write-ups-challenges-2023-2024/serious_business/SOLUTION.md
2023-11-28 16:24:59 +01:00


# Metamorphosis solutions
## Category
Web
## Serious Business 1
### Difficulty
Easy, 20 points
### Flag
IGCTF{challenge_1_did_you_write_them_all_down!?}
### Solution
Every message sent on the topic that the first website listens to contains the flag. This can just be viewed in the network tab of the in-browser debugger. Look for any request labeled `records`. The flag is in the object in the `value` field.
## Challenge 2
### Difficulty
Above average, 50 points
### Flag
IGCTF{challenge2_in_case_it_wasnt_clear_I_dont_like_meetings}
### Solution
Applying the solution from challenge 1 just yields "flag already sent". This implies that we need to look at previously sent messages to get the flag. But let's take a step back first: where are these messages coming from?

The script that runs shows the creation and usage of some kind of consumer. If we look closely at the content type, we can see `application/vnd.kafka.v2+json`. In other words, we are somehow interacting with Kafka. Kafka itself doesn't have a REST API, though, and a REST API is what gets used here. A bit of googling should land you on the Kafka REST Proxy: https://docs.confluent.io/platform/current/kafka-rest/index.html

After learning a bit about Kafka and the REST proxy, we should be able to figure out how to adapt the existing code to read out all messages of a topic. To do so, we need to create a Kafka consumer that reads out all records from the topic from the beginning (i.e., from the first offset).

In the `makeConsoomer` function, defined in `script.js`, we can see the following configuration:
```javascript
let config = {
    name: uuid,
    format: "json",
    "auto.offset.reset": "latest",
}
```
We need to change the `auto.offset.reset` field to `earliest` to properly configure the consumer to read out all records on the topic (this sets the consumer offsets to the beginning of the topic).
## Challenge 3
### Difficulty
Above average, 60 points
### Flag
IGCTF{challenge_3_I_forgot_to_take_my_meds}
### Solution
There is no mention of a flag in the messages consumed by the third website. We'll need to dig around the Kafka cluster a bit more to find this one.
We get an interesting result when we list all topics in the cluster:
```bash
curl <IP>:38082/topics
# ["__confluent.support.metrics","_schemas","credentials","great.ideas","oh.no","stand.back"]
```
There is a topic called `credentials` here, which seems rather interesting.
We need a consumer to subscribe to this topic. In the website's code this is done as follows:
```javascript
async function subscribe(c) {
    return post(c + "/subscription", {
        topics: [TOPIC]
    })
}
```
If we add the `credentials` topic to that list, and call subscribe, we should also get records back from that topic. However, the flag was only published once, so just like with the previous flag, we need to reconfigure our consumer to start reading the topic from the earliest offset.
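
The consumer lifecycle from challenges 2 and 3 (create an instance with `auto.offset.reset` set to `earliest`, subscribe, poll `records`, release the instance), written out against the REST Proxy v2 API as an added example that is not the challenge's `script.js`. The injected `http` transport, the group name and the proxy URL are assumptions supplied by the caller.

```javascript
// Added example, not the challenge's script.js. `http` is an injected transport
// (assumption): async (method, url, headers, body) => parsed JSON response.
const V2 = "application/vnd.kafka.v2+json";           // consumer management calls
const V2_JSON = "application/vnd.kafka.json.v2+json"; // JSON-embedded records

async function readFromBeginning(http, proxy, group, topics, maxPolls = 10) {
  // auto.offset.reset only applies when the group has no committed offset:
  // "latest" skips the topic's history, "earliest" replays it from offset 0.
  const inst = await http("POST", `${proxy}/consumers/${group}`, { "Content-Type": V2 }, {
    name: `reader-${Date.now()}`,
    format: "json",
    "auto.offset.reset": "earliest",
  });
  const base = inst.base_uri; // the proxy returns the URI of this instance
  const records = [];
  try {
    await http("POST", `${base}/subscription`, { "Content-Type": V2 }, { topics });
    // The first polls often return [] while the consumer is still joining the
    // group, so keep polling until data has arrived and then dried up.
    for (let i = 0; i < maxPolls; i++) {
      const batch = await http("GET", `${base}/records`, { Accept: V2_JSON });
      if (batch.length === 0 && records.length > 0) break;
      records.push(...batch);
    }
  } finally {
    // Consumer instances are server-side state on the proxy; always release them.
    await http("DELETE", base, { "Content-Type": V2 });
  }
  return records.map(({ topic, offset, value }) => ({ topic, offset, value }));
}

// Transport for a real proxy using fetch (browser or Node 18+).
async function fetchTransport(method, url, headers, body) {
  const res = await fetch(url, { method, headers, body: body ? JSON.stringify(body) : undefined });
  if (!res.ok) throw new Error(`${method} ${url} -> ${res.status}`);
  const text = await res.text(); // subscription and delete answer with an empty body
  return text ? JSON.parse(text) : null;
}
```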