COMPFEST CTF 2023 - COMPaste

Description

Category: Misc

Obligatory pastebin clone. But people said that Python is slow, so I made the I/O in C! Now it is blazingly fast!

The admin has the following sticky note:

/app/files # ls B1NHZ27SVYV6IJQMD25OT6Y4BPGQ9UID.txt flag*
B1NHZ27SVYV6IJQMD25OT6Y4BPGQ9UID.txt  flag                                  flag.txt
/app/files # 

Author: rorre

http://34.101.68.243:10010/

Resolution

1. Overview

The webapp allows us to read any note on the server.

Every note is a .txt file. When we ask for a note by its Note ID, the backend appends .txt to the Note ID and opens that file.

Our goal is to read the file flag, but when we ask the webapp to display it, it displays the file flag.txt instead.

2. Null-byte injection

The most important hint from the description is "I made the I/O in C".

In C, a string is an array of characters terminated by the null byte \x00. The null byte marks the end of the string, even if more characters follow it in the array.

So we can ask the webapp for the file flag\x00. The server builds the file name flag\x00.txt, which the C code interprets as flag because it stops at the null byte. (Null-byte injection)

We can inject the null byte in the URL with %00: http://34.101.68.243:10010/view?id=flag%00

Which gives us the flag: COMPFEST15{NULL_4nD_C_Str1nG_0914ebf8ea280}.
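
The length mismatch behind this bug, as an added example that is not part of the original post or the challenge's source: a length-aware caller builds a 9-byte name while a C API sees only flag, followed by a validation routine that rejects such IDs before any path is built. The function names, buffer size, length limit and alphanumeric allowlist are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 128

/* Assumed backend behaviour: copy all id_len bytes of the ID, then append
 * ".txt". Returns the byte count a length-aware caller (such as Python)
 * believes it built, or 0 if the buffer is too small. */
static size_t build_path(const char *id, size_t id_len, char out[PATH_BUF]) {
    if (id_len + sizeof(".txt") > PATH_BUF) return 0;
    memcpy(out, id, id_len);
    memcpy(out + id_len, ".txt", sizeof(".txt")); /* copies the final NUL too */
    return id_len + 4;
}

/* Returns 1 if the name a C API such as fopen() would see, i.e. the bytes up
 * to the first NUL, equals `name`. */
int c_api_opens(const char *id, size_t id_len, const char *name) {
    char path[PATH_BUF];
    if (build_path(id, id_len, path) == 0) return 0;
    return strcmp(path, name) == 0;
}

/* Hardened check, run on the decoded ID before any path is built:
 * reject embedded NUL bytes and anything outside a strict allowlist. */
int note_id_is_valid(const char *id, size_t id_len) {
    if (id_len == 0 || id_len > 64) return 0;        /* length limit: assumption */
    if (memchr(id, '\0', id_len) != NULL) return 0;  /* embedded NUL */
    for (size_t i = 0; i < id_len; i++)
        if (!isalnum((unsigned char)id[i])) return 0; /* no '/', '.', ... */
    return 1;
}

int main(void) {
    /* Constructed input: id=flag%00 decodes to 5 bytes, "flag" plus NUL. */
    const char id[] = "flag\0";
    char path[PATH_BUF];
    size_t built = build_path(id, 5, path);
    printf("caller built %zu bytes, C API sees \"%s\" (%zu bytes)\n",
           built, path, strlen(path));
    printf("opens flag: %d, passes validation: %d\n",
           c_api_opens(id, 5, "flag"), note_id_is_valid(id, 5));
    return 0;
}
```

The check has to run on the decoded bytes together with their explicit length; once the ID is handled as a plain C string, the truncation has already happened.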

This post is licensed under CC BY 4.0 by the author.