---
# System prepended metadata

title: Voice Changer - UofTCTF 2024
tags: [ctf-writeup, web exploitation, UofTCTF 2024, RCE]

---

# Voice Changer - UofTCTF 2024

## Description
I made a cool app that changes your voice.

Author: Ido

https://uoftctf-voice-changer.chals.io/ 

## Solution
This challenge is a web app that records a voice clip and changes the pitch of the recording.

![Web challenge](https://raw.githubusercontent.com/n1mdacybersec/CTF-Write-Up-Collection/main/2024/UofTCTF/Web/Voice%20Changer/image1.png)

After the audio is submitted, the server runs an `ffmpeg` command that changes the pitch of the audio.

![ffmpeg command to change the audio](https://raw.githubusercontent.com/n1mdacybersec/CTF-Write-Up-Collection/main/2024/UofTCTF/Web/Voice%20Changer/image2.png)

Further investigation with Burp Suite shows that the pitch parameter is vulnerable to OS command injection: its value is placed into the shell command that runs `ffmpeg`.

![Intercept request on Burpsuite](https://raw.githubusercontent.com/n1mdacybersec/CTF-Write-Up-Collection/main/2024/UofTCTF/Web/Voice%20Changer/image3.png)

Let's list all files and directories in the current directory.

```
1$(ls)
```

![ls command injection](https://raw.githubusercontent.com/n1mdacybersec/CTF-Write-Up-Collection/main/2024/UofTCTF/Web/Voice%20Changer/image4.png)

The results show no sign of the flag file. Let's list all files and directories in the root directory.

```
1$(ls -a /)
```

![secret.txt might be the flag](https://raw.githubusercontent.com/n1mdacybersec/CTF-Write-Up-Collection/main/2024/UofTCTF/Web/Voice%20Changer/image5.png)

From the results of the `ls -a /` command, the `secret.txt` file is probably the flag we are looking for. To get the flag, run the following command.

```
1$(cat ../secret.txt)
```

![Flag](https://raw.githubusercontent.com/n1mdacybersec/CTF-Write-Up-Collection/main/2024/UofTCTF/Web/Voice%20Changer/flag.png)
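For comparison, here is the unsafe pattern behind this bug beside a hardened handler. This is an added example written for this writeup, not the challenge's source (which is not published here); the `asetrate`/`aresample` filter, the pitch bounds and the file names are assumptions.

```python
import re
import subprocess

# Assumed bounds for the pitch multiplier; the challenge's real limits are unknown.
PITCH_MIN, PITCH_MAX = 0.5, 2.0
SAMPLE_RATE = 44100
# Allow-list: one or two digits, optional fraction. Nothing a shell could expand.
_PITCH_RE = re.compile(r"[0-9]{1,2}(\.[0-9]{1,3})?")


def vulnerable_command(pitch: str, infile: str, outfile: str) -> str:
    """The unsafe pattern: untrusted input interpolated into a shell string.
    Whatever the shell expands inside `pitch` (e.g. $(...)) runs on the server."""
    return (f"ffmpeg -i {infile} -af asetrate={SAMPLE_RATE}*{pitch},"
            f"aresample={SAMPLE_RATE} {outfile}")


def parse_pitch(raw: str) -> float:
    """Validate the pitch against an allow-list and a numeric range."""
    if not _PITCH_RE.fullmatch(raw):
        raise ValueError("pitch must be a plain decimal number")
    value = float(raw)
    if not PITCH_MIN <= value <= PITCH_MAX:
        raise ValueError(f"pitch must be between {PITCH_MIN} and {PITCH_MAX}")
    return value


def is_valid_pitch(raw: str) -> bool:
    try:
        parse_pitch(raw)
        return True
    except ValueError:
        return False


def safe_argv(pitch: float, infile: str, outfile: str) -> list[str]:
    """Hardened form: an argv list (no shell) built from an already-numeric value."""
    rate = int(SAMPLE_RATE * pitch)  # assumed pitch-shift via resampling
    return ["ffmpeg", "-y", "-i", infile,
            "-af", f"asetrate={rate},aresample={SAMPLE_RATE}", outfile]


def change_pitch(raw_pitch: str, infile: str, outfile: str) -> list[str]:
    """Validate, then run ffmpeg with shell=False; returns the argv used."""
    argv = safe_argv(parse_pitch(raw_pitch), infile, outfile)
    subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Constructed inputs: a legitimate pitch and the writeup's injection payload.
    for raw in ("1.5", "1$(ls)"):
        print(raw, "->", "accepted" if is_valid_pitch(raw) else "rejected")
```

Rejecting the input before it reaches any command, and never passing a shell string at all, are independent layers: the argv form alone would already stop `$(...)` expansion, and the allow-list also keeps malformed values away from `ffmpeg`.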

## Flag
`uoftctf{Y0UR Pitch IS 70O H!9H}`