fix: update link in Cyberspace

PSDat123 · PSDat123 · commit 9b170f0d5d20 · 2024-09-11T00:12:51.000+07:00
diff --git a/_posts/2024-09-02-Cyberspace-2024.md b/_posts/2024-09-02-Cyberspace-2024.md
@@ -8,13 +8,13 @@ img_path: /assets/img/CyberSpace-2024
 image: banner.png
 ---
 
-I played [CyberSpace 2024](https://ctftime.org/event/2428) this year with the team [epic merger](https://ctftime.org/team/349896) and got 5th place. We cleared the web category (including the sponsor challenge). Here's the writeups for the challenges that I've solve and my note on my teammate's solution for the challenges that I wasn't able to solve.
+I played [CyberSpace 2024](https://ctftime.org/event/2428){:target="_blank"} this year with the team [epic merger](https://ctftime.org/team/349896){:target="_blank"} and got 5th place. We cleared the web category (including the sponsor challenge). Here's the writeups for the challenges that I've solve and my note on my teammate's solution for the challenges that I wasn't able to solve.
 
 ## ZipZone
 **Solvers:** 173 <br>
 **Author:** rex
 
-This was a beginner web challenge, the idea was to use the fact that we can zip a [symlink](https://en.wikipedia.org/wiki/Symbolic_link) and when upzipped, we can read that symlink which can point to any files on the system
+This was a beginner web challenge, the idea was to use the fact that we can zip a [symlink](https://en.wikipedia.org/wiki/Symbolic_link){:target="_blank"} and when upzipped, we can read that symlink which can point to any files on the system
 
 Let's look at the code:
 ```python
@@ -217,7 +217,7 @@ I will modify it to send a date that is 10 days into the future.
 
 After that use ngrok to expose the port, and provide the address to `/release?debug=true` then it will give us the `access_granted` token.
 
-Finally, it's just some basic [command injection](https://book.hacktricks.xyz/pentesting-web/command-injection) at `/feature`.
+Finally, it's just some basic [command injection](https://book.hacktricks.xyz/pentesting-web/command-injection){:target="_blank"} at `/feature`.
 
 **Solve script**
 ```python
@@ -286,7 +286,7 @@ func DisplayFlag(ctx *gin.Context) {
 ```
 {: file="handlers/service/Posts.go" }
 
-Yep, definitely a [TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use) problem.
+Yep, definitely a [TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use){:target="_blank"} problem.
 
 We can see that the `CreatePost` function will call `CheckNoOfPosts` first then after a `while`, it will call `InsertPost`. In that time frame, we can send a bunch of request to create post at the same time and it will go past the 10 notes limit.
 
@@ -372,7 +372,7 @@ Apparently the application use htmx for the front-end, so let's hit the document
 After reading the document for those attribute, we can find a very suspicious attribute `hx-vals`
 
 ![hx-val document](hx-vals.png)
-*[https://htmx.org/attributes/hx-vals/](https://htmx.org/attributes/hx-vals/)*
+*[https://htmx.org/attributes/hx-vals/](https://htmx.org/attributes/hx-vals/){:target="_blank"}*
 
 That's litterally a free XSS, so we can do something like this and it will pop an alert.
 ```html
@@ -455,7 +455,7 @@ server {
 }
 ```
 {: file="nginx.conf" }
-Yep it was there all along, we can do path traversal to get the challenge binary with `/static../chall` and the admin's jwt with `/static../jwt.secret`. More on nginx alias misconfiguration [here](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/nginx#alias-lfi-misconfiguration)
+Yep it was there all along, we can do path traversal to get the challenge binary with `/static../chall` and the admin's jwt with `/static../jwt.secret`. More on nginx alias misconfiguration [here](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/nginx#alias-lfi-misconfiguration){:target="_blank"}
 
 To solve the first challenge, we just need to craft a admin session token with the `jwt.secret` and go to `/admin/dashboard` to get the secret post id and get the flag.
 
@@ -511,7 +511,7 @@ on "download" do
 ```
 {: file="app/server.rb" }
 
-After reading the [rack](https://github.com/rack/rack/blob/main/lib/rack/request.rb#L414) source code, we can see that we can easily spoof our ip with `X-Forwarded-For` header since the line 418-420 is removed when building the docker image.
+After reading the [rack](https://github.com/rack/rack/blob/main/lib/rack/request.rb#L414){:target="_blank"} source code, we can see that we can easily spoof our ip with `X-Forwarded-For` header since the line 418-420 is removed when building the docker image.
 
 `RUN patch /usr/local/bundle/gems/rack-3.1.7/lib/rack/request.rb < patch.txt`
 ```plaintext
@@ -528,11 +528,11 @@ After reading the [rack](https://github.com/rack/rack/blob/main/lib/rack/request
 When try on local, using the `X-Forwarded-For` will indeed spoof our ip as 127.0.0.1, but the remote is different from local because it's deployed behind a load balancer, and that load balance will modify our `X-Forwarded-For` header before sending it to the real app.
 
 ![load balancer doc](gcp-load-balancer.png)
-*[Reference](https://cloud.google.com/load-balancing/docs/https#x-forwarded-for_header)*
+*[Reference](https://cloud.google.com/load-balancing/docs/https#x-forwarded-for_header){:target="_blank"}*
 
-After hours of playing around with the `X-Forwarded-For` and other header without any result. One of my teammates - [Masamune](https://discord.com/users/538608747153588224). Found that this header will work: `Forwarded: for=127.0.0.1;` 
+After hours of playing around with the `X-Forwarded-For` and other header without any result. One of my teammates - [Masamune](https://discord.com/users/538608747153588224){:target="_blank"}. Found that this header will work: `Forwarded: for=127.0.0.1;` 
 
-Based on the document: [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded), `The alternative and de-facto standard versions of this header are the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto headers.`
+Based on the document: [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded){:target="_blank"}, `The alternative and de-facto standard versions of this header are the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto headers.`
 
 So that means that `X-Forwarded-For` is just another version of `Forwarded: for=<ip>`. That's a new knowledge for me.
 
@@ -655,7 +655,7 @@ After the competition ended, the author revealed that the intended solution is t
 
 `http://localhost:3000/?name=%0aalert()//%3C/script%3E&snippet=%3Cp%20id=%22%3C!--%3Cscript%3E%22%3E`
 
-Reference: [https://creds.nl/2024-07-27-overlooked-xss-vector](https://creds.nl/2024-07-27-overlooked-xss-vector)
+Reference: [https://creds.nl/2024-07-27-overlooked-xss-vector](https://creds.nl/2024-07-27-overlooked-xss-vector){:target="_blank"}
 
 That was a relatively new article, I'm still confused on why the browser will parse the script tag inside string. But I'll take note of this for future uses.
 
@@ -743,7 +743,7 @@ Then pop goes the alert.
 **Solvers:** 9 <br>
 **Author:** GabeG888
 
-This challenge was solved by [Masamune](https://discord.com/users/538608747153588224) after one of our teammmates gave an idea
+This challenge was solved by [Masamune](https://discord.com/users/538608747153588224){:target="_blank"} after one of our teammmates gave an idea
 
 ![quiz-idea](quiz-idea.png)
 
@@ -845,7 +845,7 @@ while True:
 **Solvers:** 7 <br>
 **Author:** 0xM4hm0ud
 
-This challenge was solved by [jeser](https://discord.com/users/293440719857909760) while I was sleeping, when I woke up and saw his payload, I was overwhelmed lol. But here's my analysis of the challenge.
+This challenge was solved by [jeser](https://discord.com/users/293440719857909760){:target="_blank"} while I was sleeping, when I woke up and saw his payload, I was overwhelmed lol. But here's my analysis of the challenge.
 
 Here's his final payload for the challenge:
 ```
@@ -871,7 +871,7 @@ And the flag file name is randomly generated so we have to find out the flag fil
 So we need to do `system('ls /')` first, but how?
 The character `/` is in the blacklist and the space character will need quotes, but it's also in the blacklist.
 
-One way we can get those character is via [`dump()`](https://twig.symfony.com/doc/3.x/functions/dump.html) function and [`nl2br()`](https://twig.symfony.com/doc/3.x/filters/nl2br.html) filter, which return alot of character we can use.
+One way we can get those character is via [`dump()`](https://twig.symfony.com/doc/3.x/functions/dump.html){:target="_blank"} function and [`nl2br()`](https://twig.symfony.com/doc/3.x/filters/nl2br.html){:target="_blank"} filter, which return alot of character we can use.
 
 If we send the payload like: `{% raw %}{{dump()|nl2br()}}{% endraw %}` we'll get the following output
 ```
@@ -894,7 +894,7 @@ For the character `m` we can do this `{m:1}|keys|join()`.
 In order to join them together, Twig has a very convenient operator which is `~` that is not in the blacklist.
 
 ![twig tilde doc](twig-tilde.png)
-*Reference: [https://www.branchcms.com/learn/docs/developer/twig/operators](https://www.branchcms.com/learn/docs/developer/twig/operators)*
+*Reference: [https://www.branchcms.com/learn/docs/developer/twig/operators](https://www.branchcms.com/learn/docs/developer/twig/operators){:target="_blank"}*
 
 Let's set those two as a variable first.
 ```
@@ -934,7 +934,7 @@ Now we know that the flag file name is `flag-edbfcbcaef`. So we'll use the same
 
 But there's a new character which we can't use the above technique for, it's the dash character `-`.
 
-So we'll need to find another way to get it. Another way to get a lot of characters is via the global [`_charset`](https://twig.symfony.com/doc/3.x/templates.html#global-variables) variable.
+So we'll need to find another way to get it. Another way to get a lot of characters is via the global [`_charset`](https://twig.symfony.com/doc/3.x/templates.html#global-variables){:target="_blank"} variable.
 
 If we send this `{% raw %}{{_charset}}{% endraw %}` to the server it will return `UTF-8`. There's the dash character that we need. So just extract it with `slice()` and `join()` like the others.
 ```
@@ -970,7 +970,7 @@ All that's left is to chain them together to get the final payload, send them to
 **Solvers:** 6 <br>
 **Author:** Cybersharing
 
-This challenge was solved by [LyC0nTriX](https://discord.com/users/1116855799659102309) in the last 5 minutes of the competition. This was more of a misc-guessing challenge more than a web challenge but it has a web tag so I'll include it here as well.
+This challenge was solved by [LyC0nTriX](https://discord.com/users/1116855799659102309){:target="_blank"} in the last 5 minutes of the competition. This was more of a misc-guessing challenge more than a web challenge but it has a web tag so I'll include it here as well.
 
 The challenge gave us a picture with the following hints
 ![Challenge picture](share-the-flag.png)
@@ -990,7 +990,7 @@ So I'll spin up a quick http server that can log headers information and send th
 As you can see, discord will send a request to that address with the user-agent: `Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)`.
 
 So let's try to request `cybersharing.net` ourselves with that header and see what will be returned.
-We'll send a curl request with the header `User-Agent: Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)` to [https://cybersharing.net/history](https://cybersharing.net/history) since the first hint pointed to that.
+We'll send a curl request with the header `User-Agent: Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)` to [https://cybersharing.net/history](https://cybersharing.net/history){:target="_blank"} since the first hint pointed to that.
 
 ```console
 curl -H 'User-Agent: Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)' https://cybersharing.net/history
@@ -999,7 +999,7 @@ It'll return a bunch of html code, but if we look closely or use `grep` we can s
 
 ![flag link](share-the-flag-flag.png)
 
-Here's the link: [https://cybersharing.net/s/13f17b167f2229809a95fb9d8c725449](https://cybersharing.net/s/13f17b167f2229809a95fb9d8c725449) 
+Here's the link: [https://cybersharing.net/s/13f17b167f2229809a95fb9d8c725449](https://cybersharing.net/s/13f17b167f2229809a95fb9d8c725449){:target="_blank"} 
 
 Download it and get the flag.
 
