bookmark_borderCCTF4 Hacktivity Writeups 2.

Don’t be eval

The task was to somehow break a specified website. The HTML markup of the website contained the text “Figwheel”. A quick web search will reveal that Figwheel is a software package for developing websites — live¹ — in the Clojure programming language.

On the website, the only item of interest was the link anchored to the text “do you even REPL, bro?”: the URL contained an argument of “(cons 1 2)”, which looks like Clojure code (a lot like Lisp). Along with the challenge’s name of “Don’t be eval”, these all gave the suggestion that the web request’s single parameter was taken as Clojure code to be evaluated, and indeed it was.

Clojure has access to the full Java ecosystem, including IO functions. By sending in appropriate code snippets (in the URL parameter), it was possible to list the contents of the current directory; it contained a file called “flag.txt”. Then that file could be printed, which contained the flag.

¹ to get a feel for what raz, the creator of this challenge, does for a living, see https://www.youtube.com/watch?v=XSIy8gmjmgY#t=1204s

Author: Mr. SI

Pwncoin challenge

For this challenge, a host was specified, and it was suggested that one ought to use Netcat. It was also blatantly stated that one should try overflowing the “meaning of life” (i.e. 42). The solution was to send an arbitrary string exactly of length 43 (not more, which might be weird, but is realistic), over a plain TCP connection; this revealed the flag.

On top of that — and this is something that even the creator of this challenge didn’t think about —, one could discover that the service served at most 1 client at a time, denying other connections while one is open. This permitted a shrewd contestant to prevent other contestants from even attempting to solve this challenge thereafter, by leaving a connection to the server hanging without submitting anything — it wasn’t me! :trollface.jpg:

Note from six for this solution: it was a wargame! 🙂

Author: SI

Thank you SI for submitting the writeups!