- Author: Roman Opyakin (Sinketsu)
- Language: Go
According to the legend, it is a backend gRPC API for registering users and teams to play CTF.
- Protobuf + GRPC
- Redis + lua scripts
```shell
docker-compose up -d --build
```
- Bad validation of the `authorization` header. In `auth.go` we have:

```go
auth := authHeader[0]
idx := strings.LastIndex(auth, ":")
token := auth[idx+1:]
login := auth[:idx]
```

But in `server.go` we have:

```go
func (s *Server) GetUsername(ctx context.Context) string {
    ...
    auth := authHeader[0]
    authData := strings.Split(auth, ":")
    return authData[0]
}
```

The first parser splits the header on the last `:`, the second on the first `:`, so the login used for token verification and the login returned by `GetUsername` can differ. So we can register a user with a name like `flagUser:<somestring>` and get flags as user `flagUser`.
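The two parsers side by side, plus the fix: one shared parser and a registration check that refuses the separator inside a login. This is an added example, not the service's code, and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// loginByLastColon mirrors auth.go: the login is everything before the LAST ':'.
func loginByLastColon(auth string) (login, token string) {
	idx := strings.LastIndex(auth, ":")
	if idx < 0 {
		return auth, "" // guard added here; the quoted code would slice at -1 and panic
	}
	return auth[:idx], auth[idx+1:]
}

// loginByFirstColon mirrors server.go GetUsername: everything before the FIRST ':'.
func loginByFirstColon(auth string) string {
	return strings.Split(auth, ":")[0]
}

// validLogin is the check registration should apply: the header separator must
// never be allowed inside a login, or the two parsers above can disagree.
func validLogin(login string) bool {
	return login != "" && !strings.Contains(login, ":")
}

// parseAuth is the single hardened parser to use for both token verification and
// GetUsername, so the two code paths can never disagree on who the caller is.
func parseAuth(auth string) (login, token string, err error) {
	idx := strings.LastIndex(auth, ":")
	if idx < 0 {
		return "", "", errors.New("authorization header lacks ':' separator")
	}
	login, token = auth[:idx], auth[idx+1:]
	if !validLogin(login) || token == "" {
		return "", "", errors.New("login or token is empty, or login contains ':'")
	}
	return login, token, nil
}

func main() {
	// Constructed header: a login registered as "flagUser:abc" plus its token.
	h := "flagUser:abc:secrettoken"
	l, _ := loginByLastColon(h)
	fmt.Printf("auth.go sees %q, server.go sees %q\n", l, loginByFirstColon(h))
	_, _, err := parseAuth(h)
	fmt.Println("hardened parser:", err)
}
```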
- Predictable join token. In `create_team.lua` we have:

```lua
local time = redis.pcall('TIME')
math.randomseed(time[1])
local rnd = math.random()
local join_token = redis.sha1hex(rnd)
```

The random generator is seeded with the current time. According to this, the `TIME` function in Redis returns an array `[<unix time in seconds>, <microseconds>]`, and only the seconds part is used as the seed. So, if we know the timestamp of team creation, we can generate the same join token. We get the creation timestamp from the `/Events` stream in the API.