully.
I am trying to exploit Si in r***er function but I am stuck here.
Am I on the right way? Can somebody give me a hint?

found the reason. good luck to everyone and more correct thoughts

can somebody pls give me a hint how is it possible to make a post?

Can do the POST but fight to combine all things so that they work - it would be nice if someone could give me a nudge for this

nvm - done

Read through the code. Think I know what to do with /r******r but it’s not working. Am I missing something?

I finished… I think the challenge should be worth more than 30 points. Anyway, it’s a great one and I learned quite a bit. Thanks!