CTFtime.org

my first app

by LucidBrot / organizers

Tags: nextjs web 

Rating:

*This is a walkthrough: straight from my mind step-by-step to the discord channel. Straight from discord to here:*

-----

Should be easy (50 points, 146 Solves), is a web app written in next.js.

-----

It's not like I understand much yet, but there is a `pages/api/hello.js` which references a `globalVars.SECRET`:

```javascript
import globalVars from '../../utils/globalVars'

export default function handler(req, res) {
// res.status(200).json({ name: globalVars.FLAG })
res.status(200).json({ name: globalVars.SECRET })
}
```

----

http://my-first-web.balsnctf.com:3000/api/hello leads to a youtube video. Probably a rickroll

```json
{
"name": "here is my secret: https://www.youtube.com/watch?v=jIQ6UV2onyI"
}
```

-----

Nope. It's 10 hours of Nyan Cat instead. 1080p.
has 3'327'333 views so it is not a video with a flag hidden inside.

So it looks like we want globalVars.FLAG, not globalVars.SECRET

-----

in `index.js` there is something accessing another globalVar:
```html
<h1 className={styles.title}>
Welcome to {globalVars.TITLE}
</h1>
```
so I figure we can access `globalVars.FLAG` in a similar way if we find a way to inject something somewhere.
I don't see where though.

-----

`next.js` version seems up to date.

The `_app.js` looks pretty much like the default thing to do, as per [https://nextjs.org/docs/advanced-features/custom-app]( https://nextjs.org/docs/advanced-features/custom-app).

-----

*A Team Member chimes in:*

> Reminds me of
> ![a challenge from a different ctf that used next.js too. It simply sent the secret along.](https://i.imgur.com/8bnvEIc.png)

lol wtf

but idk whether the flag is even in the pageProps. it is an imported global var

*I started looking at the client-side source now, instead of the server-side files.*

-----

**flagged ✔**

I had a look at the Network tab and opened all the javascript files it loaded dynamically to look what they do. Some were minified, so I just searched for a part of the secret youtube link and did find it in http://my-first-web.balsnctf.com:3000/_next/static/chunks/pages/index-1491e2aa877a3c04.js - right next to all the other global variables

```javascript
{default:function(){return l}});var d=c(5893),e=c(9008),f=c.n(e),g=c(5675),h=c.n(g),i=c(214),j=c.n(i),k={TITLE:"My First App!",SECRET:"here is my secret: https://www.youtube.com/watch?v=jIQ6UV2onyI",FLAG:"BALSN{hybrid_frontend_and_api}"};function l()
```

Comments