Analyzed server logs to identify an unhandled exception leaking sensitive information and the flag in a local variables dump.
We are provided with a server log containing routine traffic. The goal is to analyze the log entries and identify any anomalies that may reveal the flag.
The log file consists of standard HTTP request entries. A quick search for the keyword "flag" within the logs yields a critical finding. The surrounding entries look like routine traffic:
[2024-04-25 13:09:46,000] INFO in app: GET /api/user/profile 200 12ms user_id=204 - werkzeug
[2024-04-25 13:09:50,000] INFO in app: GET /api/announcements 200 15ms user_id=678 - werkzeug
[2024-04-25 13:10:00,000] INFO in app: POST /api/hints/42/unlock 402 8ms user_id=501 - werkzeug
[2024-04-25 13:10:04,000] INFO in app: GET /api/hints/42 200 19ms user_id=815 - werkzeug
[2024-04-25 13:10:13,000] INFO in app: POST /api/submit 400 30ms user_id=204 - werkzeug
[2024-04-25 13:10:25,000] INFO in app: GET /api/notifications 200 5ms user_id=815 - werkzeug
[2024-04-25 13:10:27,000] INFO in app: POST /api/team/invite 200 19ms user_id=815 - werkzeug
[2024-04-25 13:10:31,000] INFO in app: POST /api/auth/refresh 200 9ms user_id=501 - werkzeug
[2024-04-25 13:10:35,000] INFO in app: GET /static/js/app.bundle.js 200 202ms user_id=501 - werkzeug
[2024-04-25 13:10:36,000] INFO in app: GET /api/challenges/40 200 9ms user_id=720 - werkzeug
The /api/validate endpoint leaks sensitive information, including the flag, in the local variables dump that the application appends to the traceback of an unhandled exception:
[2024-04-25 13:10:40,000] INFO in app: POST /api/validate 500 23ms user_id=338 - werkzeug
[2024-04-25 13:10:49,000] ERROR in app: Exception on /api/validate [POST]
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1488, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1466, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**req.url_values)
File "/srv/app/api/validate.py", line 47, in validate_submission
result = validator.check(user_input, flag)
File "/srv/app/core/validator.py", line 23, in check
if submission.strip().lower() == expected.strip().lower():
AttributeError: 'NoneType' object has no attribute 'strip'
Local variables (validate_submission):
request = <Request 'http://ctf.internal/api/validate' [POST]>
challenge_id = 42
user_id = 338
flag = 'MetaCTF{unhandl3d_3xc3pt10ns_l34k_s3cr3ts}'
user_input = None
db_cursor = <psycopg2.extensions.cursor object at 0x7f3a1c2d4b80>
[2024-04-25 13:10:50,000] INFO in app: Sending 500 response to user_id=338
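The manual search above generalizes to a small detection pass over the whole log: count 5xx responses per endpoint, then walk every "Exception on" entry and report any local-variable dump that contains a secret-looking name or a flag-shaped value. The script below is an added example written for this writeup, not part of the challenge or its server; it assumes the log format shown on the page (the SAMPLE_LOG excerpt is constructed from those entries) and the "Local variables (function):" dump layout.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same format as the writeup's log (abridged traceback).
SAMPLE_LOG = """\
[2024-04-25 13:10:36,000] INFO in app: GET /api/challenges/40 200 9ms user_id=720 - werkzeug
[2024-04-25 13:10:40,000] INFO in app: POST /api/validate 500 23ms user_id=338 - werkzeug
[2024-04-25 13:10:49,000] ERROR in app: Exception on /api/validate [POST]
Traceback (most recent call last):
  File "/srv/app/api/validate.py", line 47, in validate_submission
    result = validator.check(user_input, flag)
AttributeError: 'NoneType' object has no attribute 'strip'
Local variables (validate_submission):
  request = <Request 'http://ctf.internal/api/validate' [POST]>
  challenge_id = 42
  user_id = 338
  flag = 'MetaCTF{unhandl3d_3xc3pt10ns_l34k_s3cr3ts}'
  user_input = None
[2024-04-25 13:10:50,000] INFO in app: Sending 500 response to user_id=338
"""

# One structured log entry: "[timestamp] LEVEL in logger: message"
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>\w+) in (?P<logger>\w+): (?P<msg>.*)$")
# Request-line messages: "METHOD /path STATUS ..."
REQ_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) ")
EXC_RE = re.compile(r"^Exception on (?P<path>\S+) \[(?P<method>[A-Z]+)\]")
LOCALS_HDR_RE = re.compile(r"^Local variables \((?P<func>\w+)\):$")
LOCAL_RE = re.compile(r"^\s*(?P<name>\w+) = (?P<value>.*)$")

# Heuristics for what counts as a leaked secret: a sensitive-looking variable name,
# or any value shaped like a CTF flag (PREFIX{...}).
SENSITIVE_NAMES = re.compile(r"(flag|secret|passw|token|api_?key|private)", re.I)
FLAG_VALUE_RE = re.compile(r"[A-Za-z0-9_]+\{[^}]+\}")


@dataclass
class Finding:
    timestamp: str
    path: str
    method: str
    function: str
    leaked: dict = field(default_factory=dict)


def server_errors(log_text):
    """Count 5xx responses per endpoint: a cheap first pass before reading tracebacks."""
    counts = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        r = REQ_RE.match(m["msg"])
        if r and r["status"].startswith("5"):
            counts[r["path"]] = counts.get(r["path"], 0) + 1
    return counts


def parse_findings(log_text):
    """Return one Finding per exception entry whose locals dump exposes a secret."""
    findings = []
    current = None      # the exception entry whose continuation lines we are inside
    in_locals = False   # True once the "Local variables (...)" header was seen
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Any new structured entry ends the previous traceback block.
            in_locals = False
            current = None
            if m["level"] == "ERROR":
                e = EXC_RE.match(m["msg"])
                if e:
                    current = Finding(m["ts"], e["path"], e["method"], "")
                    findings.append(current)
            continue
        if current is None:
            continue
        h = LOCALS_HDR_RE.match(line)
        if h:
            current.function = h["func"]
            in_locals = True
            continue
        if in_locals:
            v = LOCAL_RE.match(line)
            if v and (SENSITIVE_NAMES.search(v["name"]) or FLAG_VALUE_RE.search(v["value"])):
                current.leaked[v["name"]] = v["value"].strip("'\"")
    return [f for f in findings if f.leaked]


if __name__ == "__main__":
    print("5xx by endpoint:", server_errors(SAMPLE_LOG))
    for f in parse_findings(SAMPLE_LOG):
        print(f"{f.timestamp} {f.method} {f.path} in {f.function}() leaked: {sorted(f.leaked)}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the two regex lists at the top are the only parts tied to this log format and can be extended (for example with key-material patterns) without touching the parser.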
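The writeup does not show how the server produced the locals dump. The following added example (not the challenge's code) reproduces the failure with the standard-library traceback module, whose capture_locals=True option emits every frame's variables exactly the way the log above does, and sets two fixes beside it: redacting sensitive names before the traceback is logged, and rejecting a missing submission field before it reaches the comparison that raises. The function names, the EXPECTED placeholder flag and the SENSITIVE name list are this example's own assumptions.

```python
import traceback

# Placeholder secret for the demonstration; not the page's flag.
EXPECTED = "MetaCTF{example_placeholder_flag}"
# Local-variable names that must never reach a log verbatim (assumed list).
SENSITIVE = ("flag", "expected", "secret", "password", "token")


def check(submission, expected):
    # Same comparison as the page's validator.check: raises AttributeError when
    # submission is None, because NoneType has no strip().
    return submission.strip().lower() == expected.strip().lower()


def validate_submission_unsafe(payload, flag):
    # Mirrors the failing handler: a missing "answer" field becomes None and is
    # passed straight into check().
    user_input = payload.get("answer")
    return check(user_input, flag)


def validate_submission_safe(payload, flag):
    # Hardened handler: validate the input type first so the secret-holding
    # frame never raises on malformed input.
    user_input = payload.get("answer")
    if not isinstance(user_input, str):
        return (400, "answer must be a string")
    return (200, "correct" if check(user_input, flag) else "incorrect")


def format_with_locals(exc):
    """Weak setting: capture_locals=True writes every frame's variables into the output."""
    te = traceback.TracebackException.from_exception(exc, capture_locals=True)
    return "".join(te.format())


def format_redacted(exc):
    """Hardened: keep locals for debugging but mask sensitive names before logging."""
    te = traceback.TracebackException.from_exception(exc, capture_locals=True)
    for frame in te.stack:
        if frame.locals:
            for name in list(frame.locals):
                if any(s in name.lower() for s in SENSITIVE):
                    frame.locals[name] = "<redacted>"
    return "".join(te.format())


def demo(formatter):
    """Trigger the page's failure with an empty request body and format it."""
    try:
        validate_submission_unsafe({}, EXPECTED)
    except AttributeError as exc:
        return formatter(exc)


if __name__ == "__main__":
    print("--- capture_locals=True (leaks) ---")
    print(demo(format_with_locals))
    print("--- redacted ---")
    print(demo(format_redacted))
    print("--- input validated ---")
    print(validate_submission_safe({}, EXPECTED))
```

Both fixes belong together: input validation removes this particular crash, while redaction (or simply not capturing locals in production) protects against every other exception path that reaches a frame holding the secret.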