Michal Biesiada
CTF Writeup — Fetch the Flag CTF 2023 — Unhackable Andy

Hi All,

This one starts with OSINT and ends with command injection. ✨

Description of the challenge ‘Unhackable Andy’: “Someone might want to let ol’ Andy know the old adage — pride goeth before the fall.” — source: https://snyk.ctf.games/challenges

That’s all we get. Now we have to visit the challenge site: http://challenge.ctf.games:30900/

The site is quite simple. There are two options: Home and Login.

As in my previous writeups, the usual first checks (CTRL+U for the page source, F12 for the dev tools) turn up nothing. 🎉

‘Home’ gives the same page of course, and ‘Login’ gives the login panel. On the main page there is a pinned link to the GitHub profile of the mentioned creator (“Unhackable Andy”; by the way, the text there is quite funny — great job!). Let’s take a look: https://github.com/UnhackableAndy

There we can see two repos: ‘my-awesome-site’ and ‘my-other-awesome-site’.
Interesting, right? We don’t even have to fork or clone them; GitHub’s own features are enough. Check the commit history.

If you dig deeper there, you will find that the mentioned actor made a mistake. We can see it in this commit: https://github.com/unhackableandy/my-awesome-site/commit/d4d664824980d04de78b6aa114f3bac6e27d59d8

Image 1 - Fetch the Flag CTF 2023 — Unhackable Andy — GitHub repo

So we can see credentials committed to the repo. A large security issue on Unhackable Andy’s part.

Let’s try them on the actor’s site — they work, and we are logged in. ✔

Here, the site is also quite simple. The /logout endpoint works as we would expect (it logs us out). There are no other interesting features.

Image 2 - Fetch the Flag CTF 2023 — Unhackable Andy — site

But we can see a form pre-filled with the command ‘shutdown -r’ and a Submit button.

What if we type something else there? Is the input validated at all? Is it safe?

Try ls there (https://en.wikipedia.org/wiki/Ls).
Result:

Image 3 - Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection

We are so close! Now just use cat (https://en.wikipedia.org/wiki/Cat_(Unix)),
so ‘cat flag.txt’:

Result — the flag:

Image 4 - Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection
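As an added illustration (not code from the original writeup, and not the challenge’s real source, which we never see), here is the pattern behind this bug: a handler that passes the form field straight to a shell, next to an allowlisted version that only accepts named actions and runs a fixed argv without a shell. The action names and the echo-simulated ‘shutdown -r’ are assumptions so the snippet can run anywhere.

```python
"""Vulnerable vs. hardened handling of an admin page's 'command' field."""
import re
import subprocess

# Constructed allowlist: the action names the page may trigger, each mapped to a
# fixed argv. 'shutdown -r' is simulated with echo so this runs without rebooting.
ALLOWED_ACTIONS = {
    "reboot": ["echo", "shutdown -r (simulated)"],
    "uptime": ["echo", "uptime (simulated)"],
}

# Shell metacharacters that let a second command be chained onto the expected one.
# The same pattern doubles as a cheap detection rule over request logs.
SHELL_META = re.compile(r"[;&|`$<>\n\\]")


def run_action_vulnerable(user_input: str) -> str:
    """The flawed pattern: the raw form value becomes a shell command line, so
    whatever the web user types runs with the web server's privileges."""
    result = subprocess.run(user_input, shell=True, capture_output=True, text=True)
    return result.stdout


def looks_like_injection(user_input: str) -> bool:
    """Detection helper: flag values containing shell metacharacters or that are
    not a known action name. Useful for log review or an alerting rule."""
    has_meta = bool(SHELL_META.search(user_input))
    return has_meta or user_input.strip() not in ALLOWED_ACTIONS


def run_action_hardened(user_input: str) -> str:
    """Hardened pattern: treat the form value as an action *name*, look it up in
    the allowlist, and run the fixed argv with shell=False. Free-form text never
    reaches an interpreter, so 'ls' or 'cat flag.txt' are simply rejected."""
    name = user_input.strip()
    if name not in ALLOWED_ACTIONS:
        raise ValueError(f"rejected action {name!r}")
    result = subprocess.run(ALLOWED_ACTIONS[name], shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(run_action_vulnerable("echo hello; echo injected"))  # both commands run
    print(looks_like_injection("reboot; cat flag.txt"))         # True
    print(run_action_hardened("reboot"))                         # simulated reboot only
```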

  • Fun fact: this flag was captured literally in the LAST MINUTE before the end. So exciting! 🚀

I hope you enjoyed it! 🍀

Note: Originally published on Medium

Best wishes,
