misc free easy

Protocol Analysis 3: Missing

metactf

Task: a protocol manual describes the exact Alice-to-Bob plaintext needed to request the flag, but the live service lacks a real Alice side for model 3. Solution: send Bob the expected message directly, exploiting missing sender and counterpart enforcement to receive the flag.

$ ls tags/ techniques/
direct_bob_trigger plaintext_protocol_abuse missing_counterpart_enforcement

Description

Alice recv: "Hello", B, "this is", A, "give me the flag"
Bob send: "here it is", [FLAG]

English summary: the challenge provides the expected plaintext protocol transcript in the manual and a live service at https://protocols.live. The bug is that model 3 does not enforce a real Alice counterpart, so we can send Bob the exact expected request ourselves and read the flag.

Analysis

The PDF already reveals the full message Bob is supposed to receive:

t:Hello|n:bob|t:this is|n:alice|t:give me the flag

On the live service, creating an instance with POST /model/3 returns a conn_id. Trying to interact with Alice fails with:

{"detail":"No alice here, sorry!"}

So this model has no usable Alice endpoint. Sending empty content to Bob also fails with:

{"detail":"Invalid message"}

That shows Bob is validating message structure, but not who actually sent it. If we submit the exact plaintext request from the manual directly to /bob, Bob accepts it and returns the flag. The vulnerability is effectively missing sender validation and missing counterpart enforcement.
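
The gap described above, modelled offline as an added example (not the challenge's code): a Bob handler that checks only message structure, next to a variant that also requires proof of who sent it. Reading `t:` as text and `n:` as a name, and the HMAC scheme, key, nonce and flag value, are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

MANUAL_MSG = "t:Hello|n:bob|t:this is|n:alice|t:give me the flag"  # from the manual
EXPECTED = [("t", "Hello"), ("n", "bob"), ("t", "this is"),
            ("n", "alice"), ("t", "give me the flag")]
FLAG = "FLAG{constructed-placeholder}"   # constructed, not the real flag
ALICE_KEY = b"constructed-demo-key"      # hypothetical key shared by Alice and Bob

def parse(wire):
    """Split 'tag:value|tag:value' into (tag, value) pairs; reject malformed input."""
    fields = []
    for part in wire.split("|"):
        tag, sep, value = part.partition(":")
        if not sep or tag not in ("t", "n") or not value:
            raise ValueError("Invalid message")
        fields.append((tag, value))
    return fields

def bob_structure_only(wire):
    """Behaviour the writeup describes: content is checked, the sender is not."""
    if parse(wire) != EXPECTED:
        raise ValueError("Invalid message")
    return ["here it is", FLAG]

def alice_tag(wire, nonce):
    """What a real Alice would attach: HMAC over Bob's fresh nonce and the message."""
    return hmac.new(ALICE_KEY, nonce + b"|" + wire.encode(), hashlib.sha256).hexdigest()

def bob_authenticated(wire, nonce, tag):
    """Hardened variant: the claimed sender must prove knowledge of Alice's key."""
    if parse(wire) != EXPECTED:
        raise ValueError("Invalid message")
    if not hmac.compare_digest(alice_tag(wire, nonce), tag):
        raise PermissionError("sender not authenticated as alice")
    return ["here it is", FLAG]

if __name__ == "__main__":
    print(bob_structure_only(MANUAL_MSG))            # accepted from any sender
    nonce = secrets.token_bytes(16)                  # fresh per connection
    print(bob_authenticated(MANUAL_MSG, nonce, alice_tag(MANUAL_MSG, nonce)))
    try:
        bob_authenticated(MANUAL_MSG, nonce, "00" * 32)  # no key, so no valid tag
    except PermissionError as exc:
        print("rejected:", exc)
```

Because the tag covers a nonce that Bob issues per connection, a tag captured from one session does not verify in another.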

Solution

...
