### Angular of the Universe (flag 1) [139 points] (39 solves) ### Angular of another Universe [239 points] (8 solves) #### [TokyoWesterns CTF 6th 2020](https://ctftime.org/event/1086) - solved together with [kannthu](https://www.youtube.com/channel/UCT2_r44LibWOJcDQJgmYyxw). Files: - [universal-angular-d941f06fcf3bb970ef0d7bef01abbaf451cb24608e4353903fb54feb0cdc7d8d.zip](/ctf/universal-angular-d941f06fcf3bb970ef0d7bef01abbaf451cb24608e4353903fb54feb0cdc7d8d.zip) - [another-universal-angular-patched-16d2a8d2dc1c0014b29c0aaa5e1e30a4cf9492e6627b8e46c4d053fe2d301953.zip](/ctf/another-universal-angular-patched-16d2a8d2dc1c0014b29c0aaa5e1e30a4cf9492e6627b8e46c4d053fe2d301953.zip) *Note: this solution doesn't solve 2nd flag of Angular of the Universe. Both Angular of the Universe (flag 1) and Angular of the Another Universe were solved in same way with same payload, so it doesn't matter which source you follow :)* ### Part 0: research We got an SSR Angular10 typescript application, which is served by an express server hidden behind an nginx. To get the flag we want to go to `/debug/answer`. ### Part 1: bypassing nginx First, nginx has ```nginx location /debug { # IP address restriction. # TODO: add allowed IP addresses here allow 127.0.0.1; deny all; } ``` in it's config. To bypass this we can use a simple `%64ebug/answer`. This allows us to bypass nginx and talk straight to express app (as URL no longer matches the rule). ### Part 2: bamboozling angular Express server contains: ```ts if (process.env.FLAG && req.path.includes('debug')) { return res.status(500).send('debug page is disabled in production env') } ``` We couldn't find a way to bypass this, so we decided to use a bit of brute force. ```python import requests for i in range(10000): r = requests.get(f"http://localhost:8081/a/%252e%252e/{chr(i)}ebug/answer") if r.status_code == 500: continue if "page-not-found" not in r.text: print(f"something - {i} - {chr(i)}") ``` It turns out that sending URL with `(` in it makes server return 504. Weird. We decided to close the parentheses in URL. This time the error says something about `outlets`. *Note: for some reason I couldn't get server to respond with an error about outlets after the CTF (which may be due to infrastructure going down or smth).* We found out that angular's `outlets` to be `router-view` from VueJS / ReactJS and save their components in URL. Interesting. By digging into the [Angular's documentation](https://angular.io/api/router/RouterOutlet#description) it turns out, that default outlet is called `primary`. Going to URL `(primary:%64ebug/answer)` renders the `debug/answer` component server sided yielding us the flag. Angular of the Universe (flag1): `TWCTF{ky0-wa-dare-n0-donna-yume-ni?kurukuru-mewkledreamy!}` Angular of the Another Universe: `TWCTF{theremightbeanotheranotheranotherissuesinuniverse}`