Tags: mercurial web 

Rating:

The full writeup for this challenge is available at [my site](https://rluo.dev/writeups/web/lactf-web-my-chemical-romance). The version available here has had images removed.
# web/my-chemical-romance | LACTF 2023

This challenge was part of LACTF 2023, where asmhole placed 33rd out of nearly 1,400 teams.

## Challenge description

>
> Author: bliutech\
> When I was... a young boy... I made a "My Chemical Romance" fanpage!\
> my-chemical-romance.lac.tf
>

## Solution

I want to preface this with the fact that I've never heard of this band. Don't get mad at me, that's just the truth. Anyway, now that you've (hopefully) gotten past that *horrifying* fact, back to the challenge.

Opening up the site, it appeared to be nothing special. However, my **ultra-mega-super-plus-hacker** senses were tinglihg. I loaded up Burp Suite, proxied the site through it, hit reload, and... voila. There it was. There was an extra header, `Source-Control-Management-Type: Mercurial-SCM` in the response.

Looking into Mercurial, I found that it's a SCM that has lost a lot of popularity. However, clients are still available, so I downloaded TortoiseHg and 'cloned' the website repo.

After cloning the site (ignoring SSL certificate checks), the flag was right there in the clear in the commit history.

**M**y **C**hemical **R**omance? More like **M**y **C**loned **R**epository!

Flag: `lactf{d0nT_6r1nk_m3rCur1al_fr0m_8_f1aSk}`

Original writeup (https://rluo.dev/writeups/web/lactf-web-my-chemical-romance).