This past weekend Google held the qualification round for its third annual Capture the Flag competition, with 25 demanding challenges in categories ranging from cryptography to web to binary exploits. While my skillset comes nowhere close to that of the talented teams participating from all over the world, I had some time to try my hand at one of the web challenges, Cat Chat, and wanted to document my approach. In my opinion, CTFs can be a great learning experience, and taking a stab at some challenges, as well as reading people’s write-ups afterwards, can be great for becoming a better engineer.
This challenge wasn’t trivial, but in the end I was able to get the flag:
Read on to find out how!
Cat Chat reminded me of IRC hacking challenges popular a decade ago, like the ones on HackThisSite. I’ll let the screenshot speak for itself, but the premise is that there’s a chat app run by someone bent against canines, and the goal is to (surprise!) steal the admin’s credentials to get the flag.
Reading over the preface, it looks like we get access to the Express server’s source code! And naturally we have access to the client’s source as well. In general with these types of challenges, an effective approach is to first explore the app itself, and then do a code review and spot any weaknesses that may have been (usually intentionally) introduced. [I’ll denote those with a 🚩.]
To start things off, we can change our name 🚩 to anything, so why not do the quick-n-dirty inline script test?
Unfortunately, no dice — the input is escaped.
Moving on, the admin really, really hates dogs. As a test, let’s see what happens when we join the same room as another user (i.e., in an…