Want to know whether the challenge is down or it’s just your network down? Want to know who to send a message when you want to contact an admin of some challenges? Take a look at our “fastest” Health Check API in the world!
Warning: Do not violate our CTF rules.
Under the provided link, we just see a hello world message in JSON.
Gobuster finds a /docs endpoint. Navigating to it reveals documentation about more endpoints:
So it seems we found a way to upload a zip file containing a run executable. There is a process that executes it every 30 seconds. The executable is expected to create a status.json file, in which run is expected to store some results. When uploading a zip file, we receive the name it is stored under. Using the second endpoint, we can request the respective JSON of the commands we run from the uploaded zip.
So it seems like we got command execution and a way of checking what our commands do. Let’s try it.
I am creating a shell script containing the command I want to run:
pwd > ./status.json
ls ../.. (note that flag1.py is interesting for us; flag2 is for a different challenge):
ls -la ../... Looks like we do not have read permission to the __pycache__ folder, maybe we can read the compiled version of the script instead of the script itself. Let’s see what’s in there with
Finally, at 3:30 in the morning, 27 minutes before the CTF ended, I managed to get the flag with
I did not get a reverse shell solution working during the CTF unfortunately. The way I did it was very laborious, crafting each zip file separately, uploading it and waiting for execution. Also for commands that resulted in an error, I did not get a result in the status.json at all, making my solution very tedious.
A reverse shell would have been the much better way. Some people on the BALSNCTF Discord shared their solution. Here is a code snippet from a C script. When compiled as run and uploaded inside a zip, a reverse shell should be obtained. I tried it today, now that the CTF is over, but I think they disabled the processes running the executables already.
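The idea above of reading the compiled version of a script whose source is unreadable relies on a permissions mismatch that a defender can audit for. The following is an added example, not code from the challenge or the original writeup: it flags source files hidden from other users whose bytecode in `__pycache__` is still world-readable. The sample tree, `main.py`, the `cpython-38` tag and all function names are constructed assumptions.

```python
import stat
import tempfile
from pathlib import Path


def world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set on path."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def find_pyc_leaks(root: Path) -> list:
    """Return (source, pyc) pairs where the source is hidden from other
    users but its cached bytecode is not. Only the immediate __pycache__
    directory is checked for traversal, not every parent directory."""
    leaks = []
    for src in sorted(root.rglob("*.py")):
        if world_readable(src):
            continue  # source is readable anyway, bytecode exposes nothing extra
        cache = src.parent / "__pycache__"
        if not cache.is_dir() or not cache.stat().st_mode & stat.S_IXOTH:
            continue  # no cache, or other users cannot enter it
        for pyc in sorted(cache.glob(src.stem + ".*.pyc")):
            if world_readable(pyc):
                leaks.append((src, pyc))
    return leaks


def build_sample_tree(root: Path) -> None:
    """Constructed layout with placeholder contents (not real challenge data)."""
    cache = root / "__pycache__"
    cache.mkdir()
    files = {
        root / "flag1.py": 0o600,               # owner-only source
        cache / "flag1.cpython-38.pyc": 0o644,  # bytecode left world-readable
        root / "main.py": 0o644,                # hypothetical public module
        cache / "main.cpython-38.pyc": 0o644,
    }
    for path, mode in files.items():
        path.write_bytes(b"placeholder")
        path.chmod(mode)
    cache.chmod(0o755)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for src, pyc in find_pyc_leaks(Path(tmp)):
            print(f"{src.name}: source restricted, bytecode readable: {pyc.name}")
```

Tightening the `.pyc` mode to match the source, or running the interpreter with `PYTHONDONTWRITEBYTECODE=1`, removes the finding.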