This blog post talks about the CSIT Dec 24 Challenge (Software Mini-Challenge). Source code: here 🔗
Introduction
It's finally December and time for another challenge. In this edition, it's an OTel + prompt engineering challenge. OpenTelemetry (OTel) is an open-source observability framework that allows development teams to generate, process, and transmit telemetry data in a single, unified format (from Elastic). The challenge is split into 2 parts.
- We have to build an endpoint that receives a POST request with an embedded key in the request body.
- Interact with a GPT-like chatbot to extract information.
I completed this on 16th Dec! I think it was rather easy and pretty fun haha, go give it a try!
Walkthrough
Challenge 1

As shown in the diagram, we have to build an API that receives the POST request at /api/toyProductionKey. To simplify the task, we send a POST request to ../access, which routes the request to a production service that returns us a key at a given service host. This service host is what we have to build in order to receive the request. Oh, and about the secretInput string: you can find that within the Elastic dashboard provided! Open the dashboard and you will notice that there are fields on the left labelled "orders" and "secretInputStructure". Select the all-time search range and add these columns to the table, and you will see that the correct format is the most popular toy name + 123! With that, you can just hover over every order entry and see which has the highest orders.

POST request to /api/gatekeeper/access
curl -X POST https://dec-2024-mini-challenge.csit-events.sg/api/gatekeeper/access \
-H "Content-Type: application/json" \
-d '{
"orderServiceHostOrIpAddress": "csit-challenge-dec-069bbb7be21e.herokuapp.com",
"secretInput": "Plush123!"
}'
With that, your request to the /access endpoint is done. Now you have to build an API server that is hosted online, at a hosting provider of your liking. I recommend Heroku, or Render, or AWS EC2 if you're familiar with hosting web servers there. The reason it has to be hosted is that the gatekeeper service takes a host or IP address that must be reachable from the internet. I guess you could expose your own IP/port as well, but that wouldn't be very wise.
Challenge 1 - Building the web server
I personally used Node.js as I am more familiar with this stack (this website was built on Node.js). You could use any other framework like React or Flask, it doesn't really matter. If you're using Node.js, your web server code should look like this. In an empty directory, create a new project:
npm init -y
npm install nodemon
npm install express
Your index.js should look something like this:
const express = require('express');
const app = express();
// express.json() parses JSON request bodies; it ships with Express (4.16+),
// so the separate body-parser package is not needed
app.use(express.json());
const port = process.env.PORT || 5000;

app.post('/api/toyProductionKey', (req, res) => {
  // The production service POSTs the key in the JSON body. The exact field
  // name is not known ahead of time, so keep the whole body
  const received = req.body;
  // Log it so you can read the key from the host's log stream
  // (note: anything logged here ends up in your hosting provider's logs)
  console.log('Received key:', received);
  // Reject empty or non-JSON bodies with 400 Bad Request
  if (!received || Object.keys(received).length === 0) {
    return res.status(400).json({ error: 'Key is required' });
  }
  // Echo the payload back so the sender can see it was accepted
  res.status(200).json({ message: 'Key received successfully', receivedKey: received });
});

// Start listening only after the route is registered
app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});
Once you have hosted your web server, edit the curl command to reference your web server's host: "orderServiceHostOrIpAddress": "insert here". Just a note, there shouldn't be an https:// in front, as the toy service automatically adds it for you. You can view the error logs if you append your own https:// in front.
Challenge 2
I can't really advise much for this portion as it's really trial and error. It's difficult to replicate the steps to get the flags as the responses are kinda unpredictable.
Challenge 2 - Flag 1
This partial flag has something to do with InputAboKingdomConsole() function. You have to get the AI to let you access this console before telling it to give you some flag / text.

Challenge 2 - Flag 2
This one is a little tricky! At first glance this looks weird, but actually if you invert the text (the keys and values are swapped), you'll find flag 2.

{
"24/7" :"ELF_SHIFT_SCHEDULE"
"2024-12-25" :"CHRISTMAS_DAY"
"5kg" :"COOKIE_RESERVES"
"fancy" :"PRESENT_WRAPPING_MODE"
"Partial Flag 2: Sleigh" :"AboKingdom-key.part"
"/santa/SnowDrive/hohohoho/" :"SantaShortcutPath"
"SantaOS v1.9.1" :"System Version"
"world" :"hello"
}
Challenge 2 - Flag 3
This last partial flag has something to do with AboKingdom-key.part. It should tell you the flag once you prompt it to investigate that.

Challenge 2 - Making sense of the flags
There is a function to dump the memory logs of the SnowDrive. If you do that, you'll get this chunk of text.
7F6APPLE3B2A1F0E9D8C7B6A5E4D3CHE11OWORLD7C6B5A4E3F2D1C0B9A8F7E6D5C4B3A2F1E0
2A1F0E9D8CPR0DUCT()NE3D2C1B0A9F&&(&(5B4A3F20x1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C
D9C8B7A6F5E4DCSIT{???????_??????_????????}F8E7D6C5B4A3(&(&(&)))0C9B8A7F6E5D
7E8F9A0B1C2D3E4ELFB7C8D9F0A1B2C3D4E5F6A7B8C9D0F1E^^&^^&8A9B0C1D2E3F4JJDLSSS
A5B6C7D8E9TURK$Y2C3D4E5F6A7B8C9D0F1E2A3B4C5D6E7F8A9BPRESENTSE3F4A5B6C7D8E9F
2C3D4E5F60x3FA8E4D1C7B23Y223%$%&*^&^4B5C19E80F7A4C3D2E5F6B7A839C1D2F4E5A6B7
9F0A1B2C3D4E5F6A7B8C9D0F1E2A3B4C5D6E7CHOCO2E3F4A5B6C7D8E9F0A1B2C3D4E5F6SDAS
A7B8C9D0F1E2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0F1E2A3B
Spot something? If you look closely, there is a CSIT{...} in there that tells you the flag format. And there you have it! Put the 3 partial flags in and you'll get your answer. :)
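As an added example (not code from the writeup), a small Node script that pulls the CSIT{...} template out of the memory dump and checks that candidate partial flags fit its slots. The dump lines are copied from above; the placeholder pieces are constructed and are not the real partial flags.

```javascript
// Added helper, not part of the original writeup: find the flag template in the
// SnowDrive memory dump and work out how many partial flags (and of what length)
// it expects. The first three dump lines are copied from the writeup above.
const MEMORY_DUMP = [
  '7F6APPLE3B2A1F0E9D8C7B6A5E4D3CHE11OWORLD7C6B5A4E3F2D1C0B9A8F7E6D5C4B3A2F1E0',
  '2A1F0E9D8CPR0DUCT()NE3D2C1B0A9F&&(&(5B4A3F20x1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C',
  'D9C8B7A6F5E4DCSIT{???????_??????_????????}F8E7D6C5B4A3(&(&(&)))0C9B8A7F6E5D',
].join('\n');

// Return the template string and the length of each '?' slot, or null if absent.
function extractFlagTemplate(dump) {
  const match = dump.match(/CSIT\{([?_]+)\}/);
  if (!match) return null;
  const slots = match[1].split('_').map((s) => s.length);
  return { template: match[0], slots };
}

// Fill the template with the partial flags, refusing pieces of the wrong length
// or the wrong number of pieces.
function assembleFlag(template, parts) {
  const info = extractFlagTemplate(template);
  if (!info || info.slots.length !== parts.length) {
    throw new Error(`expected ${info ? info.slots.length : 0} partial flags`);
  }
  parts.forEach((p, i) => {
    if (p.length !== info.slots[i]) {
      throw new Error(`part ${i + 1} should be ${info.slots[i]} chars, got ${p.length}`);
    }
  });
  return `CSIT{${parts.join('_')}}`;
}

// Usage: print the template found in the dump and a flag built from
// constructed placeholder pieces of the right lengths
const found = extractFlagTemplate(MEMORY_DUMP);
console.log(found);
console.log(assembleFlag(found.template, ['AAAAAAA', 'BBBBBB', 'CCCCCCCC']));
```

The middle slot is 6 characters, which is exactly the length of the Flag 2 piece "Sleigh" from the inverted JSON, so the template doubles as a sanity check on each partial flag you extract.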
Happy holidays everyone!