35C3 Junior

Lower difficulty version of the CTF held during the 35th Chaos Communication Congress in Leipzig

December 27 - December 29 2018

35C3 Junior

The holidays left me only a little time to play with this CTF, and I opted for the Junior version running concurrently with the main 35C3. As a result I only had one challenge solved for this one, but it was a nice to have a new variation on a vulnerability I had encountered before: path traversal.

Flags (Web)

Fun with flags: http://35.207.132.47:84
Flag is at /flag

As I recall, the webpage displayed a collage of national flags. I started by looking at the web inspector (and possibly Burp?), and saw that the code was grabbing the language from the header in order to get the flag file to display (en-US or ot). I quickly figured out that it was filtering the flag file location information by replacing “../” with “”, thus thwarting any trivial attempts at path traversal. I tried hex and other encodings to circumvent the filter without success. The filter, however, was only making one pass, so I decided to let it do its job but leave me with the traversal I needed by using ….//. The ../ gets removed from the middle of ….// and leaves ../ behind. From there it was just a matter of traversing enough directories to get to /flag (which I didn’t record).

FINAL RESULTS

Final Score: 37/???
Final Rank: 504 out of 520