Solving Google CTF’s Mindreader Challenge

Writeup for Google CTF's Mindreader Challenge from 2017.

The challenge is mainly based on the Path Traversal attack, a common vulnerability in websites. Path Traversal is a method of using special path characters (such as `../`) to access directories and files on a server that the application never intended to expose. It only works when a query-string variable is used directly to choose which file the server reads (which was the case here).

Finding the Vulnerability

Let’s start with the challenge now. This was the screen I was presented with.

Entering something random got us this.

This takes us to a 404 page, but now there is a parameter f in the URL which probably takes a file name. Let's try /etc/passwd

http://mindreader.web.ctfcompetition.com/f=/etc/passwd

Wow, that was a little too easy, but we're still quite far from the flag. It was not in flag.txt, ../flag or flag.

But hold on... if I can read any file, it means I can read the source code too 😏. I tried a few guesses: “main.py”, “app.py”, “server.py” and voila, main.py was actually a file.

A Flask web server that reads the flag from an OS environment variable. It also has a regex that filters out the words proc, random, stdout and stderr, so you can't read paths containing those. /proc/self/environ is typically the file that shows a process's environment variables, but because of the regex we can't access it directly.

The challenge has now boiled down to finding a way to access that file by bypassing the regex. Let's see if there are any symbolic links that map to it. I tried checking this locally on my Mac and eventually noticed that /dev/fd links to /proc/self/fd. This means I could try /dev/fd/../environ to access /proc/self/environ: the regex only sees the request string, while the kernel resolves the symlink and opens the blocked file anyway.
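The two ideas above (a file parameter used directly to open files, and a word blocklist that a symlinked detour walks around) come down to one defensive rule: validate the path the kernel will actually open, not the string the user sent. The following Python is an added example written for this writeup, not code from the challenge's main.py; the blocklist regex is reconstructed from the four words the writeup names (the original's exact regex is not on the page), and the symlink escape is demonstrated with a constructed temporary directory rather than the real /dev/fd link so it runs anywhere.

```python
import os
import re
import tempfile
from typing import Optional

# Blocklist in the spirit of the one the writeup describes in main.py.
# The four words come from the writeup; the exact original regex is an assumption.
BLOCKED = re.compile(r"proc|random|stdout|stderr")


def blocklist_allows(user_path: str) -> bool:
    """Weak check: inspects the request string, not the file the kernel will open."""
    return BLOCKED.search(user_path) is None


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened check: resolve symlinks and '..' first, then confine to base_dir.

    Returns the real path to open, or None if the request escapes base_dir.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, so strip leading
    # slashes first; an absolute request is then treated as relative to base.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/")))
    # The os.sep guard stops "/srv/public2" from passing as inside "/srv/public".
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def run_demo() -> dict:
    """Builds a throwaway directory tree (constructed sample data) and exercises both checks."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "index.html"), "w") as fh:
        fh.write("hello\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("FLAG=placeholder\n")  # constructed stand-in for the real flag
    # A symlink inside the served directory that points outside it, playing the
    # role /dev/fd -> /proc/self/fd played in the challenge (requires symlink support).
    os.symlink(root, os.path.join(public, "link"))

    expected_ok = os.path.realpath(os.path.join(public, "index.html"))
    return {
        # The string filter blocks the obvious path but lets the symlinked detour through.
        "blocklist_direct": blocklist_allows("/proc/self/environ"),
        "blocklist_detour": blocklist_allows("/dev/fd/../environ"),
        # The resolve-then-confine check judges the final path, so every escape fails.
        "resolve_ok": safe_resolve(public, "index.html") == expected_ok,
        "resolve_dotdot": safe_resolve(public, "../secret.txt"),
        "resolve_symlink": safe_resolve(public, "link/secret.txt"),
        "resolve_absolute_confined": (safe_resolve(public, "/etc/passwd") or "").startswith(
            os.path.realpath(public) + os.sep
        ),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of `safe_resolve` is ordering: `os.path.realpath` collapses both `..` segments and symlinks before the prefix comparison, which is exactly the step the challenge's blocklist skipped. A regex on the request can only ever enumerate spellings the author thought of, and the filesystem offers many more (symlinks, `..`, and on some systems case or encoding variants), so the confinement check should be the one a server relies on.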

And boom! Here's our flag.
mindreader.web.ctfcompetition.com/?f=/dev/f..

FLAG=CTF{ee02d9243ed6dfcf83b8d520af8502e1}

Support Ananay Arora by becoming a sponsor. Any amount is appreciated!