[CTT2023] Mflag — 200 pts

This one is a little harder because the code is written in Flutter.

The hint stated that the developer has already retrieved the flag but do not know how to display it.

That means the flag is not in the app but is stored on the server.

Let’s try to intercept the application and read the HTTP response from the server.

Normally, we can just add the proxy and point it to our Burp proxy. However, flutter is a non-proxy aware application which means it ignores the system proxy.

To be able to intercept, we need to set up VPN server.
For me, I created a Linux VM and set up the VPN server using this script:

GitHub - hwdsl2/setup-ipsec-vpn: Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco…

For more detail about how to set up the VPN, follow this link:

Pentesting Non-Proxy Aware Mobile Applications Without Root/Jailbreak

After we have set up a VPN and set all the routes to Burp Proxy (and set up a invisible proxy), let’s use the app again. We can see the flag in the HTTP response!

Part 1:

[CTT2023] hello flutter — 100 pts

Part 2:

[CTT2023] Show me the flag — 100 pts