25C3-CTF
Advisory #80
From team OpenTU
New advisory by: anonymous coward
Affected service(s): goffer
Severity [lmh] : medium
===== Problem =====
When entering the command "dir", a new file "listing" with the contents of the directory (containing the flags) is created. This file can be retrieved by simply requesting the file "listing".
===== Impact =====
A list of all flag keys (albeit reversed) is returned; the flags can then be retrieved by entering the flag keys.
===== Fix =====
As a quick fix:
execute "rm listing && touch listing" as root
As a not-so-quick fix:
remove the lines 22 and 23 in goferdee.lol (and delete the file "listing" if it exists)
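A check for the quick fix above, added here as an example and not part of the original advisory: it confirms that "listing" in a given directory is an empty regular file, owned by root, and not writable by group or other. It assumes the service runs as an unprivileged user, so that a root-owned file is what stops the "dir" command from refilling it; `check_listing` and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the quick-fix state of "listing".
# Assumption: the service runs unprivileged, so a root-owned file blocks its writes.
# Usage: check_listing <service-dir> [expected-uid]

# Prints one line per finding; returns 0 only when the quick fix is in place.
check_listing() {
    dir=$1
    want_uid=${2:-0}              # 0 = root, as in the advisory's quick fix
    f="$dir/listing"
    rc=0

    if [ -L "$f" ]; then
        echo "FAIL: $f is a symlink, not a plain file"
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is missing, so the service is free to create it again"
        return 1
    fi
    if [ -s "$f" ]; then
        echo "FAIL: $f is not empty and may still hold a directory listing"
        rc=1
    fi

    # "ls -ldn" prints the mode string first and the numeric owner third.
    meta=$(ls -ldn "$f")
    mode=${meta%% *}
    uid=$(echo "$meta" | awk '{print $3}')

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $f is owned by uid $uid, expected $want_uid"
        rc=1
    fi
    case $mode in
        ?????w*|????????w*)       # 6th char = group write, 9th = other write
            echo "FAIL: $f is writable by group or other ($mode)"
            rc=1
            ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $f is empty, owned by uid $want_uid, mode $mode"
    return "$rc"
}
```

Run it again after exercising the service: a file that was empty at fix time but is refilled later shows up as the "not empty" finding.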
Rating
[2] nice one :)