A service with multiple backends. It has two vulnerabilities. The first is a crypto vulnerability: the crypto was implemented with [Magenta](https://www.schneier.com/wp-content/uploads/2016/02/paper-magenta.pdf). The second is in the file parsing of the holiday backend: while the whole system supports multibyte characters, this backend reads data from file byte by byte, which allows the injection of forbidden characters such as `\n` and `|`. Coupled with two loose parsers, this lets the attacker impersonate any user and, as a consequence, get the task descriptions of the game server.
For a detailed walkthrough and sample exploits, check out [the original writeup](https://saarsec.rocks/2023/11/20/saarCTF-German-Telework.html).
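The mismatch between a character-level filter and a byte-level reader, as an added example that is not taken from the original writeup or from the service's code. The UTF-16LE storage, the `user|note` record layout and all function names are assumptions made for illustration, since this page does not state the service's encoding or file format.

```python
# Added illustration. Record layout and on-disk encoding are assumptions.
FORBIDDEN = {"\n", "|"}
ENCODING = "utf-16-le"  # assumed multibyte on-disk encoding


def validate(value: str) -> str:
    """Character-level filter, as a multibyte-aware layer would apply it."""
    if FORBIDDEN & set(value):
        raise ValueError("forbidden character in field")
    return value


def store(user: str, note: str) -> bytes:
    """Serialize one record as user|note followed by a newline."""
    return f"{validate(user)}|{validate(note)}\n".encode(ENCODING)


def read_bytewise(blob: bytes) -> list:
    """Flawed reader: treats the single bytes 0x0A and 0x7C as delimiters."""
    return [line.split(b"|") for line in blob.split(b"\n") if line]


def read_decoded(blob: bytes) -> list:
    """Hardened reader: decode the whole file first, then split on characters."""
    text = blob.decode(ENCODING)
    return [line.split("|") for line in text.split("\n") if line]


def demo():
    # Constructed input: U+010A and U+017C pass the character filter, but
    # their UTF-16LE encodings contain the bytes 0x0A and 0x7C respectively.
    note = "x\u010ay\u017cz"
    blob = store("alice", note)
    return read_bytewise(blob), read_decoded(blob)


if __name__ == "__main__":
    flawed, hardened = demo()
    print("byte-wise reader sees", len(flawed), "records:", flawed)
    print("decoded reader sees", len(hardened), "record:", hardened)
```

The fix is to make the filter and the reader agree on one unit: either decode before splitting, as `read_decoded` does, or validate the encoded bytes against the delimiter bytes before writing.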
