Snyk Fetch the Flag CTF 2023 writeup: Audiopolis

Thanks for playing Fetch with us! Congrats to the thousands of players who joined us for Fetch the Flag CTF. If you were at Snyk’s 2023 Fetch the Flag and are looking for the answer to the Audiopolis challenge, you’ve come to the right place. Let’s walk through the solution together!

Audiopolis presents the player with an interesting web app that claims to provide speech-to-text capability. Give it a .wav file and it will give you a transcript of that .wav file.

The player doesn’t know this immediately, but the transcript is printed to the page by echoing the text generated from the .wav file. So this web app is vulnerable to command injection if we can figure out how to give the app a special character as an input.

The text2wave program is a good way to generate payloads for this challenge. We can experiment to find a command injection by giving it the sleep test:

$ echo "hello, ampersand, sleep, one, zero" > payload && text2wave < payload > payload.mp4

This will stall the page for 10 seconds, proving command execution.

From here, it’s simply a matter of finding the right thing to say to locate and print out the flag:

$ echo "hello, ampersand, cat space flag period txt" > catflag && text2wave < catflag > catflag.mp4

Thanks for making Fetch happen!

A huge thank you to all the teams in Fetch the Flag 2023! It was great seeing all of you there and you can always find me on YouTube.

Here are the writeups for the other 2023 challenges. Dig in!

• Honey Baked Messages

• I Do Math

• Off the SETUID

• Protect The Environment

• Silent Cartographer

• Writeups from the community!