
CTF Writeup — Fetch the Flag CTF 2023 — Unhackable Andy

Published at: 11/15/2023
Categories: ctf, cybersecurity, ctfwriteup, itsecurity
Author: Michal Biesiada

Hi All,

This one starts with OSINT and ends with command injection. ✨

Description of the challenge: “Someone might want to let ol’ Andy know the old adage — pride goeth before the fall.” — source: https://snyk.ctf.games/challenges — Unhackable Andy

That’s all. Now we have to visit the site: http://challenge.ctf.games:30900/

The site is quite simple. There are two options: Home and Login.

As in my previous notes: CTRL+U and F12 are clean. 🎉

‘Home’ gives the same page, of course, and ‘Login’ gives the login panel. On the main page there is a pinned GitHub profile of the mentioned creator (“Unhackable Andy”; by the way, the text there is quite funny, great job!). Let’s take a look there: https://github.com/UnhackableAndy

There we can see two repos: ‘my-awesome-site’ and ‘my-other-awesome-site’.
Interesting, right? We don’t even have to fork or clone them; just use GitHub’s own features and check the commit history.

If you dig deeper there, you will find that the mentioned actor made a mistake. We can see it here: https://github.com/unhackableandy/my-awesome-site/commit/d4d664824980d04de78b6aa114f3bac6e27d59d8

Image 1: Fetch the Flag CTF 2023 — Unhackable Andy — GitHub repo

So we can see credentials committed to the repository. A serious security issue on Unhackable Andy’s part.

Let’s check them on the actor’s site: it works fine, we are logged in. ✔

Here the site is also quite simple. The /logout endpoint works as expected (it logs you out). No other interesting features there.

Image 2: Fetch the Flag CTF 2023 — Unhackable Andy — site

But we can see the command ‘shutdown -r’ in an input field and a Submit button.

What if we type something else there? Is it protected? Is it safe?

Let’s try: ls (https://en.wikipedia.org/wiki/Ls)
Result:

Image 3: Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection

We are so close! Now just use cat (https://en.wikipedia.org/wiki/Cat_(Unix)),
so ‘cat flag.txt’:

Result β€” the flag:

Image 4: Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection
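The admin form above behaves as if the submitted text is handed straight to a shell. As an added illustration (not code from the challenge, whose backend is not shown), here is that vulnerable pattern next to an allowlisted handler that only ever runs a fixed argv; the module, function names and the /sbin/shutdown path are assumptions.

```python
import shlex
import subprocess

# Allowlist: the only action the admin page is meant to offer, mapped to a
# fixed argv. User text is used as a lookup key, never as part of a command.
ALLOWED_COMMANDS = {
    "shutdown -r": ["/sbin/shutdown", "-r", "now"],  # assumed path
}


def run_admin_command_vulnerable(user_input: str) -> str:
    """The pattern the writeup exploits: input passed verbatim to a shell.

    With shell=True, 'ls' or 'cat flag.txt' run exactly like 'shutdown -r'.
    """
    result = subprocess.run(user_input, shell=True, capture_output=True, text=True)
    return result.stdout


def resolve_admin_command(user_input: str):
    """Return the fixed argv for an allowlisted command, or None if rejected.

    Only whitespace is normalised; anything else ('ls', 'shutdown -r; cat flag.txt',
    'shutdown -r && ls') simply does not match a key and is refused.
    """
    try:
        key = " ".join(shlex.split(user_input))
    except ValueError:  # unbalanced quotes etc.: treat as not allowed
        return None
    return ALLOWED_COMMANDS.get(key)


def run_admin_command_hardened(user_input: str, runner=subprocess.run) -> str:
    """Run only an allowlisted action, with no shell and a fixed argv.

    `runner` is injectable so the behaviour can be tested without rebooting.
    """
    argv = resolve_admin_command(user_input)
    if argv is None:
        # A rejected value is worth logging: it is exactly what an attacker tries.
        raise ValueError(f"command not allowed: {user_input!r}")
    result = runner(argv, capture_output=True, text=True)
    return result.stdout
```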

  • Funny fact: this flag was captured literally in the LAST MINUTE before the end. So exciting! 🚀

I hope you enjoyed it! 🍀

Note: Originally published on Medium

Best wishes,
