RC3 CTF 2016: Who’s a Good Boy? (100 points)

Description

Who’s a good boy?
100

You’re trying to see the cute dog pictures on ctf.rc3.club. But every time you click on one of them, it brings you to a bad gateway.

https://ctf.rc3.club:3000/

— Your friendly neighborhood webadmin

Solution

Let’s start by having a look at the website at the URL given in the description (https://ctf.rc3.club:3000/). At first sight, it seems to only load the same picture, repeating the pattern below:

<h1>888 Who's a Good Dogeway</h1>
<img
src="http://admissions.vanderbilt.edu/insidedores/manage/wp-content/uploads/doge-pattern-27481-2880x1800.jpg">
<h4> Is it just me</h4> 
<img class="why hello there"
src="http://admissions.vanderbilt.edu/insidedores/manage/wp-content/uploads/doge-pattern-27481-2880x1800.jpg">
<h4> or are you also</p> 
<img class="try not to get too distracted"
src="http://admissions.vanderbilt.edu/insidedores/manage/wp-content/uploads/doge-pattern-27481-2880x1800.jpg">
<h4> seeing things?</p> 
<img class="or infuriated"
src="http://admissions.vanderbilt.edu/insidedores/manage/wp-content/uploads/doge-pattern-27481-2880x1800.jpg">
<h4> at least this isn't</p>

<h1>888 Who's a Good Dogeway</h1>

<img

src="http://admissions.vanderbilt.edu/insidedores/manage/wp-content/uploads/doge-pattern-27481-2880x1800.jpg">

<img class="why hello there"

src="http://admissions.vanderbilt.edu/insidedores/manage/wp-content/uploads/doge-pattern-27481-2880x1800.jpg">

<img class="try not to get too distracted"

src="http://admissions.vanderbilt.edu/insidedores/manage/wp-content/uploads/doge-pattern-27481-2880x1800.jpg">

<h4> seeing things?</p>

<img class="or infuriated"

src="http://admissions.vanderbilt.edu/insidedores/manage/wp-content/uploads/doge-pattern-27481-2880x1800.jpg">

<h4> at least this isn't</p>

Then, I saw that another image was requested through an additional GET request to the following URL:

http://admissions.vanderbilt.edu/insidedores/doge/this-aint-the-RC3-flag-we're-getting-there-though.jpg

1	http://admissions.vanderbilt.edu/insidedores/doge/this-aint-the-RC3-flag-we're-getting-there-though.jpg

As it said that “we’re getting there”, I first thought there would have been something on the other end of the link, which turned out to be a WordPress website. On second thought, this was outside the scope of the CTF environment, so hacking into there might not be a good idea.

Another look at the homepage showed the first part of the page looked like this:

<html>
<head><title>502 Bad Dogeway</title>
<link rel="stylesheet" href="doge.css"/>
</head>

<html>

<head><title>502 Bad Dogeway</title>

</head>

If there was something on the page itself, it must be in the doge.css file that’s referenced here.

Let’s have a look at the file at https://ctf.rc3.club:3000/doge.css. The last part of the CSS file contained the following:

.philarydufflebag{
 
/*hiya*/
/*compress your frontend*/
/*here's a flag :)*/
flag:RC3-2016-CanineSS
}

.philarydufflebag{

/*hiya*/

/*compress your frontend*/

/*here's a flag :)*/

flag:RC3-2016-CanineSS

}

Gotcha! The flag is RC3-2016-CanineSS.

Lessons learned from this challenge: never skip the obvious.

Leave a Comment Cancel reply