Scenario "Paris": Where is my webserver?

[fduran]

Discussions about scenario Paris

[HarukaMa]

Sent a feedback, but pasting here for ref :

Spoilers ahead

Strange one, my first instinct is to somehow gain access to the webserver.py file. "Random UA passes webserver auth" doesn't seems like a good fit of "server diagnostics" theme. This is more like a very easy web ctf question.

Also, "random UA gives password" is not that "real-world" as well. I didn't expect at all that it will spit out the flag when I used some random UA to send the request. What real server would do that?

I don't really know why this scenario is put like this. Probably you wanted to test if the user knows they can use arbitrary UA to troubleshoot some web services?

Anyway, the scenario in the current form feels pretty strange to me. Probably it's too different from other scenarios.

[fduran]

Hello, thanks for your comment. I'm not sure what "UA" means :-)

This is not a realistic scenario in itself, but the themes in it and the skills and tools to solve it I think are realistic.

[akantak]

I'm pretty sure that UA here means user agent header which is the clou of this task.
It looks more like a CTF style task.
IMO there should be mentioned somewhere that the access to the server was blocked for the "CLI hackers" or any other way pointing that using one tool it works, while using another one does not work.

EDIT: or something like "he is into security/open-source/apple so the access is only from tor-browser/firefox/safari". Just a few examples here, whatever suits you.

[fduran]

@akantak yes UA is user agent. This is not a realistic scenario by any means; it's not tagged as such but as hack or CTF as you say. I agree some sort of tip would be nice but mentioning something like it only works from some browsers pretty much gives it away.