Byte Babies
JerseyCTF 2025: Time-of-Date
Mar 30, 2025 - me - writeup, webauthor: @wxrth
Challenge Info:
Category: Web
TL;DR:
This challenge looked like a harmless date formatting demo, but behind the scenes, it was vulnerable to unsanitized shell command injection. I injected ;cat /home/secureuser/app/flag.txt into the format parameter and retrieved the flag.
The Challenge (Solution):
The site presented a basic form of time formatting. The URL looked like this:
http://time-of-date.aws.jerseyctf.com/?format=%22%Y-%m-%d%22
Website response:
It displayed the current date, and nothing more. But the challenge title - “Time-of-Date” - and the hint:
“Never trust user input.”
…indicated the input might be handled insecurely.
Step 1: Just playing around:
First thing I did was try some random inputs, like:
http://time-of-date.aws.jerseyctf.com/?format=%Y123
The website responded with:
So %Y showed the year, and 123 just got added after it like normal text. That told me the input was being passed straight into the date command.
From the way it acted it was clear the server was running something like:
date +"<user_input>"
Which meant I could try adding other commands after it using ;.
Step 2: Chasing the Flag:
My first instinct right after was to read /flag.txt:
http://time-of-date.aws.jerseyctf.com/?format=;cat%20/flag.txt
The website responded with:
Well would you look at that I found some kind of path (I boxed it in red so it’s clear).
Since the error showed this path:
/home/secureuser/app/dist/index.js
I figured the app was running out of the /home/secureuser/app directory. So why not list what’s in there?
So I ran this:
http://time-of-date.aws.jerseyctf.com/?format=;ls%20/home/secureuser/app
The website responded with:
there it is. flag.txt just sitting there.
Step 3: LETS GRAB THE FLAG:
Next up, I went straight for the flag with:
http://time-of-date.aws.jerseyctf.com/?format=;cat%20/home/secureuser/app/flag.txt
The website responded with:
No date, no formatting just the flag printed right to the page. :)