I did not get much time to play this CTF but within the time frame, CoinGame was one of the challenges which I was able to solve. This challenge had comparatively lesser solves than other web challenges but was easy.
Challenge link :
So about this challenge, we get a welcome page wherein it is written
and a textbox wherein we can give url’s (hopefully).
The source code revealed nothing. But after giving
google.com in the textbox, we were able to notice a particular request being set and showing us a page with response status
302. The URL was perfect enough to understand what it was, LFI.
The very next step was to see what is inside
http://coingame.challs.malice.fr/curl.php?way=../../../etc/passwd reveals nothing but,
http://coingame.challs.malice.fr/curl.php?way=file:///etc/passwd gave us the list of every registered user that has access to that system.
One particular thing that caught in my mind was tftp. Since the challenge description had mentioned a game, I quickly googled and got the link to the same repo.
Since the file names were there, I quickly tried to see if the files that exist in the challenge server are the same. I then gave in
http://coingame.challs.malice.fr/curl.php?way=file:///home/CoinGame/Bonus.py which gave me the
I assumed that all the other challenge file names would be the same and we have to only find the files which are altered by the admin of the challenge. I was quickly going through the files in the github repo and found that there were a lot of files and manually fetching would be cumbersome.
So with the help of my team mate,
dnvira, we got a script which would actually wget the entire files and subdirectories.
Comparing the hashes of the cloned repo and the one we got from the challenge server gave us a few files being differentiate from others. I was going through a few of them and apparently a few images in
gameAnimationImages had flag written at the bottom end.
There were two places wherein I was stuck. One was using
tftp which would have been a way to proceed further and the next one, fetching all the files. Apparently the former one was where I was stuck for long time.
Reach me out on Twitter.