# b01lers CTF 2020 – Space Noodles

* **Category:** web  
* **Points:** 200

## Challenge

> What do you get when you cross spaghetti with zero g's?  
>  
> http://web.ctf.b01lers.com:1003/

## Solution

This was a guessing challenge and I didn't like it very much.

Requesting the homepage with `GET` returns a "Not Allowed" error page, even
though the status line is `200 OK`.

```  
GET / HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 121  
Server: Werkzeug/1.0.0 Python/3.7.6  
Date: Sat, 14 Mar 2020 10:24:44 GMT

<title>Not Allowed</title>  
<h1>Not Allowed</h1>  

Cant GET /

  
```

If you send an invalid HTTP verb, the server replies with `405 METHOD NOT ALLOWED` and lists all the allowed methods in the `Allow` header.

```  
POTATOE / HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.0 405 METHOD NOT ALLOWED  
Content-Type: text/html; charset=utf-8  
Allow: GET, HEAD, PUT, PATCH, CONNECT, OPTIONS, TRACE, DELETE, POST  
Content-Length: 178  
Server: Werkzeug/1.0.0 Python/3.7.6  
Date: Sat, 14 Mar 2020 10:26:17 GMT

<title>405 Method Not Allowed</title>  
<h1>Method Not Allowed</h1>  

The method is not allowed for the requested URL.

  
```

Trying each method shows that some of them, namely `POST` and `PUT`, return a
different result.

```  
POST / HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 570  
Server: Werkzeug/1.0.0 Python/3.7.6  
Date: Sat, 14 Mar 2020 10:31:13 GMT

<html>  
</body>  
<body>  
<text>

</text>text ? pleas test teh follwing five roots

,

  
<list>  
<one>

circle</one>  
<enter>  
<enter>  
<sendkey(enter)>

two  
I'm am making an a pea eye and its grate

PHP is the best  
<php?> printf(hello world) </php>  
squaretwo

:pleasequithelpwww.google.  
com/seaerch

how to exit  
vim/quit  
:wqwhy isnt it working:wq:wq:wq:qw?

</body>  
</html>  
```

At this point you have to guess that the following endpoints are present:  
* `/circle/one/`;  
* `/two/`;  
* `/square/`;  
* `/com/seaerch/`;  
* `/vim/quit/`.

For each endpoint, you have to try all HTTP verbs in order to discover the
correct one to use.
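The per-verb comparison can be automated when auditing a service you run yourself. The following is an added example, not part of the original writeup: it starts a constructed local stand-in server (the names `Handler`, `probe`, `outliers` and `demo` are hypothetical) that imitates the per-verb behaviour this writeup reports for `/two/`, then fingerprints each verb's response and reports the verbs that differ from the majority.

```python
import http.client
import socketserver
import threading
from collections import defaultdict
from http.server import BaseHTTPRequestHandler

# Verbs taken from the Allow header in the 405 response.
VERBS = ["GET", "HEAD", "PUT", "PATCH", "CONNECT", "OPTIONS", "TRACE", "DELETE", "POST"]

class Handler(BaseHTTPRequestHandler):  # constructed local stand-in, not the real server
    SPECIAL = {("PUT", "/two/"): ("text/html", b"Put the dots???"),
               ("CONNECT", "/two/"): ("image/png", b"\x89PNG constructed sample")}
    log_message = lambda *args: None  # keep the demo quiet

    def _reply(self):
        ctype, body = self.SPECIAL.get((self.command, self.path),
                                       ("text/html", b"<h1>Not Allowed</h1>"))
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

for _verb in VERBS:  # route every verb to the same handler
    setattr(Handler, "do_" + _verb, Handler._reply)

def probe(host, port, path):
    """Map (status, Content-Type, Content-Length) to the verbs that produced it."""
    groups = defaultdict(list)
    for verb in VERBS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(verb, path)
        resp = conn.getresponse()
        resp.read()
        key = (resp.status, resp.getheader("Content-Type"), resp.getheader("Content-Length"))
        groups[key].append(verb)
        conn.close()
    return dict(groups)

def outliers(groups):
    """Verbs whose response fingerprint differs from the most common one."""
    baseline = max(groups, key=lambda k: len(groups[k]))
    return sorted(v for k, vs in groups.items() if k != baseline for v in vs)

def demo():
    with socketserver.TCPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        found = outliers(probe("127.0.0.1", server.server_address[1], "/two/"))
        server.shutdown()
    return found
```

The fingerprint uses the `Content-Length` header rather than the bytes read, so `HEAD` (which carries no body) is not reported as a false outlier.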

The `/circle/one/` endpoint will return a [PDF file](https://github.com/m3ssap0/CTF-Writeups/raw/master/b01lers%20CTF%202020/Space%20Noodles/http_web.ctf.b01lers.com_1003_circle_one.pdf).

```  
OPTIONS /circle/one/ HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Length: 0

HTTP/1.0 200 OK  
Content-Length: 3322704  
Content-Type: application/pdf  
Last-Modified: Tue, 10 Mar 2020 20:13:28 GMT  
Cache-Control: public, max-age=43200  
Expires: Sun, 15 Mar 2020 02:03:47 GMT  
ETag: "1583871208.0-3322704-1012733123"  
Server: Werkzeug/1.0.0 Python/3.7.7  
Date: Sat, 14 Mar 2020 14:03:47 GMT

%PDF-1.3  
```

The PDF says: `Put Your Best Food Forward With HEINZ KETCHUP`. At this point I
had no idea what to do next.

Two different answers can be obtained on the `/two/` endpoint with the `PUT`
and `CONNECT` HTTP verbs.

```  
PUT /two/ HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Length: 0

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 15  
Server: Werkzeug/1.0.0 Python/3.7.6  
Date: Sat, 14 Mar 2020 10:55:40 GMT

Put the dots???  
```

The `CONNECT /two/` request will return a PNG image.

```  
CONNECT /two/ HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Length: 0

HTTP/1.0 200 OK  
Content-Length: 67798  
Content-Type: image/png  
Last-Modified: Tue, 10 Mar 2020 20:13:28 GMT  
Cache-Control: public, max-age=43200  
Expires: Sat, 14 Mar 2020 22:56:58 GMT  
ETag: "1583871208.0-67798-3337817112"  
Server: Werkzeug/1.0.0 Python/3.7.6  
Date: Sat, 14 Mar 2020 10:56:58 GMT

PNG  
```

![two.png](https://github.com/m3ssap0/CTF-Writeups/raw/master/b01lers%20CTF%202020/Space%20Noodles/two.png)

The image contains the string `up_on_noodles_`, which is part of the flag.

The `/square/` endpoint will return a PNG image with a crossword puzzle.

```  
DELETE /square/ HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Length: 0

HTTP/1.0 200 OK  
Content-Length: 211123  
Content-Type: image/png  
Last-Modified: Tue, 10 Mar 2020 20:13:28 GMT  
Cache-Control: public, max-age=43200  
Expires: Sat, 14 Mar 2020 23:12:50 GMT  
ETag: "1583871208.0-211123-3343453223"  
Server: Werkzeug/1.0.0 Python/3.7.6  
Date: Sat, 14 Mar 2020 11:12:50 GMT

PNG  
```

![square.png](https://github.com/m3ssap0/CTF-Writeups/raw/master/b01lers%20CTF%202020/Space%20Noodles/square.png)

The solution is the following.

```  
E  
S  
I  
R  
P  
E R  
C E  
A T  
E P N  
TASTES  
L A U  
D U L  
E A  
R C  
A O  
A  
N  
```

The `/com/seaerch/` endpoint will return the following webpage.

```  
GET /com/seaerch/ HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Length: 0

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 94  
Server: Werkzeug/1.0.0 Python/3.7.7  
Date: Sat, 14 Mar 2020 15:02:41 GMT

<htlm>

,,,,,,,,,<search> <\-- comment for search --!>:

ERROR search=null</end>

</html>  
```

At this point, you have to guess that an `application/x-www-form-urlencoded`
parameter must be used to perform the search operation.

```  
GET /com/seaerch/ HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Length: 10  
Content-Type: application/x-www-form-urlencoded

search=foo

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 142  
Server: Werkzeug/1.0.0 Python/3.7.7  
Date: Sat, 14 Mar 2020 20:02:46 GMT

<htlm>

,,,,,,,,,<search> <\-- comment for search --!>:

<query> foo is not a good search, please use this one instead: 'flag' <try>

</html>  
```

Using the `flag` value will give you another part of the flag.

```  
GET /com/seaerch/ HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
Comment: foo  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Length: 11  
Content-Type: application/x-www-form-urlencoded

search=flag

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 126  
Server: Werkzeug/1.0.0 Python/3.7.7  
Date: Sat, 14 Mar 2020 20:03:13 GMT

<htlm>

,,,,,,,,,<search> <\-- comment for search --!>:

<query> good search</query>  
results:

_good_in_s

:w

</html>  
```

The `/vim/quit/` endpoint will tell you to use a query parameter.

```  
TRACE /vim/quit/ HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: session=0  
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 109  
Server: Werkzeug/1.0.0 Python/3.7.7  
Date: Sat, 14 Mar 2020 19:27:54 GMT

<hteeemel<body>>

<wrong>uh oh  
?exit=null  
</wrong>

```

Passing a random value reveals that a *vim* command must be used.

```  
TRACE /vim/quit/?exit=foo HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 104  
Server: Werkzeug/1.0.0 Python/3.7.7  
Date: Sat, 14 Mar 2020 19:28:49 GMT

<hteeemel<body>>

<erroror>

E492: Not an editor command: foo

  
</errorror>  
</flag>

```

Considering that the name of the parameter is `exit`, you have to discover
that `:wq` is the correct value to use.

```  
TRACE /vim/quit/?exit=:wq HTTP/1.1  
Host: web.ctf.b01lers.com:1003  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK  
Content-Type: text/html; charset=utf-8  
Content-Length: 102  
Server: Werkzeug/1.0.0 Python/3.7.7  
Date: Sat, 14 Mar 2020 19:30:59 GMT

<hteeemel<body>>

<flag> well done wait </flag>  
<text> this one/> <flag>pace_too}</flag>

```

Putting everything together will give you the following.

```  
1    2               3       4           5
     up_on_noodles_  tastes  _good_in_s  pace_too}
```

At this point you can easily guess the first part of the flag (the one related
to the PDF).

```  
pctf{ketchup_on_noodles_tastes_good_in_space_too}  
```

Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/b01lers%20CTF%202020/Space%20Noodles/README.md).