Solving Google CTF’s Mindreader Challenge
Writeup for Google CTF's Mindreader Challenge from 2017.
The challenge is mainly based on the Path Traversal attack, a common vulnerability in websites. Path Traversal is a technique that uses special path components (such as "..") to reach directories and files outside the location the server intended to expose. It applies only when a query-string variable is used to choose which file the server reads (which was the case here).
Finding the Vulnerability
Let’s start with the challenge now. This was the screen I was presented with.
Entering something random got us this.
This takes us to a 404 page, but now we have a parameter f in the query string which probably takes in a file. Let's try /etc/passwd:
http://mindreader.web.ctfcompetition.com/f=/etc/passwd
Wow, that was a little too easy, but we're still quite a bit away from the flag. The flag was not in flag.txt, ../flag or flag.
But hold on... if I can read any file, it means I can read the source code too 😏 I tried a few guesses: “main.py”, “app.py”, “server.py” and voila, main.py was actually a file.
It is a Flask web server that reads the flag from an OS environment variable. It also has a regex that filters out the words proc, random, stdout and stderr, so any path containing those can't be read. /proc/self/environ is typically the file that shows a process's environment variables, but because of the regex we can't access it directly.
The challenge has now boiled down to finding a way to access that file by bypassing the regex. Let's see if there are any symbolic links that map to it. I tried to check this locally on my Mac and eventually noticed that /dev/fd links to /proc/self/fd. This means I could try /dev/fd/../environ to access /proc/self/environ.
And boom! Here's our flag.
mindreader.web.ctfcompetition.com/?f=/dev/f..
FLAG=CTF{ee02d9243ed6dfcf83b8d520af8502e1}