Skip to content

Latest commit

 

History

History

gorepick

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
checker
checker
 
 
service
service
 
 
sploits
sploits
 
 
README.md
README.md
 
 

README.md

GoRePiCk

  • Author: Roman Opyakin (Sinketsu)
  • Language: Go

Description

According to legend it is a backend GRPC API for registering users and teams to play CTF.

  • Protobuf + GRPC
  • Redis + lua scripts

Deploy

docker-compose up -d --build

Vulns

  1. Bad validation on authorization header.

    In auth.go we have:

    auth := authHeader[0]
idx := strings.LastIndex(auth, ":")
token := auth[idx+1:]
login := auth[:idx]

    But in server.go we have:

    func (s *Server) GetUsername(ctx context.Context) string {
	...
	auth := authHeader[0]
	authData := strings.Split(auth, ":")

	return authData[0]
}

    So, we can register user with name like flagUser:<somestring> and get flags as user flagUser

    Exploit

  2. Predictable join token.

    In create_team.lua we have:

    local time = redis.pcall('TIME')
math.randomseed(time[1])
local rnd = math.random()
local join_token = redis.sha1hex(rnd)

    Random generator seeds by current time. According to this, TIME function in redis returns array [<unix time in seconds>, <microseconds>]. So, if we now the timestamp of team creation we can generate the same join token. Timestamp of creation we have from /Events stream in API.

    Exploit