web/my-chemical-romance | LACTF 2023

Ruien Luo, Sun Feb 12 2023 • Tags: web, LACTF 2023

This challenge was part of LACTF 2023, where asmhole placed 33rd out of nearly 1,400 teams.

Challenge description

Author: bliutech
When I was... a young boy... I made a "My Chemical Romance" fanpage!
my-chemical-romance.lac.tf

Solution

I want to preface this with the fact that I've never heard of this band. Don't get mad at me, that's just the truth. Anyway, now that you've (hopefully) gotten past that horrifying fact, back to the challenge.

Opening up the site, it appeared to be nothing special. However, my ultra-mega-super-plus-hacker senses were tingling. I loaded up Burp Suite, proxied the site through it, hit reload, and... voila. There it was. There was an extra header, Source-Control-Management-Type: Mercurial-SCM, in the response.

An extra sus header

Looking into Mercurial, I found that it's an SCM that has lost a lot of popularity. However, clients are still available, so I downloaded TortoiseHg and 'cloned' the website repo.

Let the clone wars begin!

After cloning the site (ignoring SSL certificate checks), the flag was right there in the clear in the commit history.

Not such a hidden flag after all

My Chemical Romance? More like My Cloned Repository!

Flag: lactf{d0nT_6r1nk_m3rCur1al_fr0m_8_f1aSk}
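
A deployment-time check for the mistake this challenge relies on, as an added example that is not part of the original writeup: it walks a web root and reports any version-control metadata directory that would be served along with the site. It assumes the repository data sat inside the deployed directory (Mercurial stores it in .hg); the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Metadata directories of common version-control systems. Mercurial, the SCM
# in this writeup, keeps its whole commit history under ".hg".
SCM_DIRS = {".hg": "Mercurial", ".git": "Git", ".svn": "Subversion", ".bzr": "Bazaar"}


def find_scm_metadata(web_root):
    """Return sorted (relative_path, scm_name) pairs for every SCM metadata
    directory found under web_root, without descending into them."""
    findings = []
    for current, dirs, _files in os.walk(web_root):
        for name in list(dirs):
            if name in SCM_DIRS:
                rel = os.path.relpath(os.path.join(current, name), web_root)
                findings.append((rel.replace(os.sep, "/"), SCM_DIRS[name]))
                dirs.remove(name)  # already a finding; do not walk its contents
    return sorted(findings)


def build_sample_root(base):
    """Constructed sample: a static site deployed together with its .hg directory."""
    os.makedirs(os.path.join(base, "static", "css"))
    os.makedirs(os.path.join(base, ".hg", "store"))
    os.makedirs(os.path.join(base, "static", "vendor", ".git"))
    with open(os.path.join(base, "index.html"), "w") as fh:
        fh.write("<h1>fanpage</h1>")
    return base


def check_sample():
    """Run the scan over the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_scm_metadata(build_sample_root(tmp))


if __name__ == "__main__":
    results = check_sample()
    for path, scm in results:
        print(f"{scm} metadata would be served: {path}/")
    # A non-zero exit status lets a deploy pipeline stop on any finding.
    raise SystemExit(1 if results else 0)
```

Deleting a secret from the working copy does not help once it has been committed, because the history kept under .hg still contains it.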
