NuitDuHack 2018 CoinGame
I did not get much time to play this CTF, but within the time frame, CoinGame was one of the challenges which I was able to solve. This challenge had comparatively fewer solves than other web challenges but was easy.
Challenge link : http://coingame.challs.malice.fr/
Points: 200
So, about this challenge: we get a welcome page on which "CURL service" is written
![](../assets/nuitduhack/HomeScreen.png)
and a textbox wherein we can give URLs (hopefully).
![](../assets/nuitduhack/cURL_request.png)
The source code revealed nothing. But after giving `google.com` in the textbox, we were able to notice a particular request being sent, showing us a page with response status `302`. The URL was clear enough to understand what it was: LFI.
![](../assets/nuitduhack/url.png)
The very next step was to see what is inside `/etc/passwd`. `http://coingame.challs.malice.fr/curl.php?way=../../../etc/passwd` revealed nothing, but `http://coingame.challs.malice.fr/curl.php?way=file:///etc/passwd` gave us the list of every registered user that has access to that system.
![](../assets/nuitduhack/etc.png)
One particular thing that caught my attention was tftp. Since the challenge description had mentioned a game, I quickly googled and got the link to the same repo.
Since the file names were there, I quickly tried to see if the files that exist on the challenge server are the same. I then gave in `http://coingame.challs.malice.fr/curl.php?way=file:///home/CoinGame/Bonus.py`, which gave me the `Bonus.py` file.
![](../assets/nuitduhack/coingamedir.png)
I assumed that all the other challenge file names would be the same and that we only had to find the files which were altered by the admin of the challenge. I was quickly going through the files in the GitHub repo and found that there were a lot of files, and fetching them manually would be cumbersome.
So with the help of my teammate, dnvira, we got a script which would actually wget all the files and subdirectories.
Comparing the hashes of the cloned repo and the one we got from the challenge server gave us a few files that differed from the others. I was going through a few of them and apparently a few images in `gameAnimationImages` had the flag written at the bottom end.
flag{_Rends_l'_......
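The hash comparison between the cloned repo and the fetched copy can be done as below. This is an added example, not the script used during the CTF; the sample trees are constructed, and apart from `Bonus.py` and `gameAnimationImages` the file names are assumptions.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, skip_dirs=(".git",)):
    """Map each file's path relative to root to its SHA-256 digest."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune VCS metadata: it exists only in the clone and would add noise.
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def compare_trees(reference_root, fetched_root):
    """Return (changed, missing, extra) relative paths, each sorted."""
    ref, got = hash_tree(reference_root), hash_tree(fetched_root)
    changed = sorted(p for p in ref.keys() & got.keys() if ref[p] != got[p])
    missing = sorted(ref.keys() - got.keys())   # in the clone, not fetched
    extra = sorted(got.keys() - ref.keys())     # fetched, not in the clone
    return changed, missing, extra


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as got:
        for root in (ref, got):
            os.makedirs(os.path.join(root, "gameAnimationImages"))
            with open(os.path.join(root, "Bonus.py"), "wb") as fh:
                fh.write(b"# constructed sample\n")
        with open(os.path.join(ref, "gameAnimationImages", "a.png"), "wb") as fh:
            fh.write(b"original-bytes")
        with open(os.path.join(got, "gameAnimationImages", "a.png"), "wb") as fh:
            fh.write(b"original-bytes-with-extra-text")
        with open(os.path.join(ref, "README.md"), "wb") as fh:
            fh.write(b"only in the clone")
        return compare_trees(ref, got)


if __name__ == "__main__":
    print(demo())
```

The `changed` list is the one to open by hand; `missing` entries are usually files the fetch did not retrieve rather than deliberate edits.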
There were two places wherein I was stuck. One was using `tftp`, which would have been a way to proceed further, and the next one was fetching all the files. Apparently the former one was where I was stuck for a long time.
Reach out to me on Twitter.