I made a little leaderboard listy app, it’s a bit rough so please don’t judge me too harshly.
The website provided appears to be built with Next.js. The main page simply renders a ranking table. Reading through the main.js chunk, it is noted that an /api/list endpoint exists. There is a /robots.txt that discloses a /dev route, which mentions the following sourcehut todo tickets:
Two of the most recent tickets have comments. One includes a link to a listy development sourcehut repo. The repo is visited and cloned.
In the repo there is an invoke.sh file.
```bash
#!/bin/bash
# Ansible-Vault unlock the gcloud credential
# (decrypts vault.txt into a service-account key file; CRED only captures ansible-vault's status output)
CRED=$(ansible-vault decrypt vault.txt --output /tmp/key.json)
# activate the service account from the decrypted key, then delete the plaintext key
gcloud auth activate-service-account email@example.com '--key-file=/tmp/key.json'
rm /tmp/key.json
# call the Cloud Function with an identity token minted for the active service account
curl -H "Authorization: bearer $(gcloud auth print-identity-token)" https://us-central1-sunshine-2022-challenges.cloudfunctions.net/listy\?bucket\=ssctf22-listy-leaderboard-prod
```
The shell script decrypts a credential from an ansible-vault file and uses it to authenticate against a Google Cloud service. It then pulls a listing from a bucket via the Cloud Function. In the comment on ticket #4, the ansible-vault decryption key is disclosed.
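The chain above works only because three things ended up in places an outsider could read: vault ciphertext in a public repo, the vault password in a public ticket comment, and a decrypted service-account key written to disk. As an added, defender-side example (not code from the writeup or from the listy repository), the scanner below walks a checked-out tree and flags exactly that kind of material: Ansible Vault blobs, Google service-account JSON keys, PEM private keys, and scripts that reference a vault password file. All file names and contents in `demo()` are constructed for the illustration; the regexes and the `"type": "service_account"` / `"private_key"` fields are the real markers of those formats.

```python
"""Repository scanner for secret material of the kinds seen in this challenge.
Added example, not part of the original writeup or the listy project."""
import json
import os
import re
import tempfile

# "$ANSIBLE_VAULT;1.1;AES256" is the header ansible-vault writes on encrypted files
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256", re.M)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# a script that passes --vault-password-file usually means the password lives in the repo too
VAULT_PASS_OPT = re.compile(r"--vault-password-file\s*=?\s*(\S+)")
VAULT_PASS_NAME = re.compile(r"vault[_.\-]?pass", re.I)
SKIP_DIRS = {".git", "node_modules", ".next"}


def classify(path: str, text: str) -> list:
    """Return a list of human-readable findings for one file's content."""
    findings = []
    if VAULT_HEADER.search(text):
        findings.append("ansible-vault ciphertext")
    if PRIVATE_KEY.search(text):
        findings.append("PEM private key")
    if path.endswith(".json"):
        try:
            doc = json.loads(text)
        except ValueError:  # json.JSONDecodeError is a ValueError
            doc = None
        if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
            findings.append("GCP service-account key")
    for match in VAULT_PASS_OPT.finditer(text):
        findings.append("vault password file referenced: " + match.group(1))
    if VAULT_PASS_NAME.search(os.path.basename(path)):
        findings.append("vault password file name")
    return findings


def scan_tree(root: str) -> dict:
    """Walk a checkout and map relative path -> findings for every flagged file."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            hits = classify(rel, text)
            if hits:
                report[rel] = hits
    return report


def demo() -> dict:
    """Build a constructed throwaway tree resembling the repo layout and scan it."""
    root = tempfile.mkdtemp(prefix="listy-scan-")
    # constructed sample contents; the key material is a placeholder, not a real key
    fake_key = {
        "type": "service_account",
        "project_id": "example-project",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "svc@example-project.iam.gserviceaccount.com",
    }
    samples = {
        "vault.txt": "$ANSIBLE_VAULT;1.1;AES256\n3062386138\n",
        "key.json": json.dumps(fake_key),
        "invoke.sh": "#!/bin/bash\nansible-vault decrypt vault.txt "
                     "--vault-password-file .vault_pass --output /tmp/key.json\n",
        "README.md": "# listy\nA leaderboard app.\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(rel, "->", ", ".join(hits))
```

Run as a pre-commit hook or CI step over the working tree; a non-empty report should block the push. The findings map directly onto the fixes this challenge implies: keep the vault password out of tickets and repos, never write decrypted service-account keys to a shared path like /tmp, and treat any key that has been committed as compromised and rotate it.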
From the git commits (accessed using git log in the repo root), the email is firstname.lastname@example.org. This email is used to decrypt the vault, and the key.json file is dumped.
The curl command is copied and a JSON object is retrieved from the bucket, which reflects the production table from the Next.js app. At this point it is probably obvious to just replace the ssctf22-listy-leaderboard-prod bucket with ssctf22-listy-leaderboard-dev, but I go ahead and pull all the buckets from the active CTF project.
The dev bucket is accessed and the flag is obtained.