# Metamorphosis solutions

## Category

Web

## Serious Business 1

### Difficulty

Easy, 20 points

### Flag

IGCTF{challenge_1_did_you_write_them_all_down!?}

### Solution

Every message sent on the topic that the first website listens to contains the flag. It can be viewed in the network tab of the in-browser debugger. Look for any request labeled `records`. The flag is in the object in the `value` field.

## Challenge 2

### Difficulty

Above average, 50 points

### Flag

IGCTF{challenge2_in_case_it_wasnt_clear_I_dont_like_meetings}

### Solution

Applying the solution from challenge 1 will just yield "flag already sent". This implies that we need to look at previously sent messages to get the flag.

But let's take a step back first: where are these messages coming from? The script that runs shows the creation and usage of some kind of consumer. If we look closely at the content-type, we can see `application/vnd.kafka.v2+json`. In other words, we are somehow interacting with Kafka. Kafka itself doesn't have a REST API though, which is what gets used here. A bit of googling should land you on the kafka-rest proxy: https://docs.confluent.io/platform/current/kafka-rest/index.html

After learning a bit about Kafka and the REST proxy, we should be able to figure out how to adapt the existing code to read out all messages of a topic. To do so, we need to create a Kafka consumer that reads all records from the topic from the beginning (i.e., from the first offset).

In the `makeConsoomer` function, defined in `script.js`, we can see the following configuration:

```javascript
let config = {
    name: uuid,
    format: "json",
    "auto.offset.reset": "latest",
}
```

We need to change the `auto.offset.reset` field to `earliest` to configure the consumer to read all records on the topic (this sets the consumer offsets to the beginning of the topic).

## Challenge 3

### Difficulty

Above average, 60 points

### Flag

IGCTF{challenge_3_I_forgot_to_take_my_meds}

### Solution

There is no mention of a flag in the messages consumed by the third website. We'll need to dig around the Kafka cluster a bit more to find this one.

We get an interesting result when we list all topics in the cluster:

```bash
curl :38082/topics
# ["__confluent.support.metrics","_schemas","credentials","great.ideas","oh.no","stand.back"]
```

There is a topic called `credentials` here, which seems rather interesting. We need a consumer to subscribe to this topic. In the website's code this is done as follows:

```javascript
async function subscribe(c) {
    return post(c + "/subscription", { topics: [TOPIC] })
}
```

If we add the `credentials` topic to that list and call subscribe, we should also get records back from that topic. However, the flag was only published once, so just like with the previous flag, we need to reconfigure our consumer to start reading the topic from the earliest offset.
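
The consumer reconfiguration from challenges 2 and 3, written out end to end as an added example (not the challenge's `script.js`): it creates a consumer with `auto.offset.reset` set to `earliest`, subscribes, polls, and releases the consumer. The function name, the `proxy` and `group` arguments, and the injectable `fetchFn` are assumptions of this sketch; the endpoints are those of the REST Proxy v2 consumer API.

```javascript
// Added example, not the challenge's script.js. Uses the Kafka REST Proxy v2 consumer API.
const V2 = "application/vnd.kafka.v2+json";           // consumer management requests
const V2_JSON = "application/vnd.kafka.json.v2+json"; // records embedded as JSON

// proxy, group and fetchFn are caller-supplied (assumptions of this sketch).
async function readTopicsFromStart(proxy, group, topics, fetchFn = fetch, maxPolls = 5) {
  const post = (url, body) =>
    fetchFn(url, { method: "POST", headers: { "Content-Type": V2 }, body: JSON.stringify(body) });

  // "earliest" only applies when the group has no committed offsets,
  // so pass a group name that has not been used before.
  const created = await post(`${proxy}/consumers/${encodeURIComponent(group)}`, {
    name: `replay-${Date.now()}`,
    format: "json",
    "auto.offset.reset": "earliest",
  });
  if (!created.ok) throw new Error("consumer creation failed");
  const { instance_id } = await created.json();
  // Build the instance URL ourselves: the returned base_uri may carry an internal hostname.
  const instance = `${proxy}/consumers/${encodeURIComponent(group)}/instances/${instance_id}`;

  try {
    const sub = await post(`${instance}/subscription`, { topics });
    if (!sub.ok) throw new Error("subscription failed");
    // The first poll often returns [] while the consumer joins the group.
    for (let i = 0; i < maxPolls; i++) {
      const res = await fetchFn(`${instance}/records`, { headers: { Accept: V2_JSON } });
      const records = await res.json();
      if (records.length > 0) return records;
    }
    return [];
  } finally {
    // Always release the server-side consumer instance.
    await fetchFn(instance, { method: "DELETE", headers: { "Content-Type": V2 } });
  }
}
```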