Bricktator v2
umasscybersec
Task: a Spring Boot control panel exposed session metadata through an authenticated actuator endpoint and used deterministic share-based session ids. Solution: reconstruct the quadratic session polynomial, classify YANKEE_WHITE sessions with a timing oracle, then complete the public multi-party override flow with forged session cookies.
Bricktator v2 — UMass Cybersecurity CTF
Description
NUCLEAR CONTROL CENTER — TARGETED ESPIONAGE
We have gathered intelligence that their override system requires four individuals with the highest security clearance to shut down. You must infiltrate their control systems and compromise four accounts.
Luckily, the Bricktator is not very tech literate, and we have managed to compromise his credentials from a spear-phishing attack.
bricktator/goldeagle.
English summary: this was a Spring Boot web challenge where one valid low-privilege login exposed enough session metadata to recover every seeded session id in the system. A timing side channel then separated high-clearance sessions from normal ones, which made the multi-party override solvable.
Challenge Summary
The challenge starts with working credentials for bricktator/goldeagle. After login, the application exposes Spring actuator endpoints, and one of them leaks session ids by username. Those session ids are not random: they are deterministic shares from a quadratic polynomial modulo a prime. Once that polynomial is reconstructed, all valid session ids can be generated offline.
The final step is not simple session forgery by itself. The override workflow needs multiple YANKEE_WHITE participants, so the remaining problem is to classify which enumerated sessions belong to that role. That distinction leaks through a timing oracle in /command, allowing recovery of four extra privileged sessions and completion of the shutdown flow.
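To make concrete why share-based session ids are a design flaw rather than a clever detail, here is an added example (not code from this writeup) of the reconstruction step it describes: three leaked (index, session id) pairs fix a quadratic modulo a prime via Lagrange interpolation, after which every other id is predictable, so an audit of such a scheme should treat it as equivalent to sequential ids. The prime, the coefficients and the index-to-user mapping are constructed for illustration; the challenge's actual modulus and values are not on this page.

```python
# Added example: Lagrange interpolation over GF(p) showing that ids of the
# form id_i = f(i) mod p, with f quadratic, are fully determined by any three.
# P and the coefficients below are constructed for illustration only.

P = 2**31 - 1  # constructed prime; not the challenge's modulus


def eval_poly(coeffs, x, p=P):
    """Evaluate a polynomial (lowest-degree coefficient first) at x mod p."""
    return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p


def lagrange_coeffs(points, p=P):
    """Recover the coefficients of the unique polynomial of degree < len(points)
    passing through the given (x, y) pairs, working modulo the prime p."""
    n = len(points)
    result = [0] * n
    for i, (xi, yi) in enumerate(points):
        # Basis polynomial L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)
        basis = [1]
        denom = 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            new = [0] * (len(basis) + 1)  # multiply basis by (x - xj)
            for k, b in enumerate(basis):
                new[k] = (new[k] - xj * b) % p
                new[k + 1] = (new[k + 1] + b) % p
            basis = new
            denom = denom * (xi - xj) % p
        scale = yi * pow(denom, p - 2, p) % p  # modular inverse via Fermat
        for k, b in enumerate(basis):
            result[k] = (result[k] + scale * b) % p
    return result


def predictable_from_three(session_ids, p=P):
    """Audit check: fit a quadratic to the first three (index, id) pairs and
    report whether it predicts every remaining id. True means the ids are
    deterministic shares and three leaked values reveal the whole set."""
    pts = list(enumerate(session_ids, start=1))
    coeffs = lagrange_coeffs(pts[:3], p)
    return all(eval_poly(coeffs, x, p) == y for x, y in pts[3:])


if __name__ == "__main__":
    secret = [123456789, 987654321, 555555555]  # constructed coefficients
    ids = [eval_poly(secret, i) for i in range(1, 8)]
    print(lagrange_coeffs(list(enumerate(ids, start=1))[:3]) == secret)  # True
    print(predictable_from_three(ids))  # True
```

Ids drawn from a CSPRNG fail the check, which is the property a session store should have.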
Recon Findings
After reading the dossier and logging in as bricktator, the most important observations were:
...