Никто, конечно, не чиллил — alfactf

Description

Никто, конечно, не чиллил

Сервис: noonechilled

The target was a corporate intranet service at https://noonechilled-gvgof6lm.alfactf.ru. Source code was provided, and the goal was to recover a boss vacation code and use it as an employee to reach the flag.

Short Summary

This challenge was a four-bug chain:

1. a custom dispatcher matched only a route prefix and ignored trailing path segments,
2. nginx cached any URL that looked like a static file without varying on authentication,
3. the boss bot fetched attacker-supplied image URLs with its authenticated session,
4. a valid boss vacation code could be submitted by any employee to deactivate their account and receive the flag.

Together, these issues turned a boss-only API response into a public cached .png URL.

Reconnaissance

The Docker topology in docker-compose.yml immediately exposed the interesting trust boundaries:

• the public frontend sits behind nginx,
• backend API requests are served from http://nginx / http://backend,
• the boss bot also talks to API_BASE_URL=http://nginx,
• the bot credentials are [email protected] / WhiteboxBossPassword123! in the local compose file.

That suggested two useful directions: look for proxy/cache behavior in nginx, and inspect whether the bot can be induced to fetch attacker-controlled URLs from inside the Docker network.

Root Cause Analysis

1. Custom dispatcher suffix bypass

The main routing bug is in backend/app/api/http_dispatch.py:

def match(self, method: str, segments: list[str]) -> dict[str, str] | None:
    if method != self.method or len(segments) < len(self.pattern):
        return None

    params: dict[str, str] = {}
    for part, segment in zip(self.pattern, segments):
        if isinstance(part, PathParam):
            params[part.name] = segment
            continue
        if part != segment:
            return None
    return params

...