[pbctf 2020] R0bynotes

Rails is secure by default so it’s perfect for my amazing notes app https://r0bynotes.chal.perfect.blue - source

Note: If you find the flag, please remove the flag{..} wrapper and wrap it with pbctf{…} instead

We’re presented with a Ruby on Rails application, which always comes with a lot of files, directories and other kinds of cruft, so let’s get down to the files that normally really matter: the controllers. (On the way to opening that folder, also note that there’s a read_flag binary, so we’ll need to get RCE.

[pbctf 2020] Sploosh

I wanted to make my own URL scraper, but parsing HTML is hard, so I used some random open source scraping project instead. http://sploosh.chal.perfect.blue/ - links to the source

When first opening the webpage, we’re also given the source. Looking at that, we find that the URLs are submitted to a splash service, and we’re then just shown the (seemingly useless and constant) geometry information. Our target is to access flag.

[ASIS CTF Finals 2019] Andex

We start off with a single APK. Running this through jadx-gui, we quickly find a list of API endpoints (some without the actual URL) in APIInterface and a base URL of (found in Utils):

PostUserProf: no url yet
getConf: api/get_config/{rolid}
getDex: api/get_dex/{dex}
getReg: api/userClass/register/{name}
getShopItem: no url yet
getShopOrder: no url yet
getShopOrderD: no url yet
getUserProf: no url yet

Following through the logic for SplashScreen, we register a user for ourselves and receive an encryption key, a role ID and a UUID, which serves as our authentication token.

[Insomni’Hack 2019] Phuck3 (500, php) / Bypassing open_basedir with two simple lines of php.

(Note: I wasn’t able to solve this challenge during the CTF, but I solved it afterwards)

The challenge description gives us a web server address and a text saying that we should use only PHP’s built-in functions to get the /flag and show the webmaster that the PHP built-in functions are insecure as well. Upon loading the website address, we are immediately greeted with an image as well as - presumably - the code for the index.