Tags: web 

Rating: 5.0

We are given the challenge URL and the Flask server code. The application is logged into using GitLab OAuth, and on login the server creates a private repository under its own account named shark-facts-for-<username>, containing shark facts for us.

After logging in, the server accepts the GitLab URL of a file to be read from the repository using the GitLab API.


The server code shows that if the file read contains the string blahaj is life, the flag is returned along with the file. Our goal is thus to get the server to fetch a file from GitLab whose contents are blahaj is life.

In this challenge we control two things: the input URL of the file to be read and our GitLab username. By default the input URL points at the README.md in the repository containing the shark facts.


The server code accepts the URL and verifies that it belongs to the repository created by the server, so you cannot pass a public repository of your own; the file has to come from the SharkFacts repository. The URL is checked to be of the form https://gitlab.com/sharkfacts/shark-facts-for-<username>/-/blob/main/<filename>, and everything after /blob/main/ is passed straight into the request URL.

The request URL is generated as: https://gitlab.com/api/v4/projects/<project_name>/repository/files/<filename>/raw?ref=main

The GitLab Files API accepts a ref query parameter that selects the repository ref to fetch the file from. Because <filename> is inserted without encoding, we can craft the input URL so that we control the ref that is used.

filename: README.md/raw?ref=<commit-id>&
final generated URL: https://gitlab.com/api/v4/projects/shark-facts-for-<username>/repository/files/README.md/raw?ref=<commit-id>&/raw?ref=main

The first ref parameter wins, and the server's own /raw?ref=main is left dangling as a meaningless trailing parameter.

This final URL allows us to fetch the file from any ref in the Git repository. We do not have write permission in the GitLab repository, but we can create a fork and open a merge request. That creates a branch, containing our file with blahaj is life, whose commit ID we can copy. Submitting the filename with that commit ID gives us the flag.
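The root cause is that the file path is interpolated into the API URL verbatim, so a path containing ? and & can add query parameters of its own. The following added example (written for this writeup, not the challenge's own server code) reproduces the vulnerable URL construction beside a hardened version that percent-encodes every path component with quote(..., safe="") and additionally rejects file paths that contain anything other than ordinary path characters. The project and commit values are constructed placeholders; the GitLab API endpoint shape is the one shown in the writeup.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

GITLAB_API = "https://gitlab.com/api/v4/projects"


def build_raw_url_vulnerable(project: str, filename: str, ref: str = "main") -> str:
    """URL construction as the writeup describes it: the filename is inserted as-is."""
    return f"{GITLAB_API}/{project}/repository/files/{filename}/raw?ref={ref}"


def build_raw_url_safe(project: str, filename: str, ref: str = "main") -> str:
    """Hardened construction: every user-influenced piece is percent-encoded.

    quote(value, safe="") encodes reserved characters such as "/", "?", "&", "=" and "#",
    which is also what the GitLab Files API expects for the file path component.
    """
    return (
        f"{GITLAB_API}/{quote(project, safe='')}"
        f"/repository/files/{quote(filename, safe='')}"
        f"/raw?ref={quote(ref, safe='')}"
    )


# Defense in depth: an allowlist for repository file paths (assumed policy, not GitLab's).
_PLAIN_PATH = re.compile(r"[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*")


def is_plain_repo_path(filename: str) -> bool:
    """True only for relative paths built from plain segments (no "..", "?", "&", "#", leading "/")."""
    if not _PLAIN_PATH.fullmatch(filename):
        return False
    return ".." not in filename.split("/")


def effective_ref(url: str) -> str:
    """The ref the upstream API would actually honour: the first 'ref' query parameter."""
    params = parse_qs(urlsplit(url).query)
    return params.get("ref", [""])[0]


if __name__ == "__main__":
    project = "shark-facts-for-alice"            # constructed placeholder
    injected = "README.md/raw?ref=0123abcd&"     # shape of the writeup's filename, placeholder commit id
    print("vulnerable ref:", effective_ref(build_raw_url_vulnerable(project, injected)))
    print("hardened ref:  ", effective_ref(build_raw_url_safe(project, injected)))
    print("allowlisted?   ", is_plain_repo_path(injected))
```

Running it shows the vulnerable builder handing the injected commit ID to the API as the ref, while the hardened builder keeps ref=main and the allowlist rejects the input outright. A server-side check that the fetched file belongs to the expected branch should combine both: encode what you pass upstream and validate what you accept.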



Flag: flag{Shark Fact #81: 97 Percent of all sharks are completely harmless to humans}

Original writeup (https://arush15june.github.io/posts/2020-11-09-csaw-ctf-finals-2020-writeup/).