Breaking the CTF framework - CSAW 2015 web 600 writeup

Sep 21, 2015 • webchallenges, ctf-web

CSAW 2015 Web 600 challenge writeup

Well, when I saw the challenge for the first time, I was like “dafaq! Are we supposed to find a zero day in the CSAW CTF framework now?”. I immediately searched for the framework's source code, hoping it was open source, and I was right. I got the source code from their GitHub, and now what? It's hellishly long and I didn't want to sit and read the entire thing, so I looked into the issues and recent commits. I was damn sure this had something to do with a recent commit. Then one of the commits got my attention: commit

And the commit message was: Fix authentication for certain admin actions. That in itself is suspicious, right? Well, at least to me it was. So here is an interesting part of the code:

# Excerpt from the CTFd admin blueprint; `admin`, `admins_only`,
# `Challenges` and `db` are defined elsewhere in the framework.
from flask import request

@admin.route('/admin/chal/new', methods=['POST'])
@admins_only                     # access control for the route (see the commit above)
def admin_create_chal():
    files = request.files.getlist('files[]')
    # Create challenge from the submitted form fields
    chal = Challenges(request.form['name'], request.form['desc'], request.form['value'], request.form['category'])
    db.session.add(chal)
    db.session.commit()

Well, let's visit the URL. I got a message saying Method Not Allowed and I didn't get redirected to a login page! Strange, isn't it? For any URL under /admin/ other than these three, trying to access it redirects you to login, but not this one. Interesting! Let's try other request methods then. So I fired up the Python terminal and sent a POST request, and there was the flag in the response!

import requests

# POST to the admin endpoint without any session cookie
req = requests.post('https://ctf.isis.poly.edu/admin/chal/delete')
print(req.text)   # the flag was in the response body
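As an added example (not CTFd's code and not the author's), here is a stdlib-only mock of the Flask pattern above: a `route` registry, an `admins_only` decorator that marks the views it wraps, and an audit that lists every `/admin/` rule whose view lacks that marker, which is the check that would have caught the missing decorator before a CTF did. `dispatch` also shows that the method check runs before any view decorator, so a 405 by itself says nothing about whether a route is authenticated. All names and routes here are hypothetical.

```python
import functools

# Constructed stand-in for a Flask-style app: a rule registry, a session
# flag and an admins_only decorator. Names are hypothetical.
ROUTES = {}
SESSION = {"admin": False}          # unauthenticated by default

def route(path, methods=("GET",)):
    """Register `view` for `path`; mirrors @admin.route(path, methods=...)."""
    def deco(view):
        ROUTES[path] = (view, tuple(methods))
        return view
    return deco

def admins_only(view):
    """Deny the request unless the session is an admin, and mark the
    wrapper so an audit can recognise protected views without calling them."""
    @functools.wraps(view)
    def wrapper(*args, **kwargs):
        if not SESSION["admin"]:
            return 302, "redirect to /login"
        return view(*args, **kwargs)
    wrapper.admins_only = True
    return wrapper

@route("/admin/chal/new", methods=("POST",))
def create_chal_unprotected():      # POST-only admin action with no auth decorator
    return 200, "challenge created"

# Decorators apply bottom-up: admins_only wraps first, then route registers
# the wrapper, so the registry holds the protected callable.
@route("/admin/chal/delete", methods=("POST",))
@admins_only
def delete_chal():
    return 200, "challenge deleted"

def dispatch(method, path):
    """As in Flask, the method check precedes the view and its decorators."""
    view, methods = ROUTES[path]
    if method not in methods:
        return 405, "Method Not Allowed"
    return view()

def unprotected_admin_routes(prefix="/admin/"):
    """Audit: every rule under the admin prefix must carry the marker."""
    return sorted(path for path, (view, _) in ROUTES.items()
                  if path.startswith(prefix)
                  and not getattr(view, "admins_only", False))
```

Running the audit in CI against the real `app.url_map.iter_rules()` and `app.view_functions` would flag `/admin/chal/new` here, while a GET against it still returns 405 with or without the decorator.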

Now that was a pretty easy challenge. :)

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE