COMPFEST CTF 2023 - COMPaste
Description
Category: Misc
Obligatory pastebin clone. But people said that Python is slow, so I made the I/O in C! Now it is blazingly fast!
The admin has the following sticky note:
    /app/files # ls B1NHZ27SVYV6IJQMD25OT6Y4BPGQ9UID.txt flag*
    B1NHZ27SVYV6IJQMD25OT6Y4BPGQ9UID.txt flag flag.txt
    /app/files #

Author: rorre
Resolution
1. Overview
The webapp allows us to read any note on the server.
Every note is a .txt file.
When we request a note by its Note ID, the backend appends .txt to the end of the Note ID and opens that file.
Our goal is to read flag, but when we ask the webapp to display it, it displays the file flag.txt instead.
2. Null-byte injection
The most important hint from the description is "I made the I/O in C".
In C, a string is an array of characters terminated by the null byte \x00. C string functions treat the first null byte as the end of the string, even if more characters follow it.
So we can ask the webapp for the note flag\x00: the backend builds the file name flag\x00.txt, which the C code interprets as flag. This is a null-byte injection.
We can inject the null byte in the URL with %00:
http://34.101.68.243:10010/view?id=flag%00
Which gives us the flag: COMPFEST15{NULL_4nD_C_Str1nG_0914ebf8ea280}.
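The truncation described in section 2, next to an input check that stops it, as an added example (this is not the challenge's source code). The function names and the alphanumeric Note ID pattern are assumptions made for illustration; ctypes stands in for the C I/O layer.

```python
import ctypes
import re
from urllib.parse import unquote

# Assumption: note IDs are short alphanumeric strings like the one in the listing.
NOTE_ID_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def name_seen_by_c(filename: str) -> str:
    """Return the file name as C code receiving a char* would read it.

    ctypes copies the bytes into a C buffer; .value stops at the first
    null byte, the same place strlen() or fopen() would stop.
    """
    buf = ctypes.create_string_buffer(filename.encode("utf-8"))
    return buf.value.decode("utf-8")


def naive_note_filename(raw_id: str) -> str:
    """Vulnerable pattern: decode the query value and append the suffix blindly."""
    return unquote(raw_id) + ".txt"


def checked_note_filename(raw_id: str) -> str:
    """Hardened pattern: allow-list the decoded ID before building the name."""
    note_id = unquote(raw_id)
    if not NOTE_ID_RE.fullmatch(note_id):
        raise ValueError("invalid note id")
    return note_id + ".txt"


def python_open_rejects(filename: str) -> bool:
    """True if Python's own open() refuses the name before reaching the OS."""
    try:
        open(filename).close()
    except ValueError:  # "embedded null byte"
        return True
    except OSError:  # e.g. file not found: the name itself was accepted
        return False
    return False


if __name__ == "__main__":
    name = naive_note_filename("flag%00")
    print(repr(name), "->", repr(name_seen_by_c(name)))
    print("open() rejects it:", python_open_rejects(name))
```

Python's built-in open() raises ValueError on an embedded null byte, so the bug only appears once the string is handed to custom C code without the same check.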