N0PSctf - Jojochat 1/2


Misc

The kidnappers of Jojo have been developing their own chat platform. We need you to get admin access on it, in order to stop their evil activities.

Use Jojo Chat 1/2 Instance for this challenge.

Author: algorab

create_account() is particularly interesting, especially the line `log = open("./log/{name}", w)`. The username we type at the prompt is interpolated straight into a file path that is then opened for writing, so we control where a file gets written on the system: a path traversal. In order to get the flag, we have to become admin. Below in the code we can see

So, let's become an admin?

```bash
sc nopsctf-2a5f608d0f4c-jojo_chat_v1-1.chals.io
```

Then log in and look at the messages: admin has already posted!

Let's create a brand-new account named "/admin". The application treats it as a different username from "admin", but for the filesystem it is the same file: "./log//admin" and "./log/admin" resolve to the same path (this is how the OS resolves paths, nothing specific to bash). Since the log is opened in write mode, creating "/admin" overwrites the existing admin user's file, and we can then reach the admin() function.
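To make the collision concrete, here is an added example (not the challenge's own code, which is not reproduced on this page) that reconstructs the assumed shape of the vulnerable create_account() pattern beside a hardened version. The function names, the temporary log directory and the "role=..." file contents are assumptions for illustration; the point is that "admin" and "/admin" pass a string comparison as different names yet open the same file, and that an allowlisted username plus a realpath containment check and exclusive-create mode ("x") close the hole.

```python
import os
import re
import tempfile


# --- vulnerable pattern (assumed reconstruction of the challenge's logic) ---

def vulnerable_log_path(log_dir: str, name: str) -> str:
    # Username goes straight into the path, like open(f"./log/{name}", "w").
    return f"{log_dir}/{name}"


def vulnerable_create_account(log_dir: str, name: str, content: str) -> str:
    path = vulnerable_log_path(log_dir, name)
    with open(path, "w") as log:  # "w" truncates whatever file is already there
        log.write(content)
    return path


# --- hardened version ---

# Allowlist: no "/", no "." and therefore no "//" or ".." tricks.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def safe_log_path(log_dir: str, name: str) -> str:
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    base = os.path.realpath(log_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Belt and braces: the resolved file must sit directly inside the log dir.
    if os.path.dirname(path) != base:
        raise ValueError(f"username escapes log directory: {name!r}")
    return path


def safe_create_account(log_dir: str, name: str, content: str) -> str:
    path = safe_log_path(log_dir, name)
    with open(path, "x") as log:  # "x" fails if the account file already exists
        log.write(content)
    return path


# --- demonstrations (constructed data, run in a fresh temporary directory) ---

def demo_collision() -> dict:
    """Register 'admin', then '/admin': the second call overwrites the first."""
    log_dir = tempfile.mkdtemp()
    vulnerable_create_account(log_dir, "admin", "role=admin\n")
    vulnerable_create_account(log_dir, "/admin", "role=attacker\n")
    with open(os.path.join(log_dir, "admin")) as f:
        admin_log = f.read()
    same_file = os.path.normpath(vulnerable_log_path(log_dir, "admin")) == \
        os.path.normpath(vulnerable_log_path(log_dir, "/admin"))
    return {
        "same_file": same_file,
        "admin_log": admin_log,
        "dir_entries": sorted(os.listdir(log_dir)),  # only one file was created
    }


def demo_hardened() -> dict:
    """Show which usernames the hardened version accepts and that duplicates fail."""
    log_dir = tempfile.mkdtemp()
    accepted = {}
    for name in ("admin", "/admin", "../admin", "admin/../admin", "alice", ""):
        try:
            safe_log_path(log_dir, name)
            accepted[name] = True
        except ValueError:
            accepted[name] = False
    safe_create_account(log_dir, "admin", "role=admin\n")
    try:
        safe_create_account(log_dir, "admin", "role=attacker\n")
        duplicate_rejected = False
    except FileExistsError:
        duplicate_rejected = True
    return {"accepted": accepted, "duplicate_rejected": duplicate_rejected}


if __name__ == "__main__":
    print(demo_collision())
    print(demo_hardened())
```

The regex does the real work; the realpath check is there so that a later relaxation of the allowlist still cannot write outside the log directory, and "x" mode turns "this account already exists" into an error instead of a silent overwrite.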

Here’s the flag : N0PS{pY7h0n_p4Th_7r4v3r54l}