metactf
Task: a protocol manual describes the exact Alice-to-Bob plaintext needed to request the flag, but the live service lacks a real Alice side for model 3. Solution: send Bob the expected message directly, exploiting missing sender and counterpart enforcement to receive the flag.
Alice recv: "Hello", B, "this is", A, "give me the flag"
Bob send: "here it is", [FLAG]
English summary: the challenge provides the expected plaintext protocol transcript in the manual and a live service at https://protocols.live. The bug is that model 3 does not enforce a real Alice counterpart, so we can send Bob the exact expected request ourselves and read the flag.
The PDF already reveals the full message Bob is supposed to receive:
t:Hello|n:bob|t:this is|n:alice|t:give me the flag
On the live service, creating an instance with POST /model/3 returns a conn_id. Trying to interact with Alice fails with:
{"detail":"No alice here, sorry!"}
So this model has no usable Alice endpoint. Sending empty content to Bob also fails with:
{"detail":"Invalid message"}
That shows Bob is validating message structure, but not who actually sent it. If we submit the exact plaintext request from the manual directly to /bob, Bob accepts it and returns the flag. The vulnerability is effectively missing sender validation and missing counterpart enforcement.
1. POST /model/3 and save the returned conn_id.
2. Skip /alice, because this model responds with "No alice here, sorry!".
3. Send t:Hello|n:bob|t:this is|n:alice|t:give me the flag to /bob.
t:here it is|t:DawgCTF{N0_0N3_3LS3_H0M3}
```python
#!/usr/bin/env python3
import requests

BASE = "https://protocols.live"
PAYLOAD = "t:Hello|n:bob|t:this is|n:alice|t:give me the flag"


def main():
    session = requests.Session()

    # Create a model 3 instance and keep its connection id.
    create = session.post(f"{BASE}/model/3")
    create.raise_for_status()
    conn_id = create.json()["conn_id"]

    # Send the manual's Alice-to-Bob request straight to Bob.
    bob = session.post(
        f"{BASE}/bob",
        json={"conn_id": conn_id, "content": PAYLOAD},
    )
    bob.raise_for_status()
    print(bob.json()["content"])


if __name__ == "__main__":
    main()
```
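The missing sender validation and counterpart enforcement described above, seen from Bob's side. This is an added example, not code from the challenge or the original writeup. It contrasts a structure-only check with one that binds the request to an authenticated Alice. The `Connection` class, the `alice_key` field and the HMAC tag are assumptions chosen for illustration, not the service's real design.

```python
import hashlib
import hmac
import secrets

# Request from the manual, and the same request split into (tag, value) fields.
PAYLOAD = "t:Hello|n:bob|t:this is|n:alice|t:give me the flag"
EXPECTED = [("t", "Hello"), ("n", "bob"), ("t", "this is"),
            ("n", "alice"), ("t", "give me the flag")]

def parse(content):
    """Parse the 'tag:value|tag:value' wire format; reject malformed input."""
    fields = []
    for part in content.split("|"):
        tag, sep, value = part.partition(":")
        if not sep or tag not in ("t", "n"):
            raise ValueError("Invalid message")
        fields.append((tag, value))
    return fields

def bob_structure_only(content):
    """Behaviour observed in the writeup: only the message shape is checked."""
    return parse(content) == EXPECTED

class Connection:
    """Hypothetical per-conn_id state held by the service."""
    def __init__(self, has_alice):
        self.has_alice = has_alice
        # Assumed design: a key provisioned only to a real Alice and to Bob.
        self.alice_key = secrets.token_bytes(32) if has_alice else None

def sign(key, content):
    """HMAC-SHA256 tag that Alice attaches to each message (assumed scheme)."""
    return hmac.new(key, content.encode(), hashlib.sha256).hexdigest()

def bob_sender_bound(conn, content, tag=""):
    """Hardened check: counterpart must exist and must authenticate the message."""
    if not conn.has_alice:
        return False  # counterpart enforcement: nobody may speak for a missing Alice
    if not hmac.compare_digest(sign(conn.alice_key, content), tag):
        return False  # sender validation: the tag does not prove Alice sent this
    return parse(content) == EXPECTED
```

With the hardened check, naming alice inside the message body is no longer enough: the request is refused when the connection has no Alice or when the tag does not verify.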