Author: argot
Pub: 2022-11-21


I made a little leaderboard listy app, it’s a bit rough so please don’t judge me too harshly.


The website provided appears to be made with Next.js. The main page simply reports a ranking table. Looking through the main.js chunk, it's noted that an /api/list endpoint exists. There is a /robots.txt that discloses a /dev route, which mentions the following sourcehut todo tickets:

Todo Tickets

Two of the most recent tickets have comments. One includes a link to a listy development sourcehut repo. The repo is visited and cloned.

Dev Repo

In the repo there is an file.


# Ansible-Vault unlock the gcloud credential
CRED=$(ansible-vault decrypt vault.txt --output /tmp/key.json)

gcloud auth activate-service-account '--key-file=/tmp/key.json'

rm /tmp/key.json

curl -H "Authorization: bearer $(gcloud auth print-identity-token)"\?bucket\=ssctf22-listy-leaderboard-prod


The shell script loads a credential from an ansible-vault file and uses it to authenticate against a Google Cloud service. It then pulls from a bucket. The ansible-vault decryption key is disclosed in the comment on ticket #4.

Vault Key

From the git commits (accessed using git log in the repo root), the email is This email is used to decrypt the vault and the key.json file is dumped.


The curl command is copied and a JSON object is retrieved from the bucket, which reflects the production table from the Next.js app. At this point, it's probably pretty clear to just replace the ssctf22-listy-leaderboard-prod bucket with ssctf22-listy-leaderboard-dev, but I go ahead and pull all the buckets from the active CTF project.


The dev bucket is accessed and the flag is obtained.
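
From the defender's side, the chain above worked because an encrypted vault file and the script that consumes it sat in a reachable repo while the vault password was disclosed in a ticket comment. The following is an added example, not code from the challenge or its repo: a POSIX shell audit that flags those artifacts in a checkout before it is published. The file name fetch.sh and all sample contents are constructed.

```shell
#!/bin/sh
# Added example (not from the write-up's repo): audit a checkout before it is
# published. File names and sample contents below are constructed.

# audit_repo DIR: print "KIND<TAB>relative/path" per finding.
#   vault     file whose first line is an Ansible Vault header
#   keyfile   script that hands a key file to gcloud service-account auth
#   tmpsecret script that decrypts a vault to a path under /tmp
# Assumes file names contain no newlines.
audit_repo() {
  dir=$1
  find "$dir" -path "$dir/.git" -prune -o -type f -print | sort |
  while IFS= read -r f; do
    rel=${f#"$dir"/}
    first=
    IFS= read -r first < "$f" || true   # tolerate empty or unterminated files
    case $first in
      '$ANSIBLE_VAULT;'*) printf 'vault\t%s\n' "$rel" ;;
    esac
    if grep -Eq -e 'activate-service-account.*--key-file' "$f"; then
      printf 'keyfile\t%s\n' "$rel"
    fi
    if grep -Eq -e 'ansible-vault +decrypt.*--output[ =]+/tmp/' "$f"; then
      printf 'tmpsecret\t%s\n' "$rel"
    fi
  done
}

# Build a throwaway checkout with constructed contents and print its path.
make_sample_repo() {
  d=$(mktemp -d)
  printf '# listy\n' > "$d/README.md"
  cat > "$d/vault.txt" <<'EOF'
$ANSIBLE_VAULT;1.1;AES256
00000000000000000000000000000000
EOF
  cat > "$d/fetch.sh" <<'EOF'
CRED=$(ansible-vault decrypt vault.txt --output /tmp/key.json)
gcloud auth activate-service-account '--key-file=/tmp/key.json'
EOF
  printf '%s\n' "$d"
}

repo=$(make_sample_repo)
audit_repo "$repo"
rm -rf "$repo"
```

A vault finding is not a leak by itself, but it marks a file whose confidentiality rests entirely on the vault password staying out of tickets, commits and chat.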