To ensure a good Christmas we implemented some diagnostic tools. This one checks that the time to a destination is within an acceptable range. The flag is in /flag.txt.
Visit <https://12.adventofctf.com> to start the challenge.
## Finding the vulnerability
Upon opening the challenge website we're greeted with an input field and a check button. Let's enter some text in the input and press the check button. Initially, nothing happens but after a few seconds we get a result: `1607956922.306628 Destination check was OK`. As the page didn't reload there is probably some javascript in play. Indeed there is, when opening the source, we find a script tag with the following javascript function:
If we analyze this function a bit we find that it executes a `POST` request to `/` and puts the result in an HTML element with this selector: `'#result'`.
Let's try some more inputs. Just plain text doesn't seem to change the result much besides the number before "Destination check". If we, however, enter a quote (`"`), we get a different result back:
```text
Something happened: /bin/bash: -c: line 0: unexpected EOF while looking for matching `"'
/bin/bash: -c: line 1: syntax error: unexpected end of file
This means that, while it does work, it does not work directly as the output isn't valid. If we, however, put a sub-command inside a sub-command (`> $($(ls))`), the inner output will be printed:
```text
Something happened: /bin/bash: app.py: command not found
/bin/bash: $($(ls)): ambiguous redirect
```
As we can see, there seems to be an `app.py` file but we don't care about it now. Let's try to cat the flag from the location specified in the challenge description (`/flag.txt`) by entering the following input: `>$($(cat /flag.txt))`. This return the following result:
```text
Something happened: /bin/bash: Congratulations,: command not found
As we can see, it did read the file. Sadly, however, it only returned the first line...
At this point, I didn't really know what to do but just as I was about to take another break, [@credmp](https://twitter.com/credmp) posted a hint on Twitter. It said the following: "Hint: all error messages are printed on stderr.".
### Redirecting the output
After reading this tweet, I tried the following input: `>$(cat /flag.txt>/dev/stderr)` and it immediately worked! I felt pretty stupid for not having thought about that 😐.
## Solution
So redirecting the output to `stderr` worked and we got the flag: `NOVI{we_are_halfway_to_christmas!}`.
This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#12-13).