CTF Writeup

March 14, 2019

The Dev Ops Fail Analysis Cranberry Pi terminal challenge

📍 Sparkle Redberry is on the 2nd floor: go left from the stairs and you will find him on your left.

Hi, I’m Sparkle Redberry!

Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo.

I mean, I may have uploaded something sensitive earlier, but it’s no big deal. I overwrote it!

Care to check my Cranberry Pi terminal and prove me right?

1- Use the ls command to list all files and directories:

ls -la

2- Change into the kcconfmgmt directory and list all files and directories again:

cd kcconfmgmt
ls -la

Now we can see the .git folder, so the directory is a git repository with history we can inspect.

3- Use git log to view the commit history:

git log

The log shows two commits by Sparkle Redberry; the later one claims to have removed credentials from config.js:

commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b

Per @tcoalbox admonishment, removed username/password from config.js, default settings in config.js.def need to be updated before use

commit 68405b8a6dcaed07c20927cee1fb6d6c59b62cc3

Add initial server config

4- Use git diff against the earlier commit to see what changed, in particular in config.js:

git diff 68405b8a6dcaed07c20927cee1fb6d6c59b62cc3

The removed (-) and added (+) lines reveal the original credentials, which are still recoverable from history even though the current file no longer contains them:

- 'url' : 'mongodb://sredberry:twinkletwinkletwinkle@<host>:10073/node-api'

+ 'url' : 'mongodb://username:password@<host>:27017/node-api'

(The host portion of both lines was mangled by e-mail obfuscation when the page was captured; <host> stands in for it.)

The MongoDB standard connection string format is:

mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]

So the MongoDB password is: twinkletwinkletwinkle
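The two ideas in steps 4 and 5, reading credentials out of a connection string and noticing that a "removed" line in a diff is still a live leak, can be put into a small scanner. The following is an added Python example written for this write-up; it is not part of the original post or of the challenge. The diff text it scans is constructed to match the shape of the git diff output above, and the host name in it (db.example.invalid) is a placeholder, not the challenge's value.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in the shape of `git diff <old-commit>` output for
# config.js. The host is a placeholder; it is not the challenge's value.
SAMPLE_DIFF = """\
diff --git a/config.js b/config.js
--- a/config.js
+++ b/config.js
@@ -1,3 +1,3 @@
 module.exports = {
-  'url' : 'mongodb://sredberry:twinkletwinkletwinkle@db.example.invalid:10073/node-api'
+  'url' : 'mongodb://username:password@db.example.invalid:27017/node-api'
 };
"""

# A URI of any scheme whose authority section carries user:password@.
CRED_URI_RE = re.compile(r"[a-z][a-z0-9+.\-]*://[^\s'\"@]+:[^\s'\"@]+@[^\s'\"]+", re.I)


def parse_mongo_uri(uri):
    """Break a mongodb:// URI into the fields of the standard format:
    mongodb://[username:password@]host1[:port1][,hostN[:portN]][/[database][?options]]
    """
    parts = urlsplit(uri)
    if parts.scheme != "mongodb":
        raise ValueError("not a mongodb:// URI: %r" % uri)
    return {
        "username": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        # everything after the optional userinfo, split on the host-list comma
        "hosts": parts.netloc.rsplit("@", 1)[-1].split(","),
        "database": parts.path.lstrip("/") or None,
        "options": parts.query or None,
    }


def find_leaked_credentials(diff_text):
    """Scan unified-diff text for URIs that embed a password.

    Returns (kind, username, password) per hit, where kind is 'removed',
    'added' or 'context'. A 'removed' hit is the important one: deleting a
    secret in a later commit leaves it in the earlier commit, so it is still
    recoverable with git log / git diff, exactly as in the write-up.
    """
    findings = []
    for line in diff_text.splitlines():
        if line.startswith(("--- ", "+++ ", "diff ", "@@")):
            continue  # file headers and hunk markers, not content
        kind = {"-": "removed", "+": "added"}.get(line[:1], "context")
        for match in CRED_URI_RE.finditer(line):
            parts = urlsplit(match.group(0))
            findings.append((kind, parts.username, parts.password))
    return findings


def redact_uri(text):
    """Mask the password portion of any credentialed URI so the text can be
    pasted into a ticket or a log without re-leaking the secret."""
    return re.sub(r"(://[^/:@\s]+:)[^@\s]+@", r"\1***@", text)


if __name__ == "__main__":
    for kind, user, password in find_leaked_credentials(SAMPLE_DIFF):
        print("%-8s user=%s password=%s" % (kind, user, password))
    print(redact_uri(SAMPLE_DIFF))
```

Run against real history with `git log -p | python3 scanner.py`-style plumbing if you wire stdin in; the point of the `removed` classification is that a commit whose message says "removed username/password" still carries the secret one `git diff` away. The only fix that works is rotating the credential, not rewriting the file.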

5- Enter the answer twinkletwinkletwinkle into runtoanswer:

runtoanswer

Oh my golly gracious - Tangle was right? It was still in there? How embarrassing!

Well, if I can try to redeem myself a bit, let me tell you about another challenge you can help us with.

I wonder if Tangle Coalbox has taken a good look at his own employee import system.

It takes CSV files as imports. That certainly can expedite a process, but there’s danger to be had.

I’ll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.

I’m sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.


CSV Injection Talk

Somehow Brian Hostetler is giving a talk on CSV injection WHILE he’s giving a talk on Trufflehog. Whatta’ guy!

OWASP on CSV Injection: see the OWASP CSV Injection page.
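Sparkle's hint about the employee import system points at CSV injection, and the OWASP page referenced above lists the leading characters that make a spreadsheet treat a cell as a formula (=, +, -, @, tab, carriage return). The following is an added Python example, not code from the write-up, the challenge, or OWASP; it applies that character list on both the import side (flag suspicious cells in an uploaded file) and the export side (neutralize cells before writing CSV). The sample upload is constructed.

```python
import csv
import io

# Leading characters OWASP lists as formula triggers for CSV injection.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample of an employee-import upload; the third row carries a
# benign formula-shaped cell to show what the screen catches.
SAMPLE_UPLOAD = 'name,title\nAlabaster Snowball,Engineer\n"=1+1",Intern\n'


def is_formula_like(value):
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return str(value).startswith(FORMULA_TRIGGERS)


def screen_import(csv_text):
    """Parse an uploaded CSV and return (row, col, value) for every cell that
    begins with a formula trigger, so the importer can reject or quarantine
    the file before the data reaches a spreadsheet or a report."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


def sanitize_cell(value):
    """Neutralize a cell for export per the OWASP guidance: prefix a
    formula-triggering leading character with a single quote so the
    spreadsheet shows the text instead of evaluating it. Quoting and
    double-quote escaping are left to the CSV writer below.

    Trade-off: plain negative numbers such as "-5" also start with a trigger
    and get the prefix, which turns them into text in the spreadsheet."""
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def export_rows(rows):
    """Serialize rows to CSV text with every cell sanitized, quoted, and any
    embedded double quote doubled (the csv module does the last two)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    print("flagged on import:", screen_import(SAMPLE_UPLOAD))
    print(export_rows(list(csv.reader(io.StringIO(SAMPLE_UPLOAD)))))
```

Screening on import and sanitizing on export are complementary: the import screen stops hostile data from entering the system at all, while the export step protects whoever later opens a generated report in a spreadsheet, even if the data came in through another path.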