Stacked Logs

Analyzed server logs to identify an unhandled exception leaking sensitive information and the flag in a local variables dump.

Log Analysis, Web, Forensics, MetaCTF, Medium

Overview

We are provided with a server log containing routine traffic. The goal is to analyze the log entries and identify any anomalies that may reveal the flag.

Analysis

The log file consists of standard HTTP request entries. A quick search for the keyword flag within the logs yields a critical finding.

Relevant Log Entries

[2024-04-25 13:09:46,000] INFO  in app: GET /api/user/profile 200 12ms user_id=204 - werkzeug
[2024-04-25 13:09:50,000] INFO  in app: GET /api/announcements 200 15ms user_id=678 - werkzeug
[2024-04-25 13:10:00,000] INFO  in app: POST /api/hints/42/unlock 402 8ms user_id=501 - werkzeug
[2024-04-25 13:10:04,000] INFO  in app: GET /api/hints/42 200 19ms user_id=815 - werkzeug
[2024-04-25 13:10:13,000] INFO  in app: POST /api/submit 400 30ms user_id=204 - werkzeug
[2024-04-25 13:10:25,000] INFO  in app: GET /api/notifications 200 5ms user_id=815 - werkzeug
[2024-04-25 13:10:27,000] INFO  in app: POST /api/team/invite 200 19ms user_id=815 - werkzeug
[2024-04-25 13:10:31,000] INFO  in app: POST /api/auth/refresh 200 9ms user_id=501 - werkzeug
[2024-04-25 13:10:35,000] INFO  in app: GET /static/js/app.bundle.js 200 202ms user_id=501 - werkzeug
[2024-04-25 13:10:36,000] INFO  in app: GET /api/challenges/40 200 9ms user_id=720 - werkzeug

Exception Traceback

Key insight: An unhandled exception on the /api/validate endpoint leaks sensitive information, including the flag, in the local variables dump.

[2024-04-25 13:10:40,000] INFO  in app: POST /api/validate 500 23ms user_id=338 - werkzeug
[2024-04-25 13:10:49,000] ERROR in app: Exception on /api/validate [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1488, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1466, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.url_values)
  File "/srv/app/api/validate.py", line 47, in validate_submission
    result = validator.check(user_input, flag)
  File "/srv/app/core/validator.py", line 23, in check
    if submission.strip().lower() == expected.strip().lower():
AttributeError: 'NoneType' object has no attribute 'strip'

Local variables (validate_submission):
  request      = <Request 'http://ctf.internal/api/validate' [POST]>
  challenge_id = 42
  user_id      = 338
  flag         = 'MetaCTF{unhandl3d_3xc3pt10ns_l34k_s3cr3ts}'
  user_input   = None
  db_cursor    = <psycopg2.extensions.cursor object at 0x7f3a1c2d4b80>

[2024-04-25 13:10:50,000] INFO  in app: Sending 500 response to user_id=338
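
The triage above as a script: it lists requests answered with a 5xx status and pulls secret-looking values out of any local-variable dump attached to an ERROR entry. This is an added example, not part of the original write-up or the challenge; the function names and the sensitive-name heuristics are assumptions, and the sample is a shortened excerpt of the log above.

```python
import re

# Shortened excerpt of the log shown above, embedded so the script runs offline.
SAMPLE_LOG = """\
[2024-04-25 13:10:36,000] INFO  in app: GET /api/challenges/40 200 9ms user_id=720 - werkzeug
[2024-04-25 13:10:40,000] INFO  in app: POST /api/validate 500 23ms user_id=338 - werkzeug
[2024-04-25 13:10:49,000] ERROR in app: Exception on /api/validate [POST]
Traceback (most recent call last):
  File "/srv/app/api/validate.py", line 47, in validate_submission
    result = validator.check(user_input, flag)
AttributeError: 'NoneType' object has no attribute 'strip'

Local variables (validate_submission):
  user_id      = 338
  flag         = 'MetaCTF{unhandl3d_3xc3pt10ns_l34k_s3cr3ts}'
  user_input   = None

[2024-04-25 13:10:50,000] INFO  in app: Sending 500 response to user_id=338
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>\w+)\s+in \w+: (?P<msg>.*)$")
LOCAL = re.compile(r"^\s+(?P<name>\w+)\s+= (?P<value>.*)$")
# Heuristics (assumptions): names that usually hold secrets, or flag-shaped values.
SENSITIVE_NAME = re.compile(r"flag|secret|token|passw|api_?key", re.I)
FLAG_VALUE = re.compile(r"\w+\{[^}]+\}")

def find_leaks(log_text):
    """Return (timestamp, error message, variable, value) for each suspicious local."""
    findings, entry, in_locals = [], None, False
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:  # a new timestamped entry ends any variable dump
            entry, in_locals = m, False
        elif line.startswith("Local variables"):
            in_locals = True
        elif in_locals and entry and entry["level"] == "ERROR":
            v = LOCAL.match(line)
            if v and (SENSITIVE_NAME.search(v["name"]) or FLAG_VALUE.search(v["value"])):
                findings.append((entry["ts"], entry["msg"], v["name"], v["value"].strip("'")))
    return findings

def server_errors(log_text):
    """Return request lines answered with a 5xx status, the usual starting point."""
    return [m["msg"] for m in map(ENTRY.match, log_text.splitlines())
            if m and re.search(r" 5\d\d \d+ms ", m["msg"])]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```

The same scan run against production logs shows whether an error handler is writing frame locals to disk, which is the condition that exposed the flag here.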

Flag

Retrieved from exception dump
MetaCTF{unhandl3d_3xc3pt10ns_l34k_s3cr3ts}