DEV Community

Michal Biesiada
Michal Biesiada

Posted on

CTF Writeup — Fetch the Flag CTF 2023 — Unhackable Andy

Hi All,

It is connected with OSINT at start, and Command Injection at the end. ✨

Description of the challenge: “Someone might want to let ol’ Andy know the old addage — pride goeth before the fall.” — source: https://snyk.ctf.games/challengesUnhackable Andy

That’s all. Now we have to visit some site: http://challenge.ctf.games:30900/

Site is quite simply. There are two options — Home and Login.

Referring to my last notices: CTRL+U & F12 are clear. 🎉

Home’ gives the same site of course, ‘Login’ gives Login panel. At the main site there is pinned GH GitHub profile of mentioned creator (“Unhackable Andy”; by the way, text there is quite funny — great job!). Let’s take a look there. https://github.com/UnhackableAndy

There we can see two repos: ‘my-awesome-site’ and ‘my-other-awesome-site’.
Interesting, right? We even don’t have to fork or clone this — just using features from GitHub — please check Git History.

If you dig deeper there, you will know that mentioned actor made some mistake. We can see this here https://github.com/unhackableandy/my-awesome-site/commit/d4d664824980d04de78b6aa114f3bac6e27d59d8

Fetch the Flag CTF 2023 — Unhackable Andy — GitHub repo Image 1 - Fetch the Flag CTF 2023 — Unhackable Andy — GitHub repo

So we can see credentials. Large security issue by Unhackable Andy.

Let’s check this on actor’s site — it works fine, logged in. ✔

Here, the site is also quite simple. Endpoint /logout works like we suppose (logging out). No more interesting features there.

Fetch the Flag CTF 2023 — Unhackable Andy — site Image 2 - Fetch the Flag CTF 2023 — Unhackable Andy — site

But we can see that command ‘shutdown -r’ and btn Submit.

What if we type there something else? Is is protected? Is it safe?

Please use there: ls (https://en.wikipedia.org/wiki/Ls)
Result:

Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection Image 3 - Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection

We are so close! * Now please just use “cat” https://en.wikipedia.org/wiki/Cat_(Unix)
so ‘cat flag.txt’:

Result — the flag:

Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection Image 4 - Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection

  • Funny fact, this flag was achieved in literally the LAST MINUTE before the end. So exciting! 🚀

I hope you enjoy! 🍀

Note: Originally published on Medium

Best wishes,

Top comments (0)