Statement:
Just as the sweet smell of coffee began to fill Le Procope, a woman interrupted the calm of the cozy room. Straight out of the 18th century, Olympe de Gouge bursts in and rushes to your table.
You!" she exclaimed.
- Me?" you reply.
- Yes, you, take this letter urgently to Anne-Catherine Helvétius.
- To whom? What’s it about?
- I can’t explain now, but the contents of this letter could change the course of history, so don’t waste any time."
And before you could question her further, she walked through the door and out of the coffee shop.
In utter bewilderment, you begin to peruse the letter…
The website is fairly quick to analyze, and contains the following home page :
The home page contains the following redirect link :
https://ddfc.challenges.404ctf.fr/ddfc?expiry=-5625891076&signature=wawF6dC4Hz9g5NyCc3j1KCDcfztFE/sp
Modifying the URL parameters produces the following errors :
- Expired link
- Invalid signature
- Missing signature or expiry
Analyzing the URL, I notice the following points:
- The expiry parameter corresponds to the date below :
date -d @-5625891076
Wed. Sept. 21, 1791 12:38:05 LMT
- The signature parameter which seems to be base64 encoded
I spent many hours trying to find a method of hash collision between the expiry and signature values, but given my poor knowledge of cryptography, I changed my approach.
So I decided to concentrate on GET parameters and try to exploit an HTTP Parameter Pollution vulnerability.
I add the expiry parameter a second time in the GET request to observe the behavior :
https://ddfc.challenges.404ctf.fr/ddfc?expiry=-5625891076&signature=wawF6dC4Hz9g5NyCc3j1KCDcfztFE/sp&expiry=
The website responds with the Missing signature or expiry error message when it should respond with Expired Link if the parameter was not interpreted.
In view of the site’s response, this method seems to be fallible.
I add now an unexpired timestamp to the second expiry value :
https://ddfc.challenges.404ctf.fr/ddfc?expiry=-5625891076&signature=wawF6dC4Hz9g5NyCc3j1KCDcfztFE/sp&expiry=5625891076
I can now access the Declaration of the Rights of Woman and of the Citizen.
Flag: 404CTF{l4_p011uti0n_c_3st_m41}