Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Do you know this common Go vulnerability? - 1604

LiveOverflow, posted 1 year ago
  • Go is built to run concurrent code. In this CTF challenge, a subtle issue is abused around concurrency.
  • The challenge is a key-value store HTTP service. The service also has an arbitrary file read vulnerability, triggered by specifying a file name. However, the flag file cannot simply be read, because the response is checked for the flag string.
  • This protection can be bypassed through the /proc file system. However, that relies on the process having a file descriptor open for the flag. It works, but it wasn't the intended solution. Still, a super clever abuse and solve!
  • The intended solution is a subtle Go issue. The /get and /set HTTP handlers run concurrently. The err variable used for the arbitrary file read's flag check is global! This means that other goroutines, such as the /set handler, read and write the same variable.
  • So, here's how to exploit it:
    1. Use the arbitrary file read on the /get API to read the flag. This returns an error because of the string check.
    2. Use /set to change the error variable back to false.
    3. The error check in the /get handler no longer triggers, because the variable was overwritten from the other goroutine.
    4. Flag is read!
  • Concurrency in Go is a core part of the language's design. As a result, code should be checked for insecure concurrent use of shared state. I loved both the intended and unintended solutions for this!
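The bug pattern from the notes above, as an added Go example written for this page (constructed here, not the challenge's or LiveOverflow's code): a package-level err shared by both handlers next to a hardened handler whose err is local to each call. The interleave callback is an assumption standing in for the scheduler running the other handler at the worst moment; the file names, contents and store are constructed.

```go
package main

import (
	"errors"
	"strings"
	"sync"
)

// Constructed in-memory stand-in for the challenge's file system.
var files = map[string]string{"notes.txt": "hello", "flag.txt": "flag{constructed-example}"}
var store sync.Map // the key-value store written by /set
var err error      // VULNERABLE: package-level, so every handler goroutine shares it

// vulnerableGet mirrors the /get handler; interleave stands in for the scheduler
// running another handler between the flag check and the error test.
func vulnerableGet(name string, interleave func()) (data string, _ error) {
	data, err = readFile(name) // plain "=" writes the shared err
	if err == nil && strings.Contains(data, "flag{") {
		err = errors.New("flag content not allowed")
	}
	interleave() // a concurrent vulnerableSet can clear err right here
	if err != nil {
		return "", err
	}
	return data, nil
}

func vulnerableSet(key, value string) { // mirrors /set; writes the same shared err
	store.Store(key, value)
	err = nil
}

// safeGet is the hardened form: ":=" makes err local to each call (deleting the global is better still).
func safeGet(name string) (string, error) {
	data, err := readFile(name)
	if err == nil && strings.Contains(data, "flag{") {
		err = errors.New("flag content not allowed")
	}
	if err != nil {
		return "", err
	}
	return data, nil
}

func readFile(name string) (string, error) {
	if data, ok := files[name]; ok {
		return data, nil
	}
	return "", errors.New("no such file")
}
```

In a real service the race detector (`go build -race` or `go test -race`) reports the unsynchronized writes to the shared variable as soon as the two handlers actually run concurrently, which is how this class of bug is caught before a CTF player finds it.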