Rating:

A service with multiple backends. It has two vulnerabilities: a crypto vulnerability, as the crypto was implemented with magenta crypto. The second vulnerability is in holiday, in the file parsing: while the whole system supports multibyte characters, this backend reads data from file byte by byte, allowing the injection of forbidden characters, such as \n and |. This coupled with two loose parsers enables the attacker to impersonate any user, and as a consequence get the task descriptions of the game server. For a detailed walkthrough and samples exploits, checkout the original writeup.

Original writeup (https://saarsec.rocks/2023/11/20/saarCTF-German-Telework.html).