Google CTF Competition 2018: Cat Chat

Oleg Vaskevich
Jun 25, 2018

This past weekend Google held the qualification round for its third annual Capture the Flag competition, with 25 demanding challenges in categories ranging from cryptography to web to binary exploits. While my skillset is nowhere near that of the talented teams participating from all over the world, I had some time to try my hand at one of the web challenges, Cat Chat, and wanted to document my approach. In my opinion, CTFs can be a great learning experience, and taking a stab at some challenges as well as reading people’s write-ups afterwards can be great for becoming a better engineer.

This challenge wasn’t trivial, but in the end I was able to get the flag:

Read on to find out how!

Starting Out

Cat Chat reminded me of IRC hacking challenges popular a decade ago, like the ones on HackThisSite. I’ll let the screenshot speak for itself, but the premise is that there’s a chat app run by someone bent against canines, and the goal is to (surprise!) steal the admin’s credentials to get the flag.

Sprinkle on a sidebar and some emojis, and you’ll have Slack. :)

Reading over the preface, it looks like we get access to the Express server’s source code! And naturally we…

Oleg Vaskevich

software engineer @coda_hq. formerly @google @kpcbfellows @shapesecurity @twitter