CTF Writeup — Fetch the Flag CTF 2023 — Unhackable Andy
Hi All,
It is connected with OSINT at start, and Command Injection at the end. ✨
Description of the challenge: “Someone might want to let ol’ Andy know the old addage — pride goeth before the fall.” — source: https://snyk.ctf.games/challenges — Unhackable Andy
That’s all. Now we have to visit some site: http://challenge.ctf.games:30900/
Site is quite simply. There are two options — Home and Login.
Referring to my last notices: CTRL+U & F12 are clear. 🎉
‘Home’ gives the same site of course, ‘Login’ gives Login panel. At the main site there is pinned GH GitHub profile of mentioned creator (“Unhackable Andy”; by the way, text there is quite funny — great job!). Let’s take a look there. https://github.com/UnhackableAndy
There we can see two repos: ‘my-awesome-site’ and ‘my-other-awesome-site’.
Interesting, right? We even don’t have to fork or clone this — just using features from GitHub — please check Git History.
If you dig deeper there, you will know that mentioned actor made some mistake. We can see this here https://github.com/unhackableandy/my-awesome-site/commit/d4d664824980d04de78b6aa114f3bac6e27d59d8