Santa keeps track of your wishes. So he prepared something special for the last day. At this point, he would also like to thank all of the sponsors and you as community supporters!
Stay safe! Keep h@ck1ng and R0ck1ng! https://last.owasp.si/
Sorry to disappoint, but I used likely unintended solution. However, I did not know what is the intended solution, so ¯\_(ツ)_/¯
We are presented with index.html with only a left part of the image with printed beginning of the flag ctf{lastBu. It was worth trying ctf{lastButNotLeast} and ctf{lastButTheBest} but they were incorrect.
The right part of the image is said to be hosted on http://65.108.146.8/right.png. However, if you try to open it, it will show you the standard 403 Forbidden nginx page.
Seems like the challenge was about bypassing some IP address protection, and to get the flag, we need somehow to exploit the application. One of the interesting endpoints I discovered was /error:
Google this error message, and you realize that we are dealing with the application based on Spring Boot framework.
What I tried at this point without any result:
- Enumerate application endpoints with ffuf and a decent wordlist.
- Bypass IP address protection with
X-Forwarded-ForHTTP headers and alike. - Nginx LFI via path traversal, see blog post in attempt to leak application source code.
- Since the application is written in Java, there is a chance it is vulnerable to recent log4j vulnerability.
Suddenly, I recalled that in Day 3 we had an application with wide possibilities, including RCE. naughty.owasp.si was hosted on the same server as last.owasp.si, therefore IP address matched.
The solution was as easy as running remotely:
curl -s http://65.108.146.8/right.png 2>&1 | base64
and decoding it with:
$ ./solution.py | base64 -d > right.png
The full flag is therefore:
ctf{lastBuThankYouForPlaying}
If you know how this challenge was supposed to be solved, please let me know.