Listy
Challenge
I made a little leaderboard listy app, it’s a bit rough so please don’t judge me too harshly.
https://listy-web-u7jl3ge7qa-uc.a.run.app/
Enumeration
The website provided appears to be built with Next.js. The main page simply displays a ranking table. Looking through the main.js chunk, it is noted that an /api/list endpoint exists. There is a /robots.txt that discloses a /dev route, which mentions several sourcehut todo tickets.
Two of the most recent tickets have comments. One includes a link to a listy development sourcehut repo, which is visited and cloned.
In the repo there is an invoke.sh file.
#!/bin/bash
# Ansible-Vault unlock the gcloud credential (decrypted key lands in /tmp/key.json;
# the $CRED variable captures only the command's stdout and is never used)
CRED=$(ansible-vault decrypt vault.txt --output /tmp/key.json)
# Authenticate gcloud as the service account using the decrypted key file
gcloud auth activate-service-account listy-developer@sunshine-2022-challenges.iam.gserviceaccount.com '--key-file=/tmp/key.json'
# Remove the plaintext key once gcloud has cached the credential
rm /tmp/key.json
# Call the cloud function with an identity token for that service account
curl -H "Authorization: bearer $(gcloud auth print-identity-token)" https://us-central1-sunshine-2022-challenges.cloudfunctions.net/listy\?bucket\=ssctf22-listy-leaderboard-prod
Solution
The shell script decrypts a credential from an ansible-vault file and uses it to authenticate against a Google Cloud service; it then pulls from a storage bucket. The ansible-vault decryption key is disclosed in the comment on ticket #4.
From the git commits (accessed using git log in the repo root), the email is dev@listy.com. This email is used to decrypt the vault, and the key.json file is dumped.
The curl command is copied and a JSON object is retrieved from the bucket, which reflects the production table from the Next.js app. At this point it's probably pretty clear to just replace the ssctf22-listy-leaderboard-prod bucket with ssctf22-listy-leaderboard-dev, but I go ahead and pull all the buckets from the active CTF project.
The dev bucket is accessed and the flag is obtained.
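The chain above only works because three artefacts sat together in one place: an ansible-vault file committed to the repo, its password posted in a public ticket, and a shell script that turns the decrypted key into a service-account login. The example below is a small repository scanner added to this write-up (it is not part of the listy project) that flags exactly those artefact types before they reach a remote: the `$ANSIBLE_VAULT` header, PEM private-key blocks, Google service-account key JSON, and shell scripts that activate a service account from a key file. The sample repository it builds in a temp directory, the placeholder key material and the `svc-account@example-project` address are all constructed for the example; the detection rules are heuristics, not an exhaustive secret-scanning policy.

```python
"""Scan a checked-out repository tree for committed secrets of the kinds that
made the listy challenge solvable.  Example code added to this write-up; it is
not the listy project's own tooling."""
from __future__ import annotations

import json
import os
import re
import tempfile
from pathlib import Path

# Ansible Vault payloads always start with this header line.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256", re.M)
# PEM-encoded private key block (RSA, EC, or PKCS#8).
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# Heuristic: a script that logs gcloud in from a key file on disk.
KEY_FILE_ACTIVATION = re.compile(r"gcloud auth activate-service-account|--key-file=")


def classify(path: Path, text: str) -> list[str]:
    """Return the list of secret types found in one file (empty if none)."""
    findings: list[str] = []
    if VAULT_HEADER.search(text):
        findings.append("ansible-vault payload")
    if PRIVATE_KEY.search(text):
        findings.append("PEM private key")
    try:
        obj = json.loads(text)
    except ValueError:
        obj = None
    # Google service-account keys are JSON with these two fields.
    if isinstance(obj, dict) and obj.get("type") == "service_account" and "private_key" in obj:
        findings.append("GCP service-account key")
    if path.suffix == ".sh" and KEY_FILE_ACTIVATION.search(text):
        findings.append("script activates a service account from a key file")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a repository tree (skipping .git) and map relative paths to findings."""
    results: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if not p.is_file() or ".git" in p.parts:
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        hits = classify(p, text)
        if hits:
            results[p.relative_to(root).as_posix()] = hits
    return results


def demo() -> dict[str, list[str]]:
    """Build a constructed sample repo in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="listy-scan-"))
    (root / "creds").mkdir()
    # Constructed vault file: real header, placeholder hex body.
    (root / "vault.txt").write_text("$ANSIBLE_VAULT;1.1;AES256\n30313233343536373839\n")
    # Constructed script mirroring the shape of the one in the write-up.
    (root / "invoke.sh").write_text(
        "#!/bin/bash\n"
        "ansible-vault decrypt vault.txt --output /tmp/key.json\n"
        "gcloud auth activate-service-account svc-account@example-project.iam.gserviceaccount.com "
        "'--key-file=/tmp/key.json'\n"
    )
    # Constructed service-account key; the private key is a placeholder, not real key material.
    (root / "creds" / "key.json").write_text(json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "client_email": "svc-account@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    }))
    (root / "README.md").write_text("# sample repo with no secrets in this file\n")
    return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it as a pre-push check or in CI with `scan_tree(Path("."))` and fail the build on any finding; the point of flagging the `.sh` activation pattern alongside the vault and key files is that a script like invoke.sh is what turns a single leaked vault password into a live cloud identity.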