Discover gists

A TL;DR solution to Security Driven by @terjanq

For this year's Google CTF, I prepared a challenge that is based on a real-world vulnerability. The challenge wasn't solved by any team during the competition so here is the proof that the challenge was in fact solvable! :)

Link to the challenge: https://capturetheflag.withgoogle.com/challenges/web-security-driven
Link to the PoC: https://github.com/google/google-ctf/tree/master/2021/quals/web-security-driven/solution

The goal of the challenge was to send a malicious file to the admin and leak their file with a flag. The ID of the file was embedded into the challenge description (/file?id=133711377731) and only admin had access to it, because the file was private.

Disclamer: The write-up is written on airplane therefore the quality of it is poor, mostly to showcase the required steps to solve the challenge

	const TELEGRAM_BOT_TOKEN = '110201543:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw'; // https://core.telegram.org/bots#creating-a-new-bot


	export const verifyTelegramWebAppData = async (telegramInitData: string): boolean => {
	// The data is a query string, which is composed of a series of field-value pairs.
	const encoded = decodeURIComponent(telegramInitData);


	// HMAC-SHA-256 signature of the bot's token with the constant string WebAppData used as a key.
	const secret = crypto

	#!/bin/bash
	# reset jetbrains ide evals v1.0.4

	OS_NAME=$(uname -s)
	JB_PRODUCTS="IntelliJIdea CLion PhpStorm GoLand PyCharm WebStorm Rider DataGrip RubyMine AppCode"

	if [ "$OS_NAME" == "Darwin" ]; then
	echo 'macOS:'

	for PRD in $JB_PRODUCTS; do

	### Test on https://github.com/yousseb/meld/releases/tag/osx-20
	### OSX - 3.21.0 (r4) Sonoma
	### !!! Note: You need put the Meld.app r4 build to the /Applications path first.

	#!/bin/zsh

	#Fix libpng16.16.dylib not found
	install_name_tool -change /usr/local/opt/libpng/lib/libpng16.16.dylib @executable_path/../Frameworks/libpng16.16.dylib /Applications/Meld.app/Contents/Frameworks/libfreetype.6.20.0.dylib

	#Fix libbrotlidec.1.dylib not found

	// To compile this program, you need to install:
	// sudo apt-get install libbluetooth-dev
	// Then you can compile it with:
	// cc scanner.c -lbluetooth -o scanner
	// You can then run it with:
	// ./scanner

	// Copyright (c) 2021 David G. Young
	// Copyright (c) 2015 Damian Kołakowski. All rights reserved.
	// License: BSD 3. See: https://github.com/davidgyoung/ble-scanner

	# This (Istio) Envoy filter will automatically add the
	# recommended HTTP Security headers - https://securityheaders.com/
	#
	# Just: kubectl apply -f istio-security-by-default-header-filter.yaml
	#
	apiVersion: networking.istio.io/v1alpha3
	kind: EnvoyFilter
	metadata:
	name: security-by-default-header-filter
	namespace: istio-system

	<^>!'::Send `` ; AltGr + ' => `
	<^>!vkDD::Send ~ ; AltGr + ì => ~

	# These aliases have been collected and shown in the making of this video, explaining how to set up and use git alises
	# Source: https://youtu.be/Uk4GnYoQx_I

	[alias]
	# Shortcuts
	ch = checkout
	br = branch
	st = status
	br = branch
	cm = commit -m

	/* ==UserStyle==
	@name TwitterRevertColoring
	@description Twitter の UI の配色を元に戻すユーザースタイル
	@namespace https://gist.github.com/tsukumijima
	@updateURL https://gist.github.com/tsukumijima/931905c4ed3f181ce926730463a29d80/raw/TwitterRevertColoring.user.css
	@author tsukumi
	@version 1.3.9
	@license MIT
	==/UserStyle== */