fdb-proxy challenge

A FoundationDB cluster sits behind a gate proxy. Find the flag.

The setup

An FDB cluster is fronted by gate — a biscuit-authenticating, tenant-chrooting proxy. You can talk to it only with a valid signed token, and the token decides which tenant's keyspace you see.

Click the button below to receive a fresh cluster file minted for tenant alice. The token has a short TTL; refresh whenever yours expires.

A flag is hidden somewhere in this cluster, in a tenant that is not alice. Through the gate you are chrooted to alice's slice of the keyspace. Your job is to read what you shouldn't be able to read.

Get your cluster file

Install the FoundationDB client

You need the FDB client library (libfdb_c) and the fdbcli binary, both at version 7.x (the gate currently supports 7.x only).

Linux (Debian / Ubuntu)

FDB_VERSION=7.4.0
curl -L -o /tmp/fdb-clients.deb \
  https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/foundationdb-clients_${FDB_VERSION}-1_amd64.deb
sudo dpkg -i /tmp/fdb-clients.deb

Linux (RPM-based) and other platforms

Download the matching foundationdb-clients package from the FoundationDB releases page (Linux .rpm, macOS .pkg, Windows .msi). Anything in the 7.x series works.

Verify the install

fdbcli --version
# FoundationDB CLI 7.4 (v7.4.0)

Use it

Save the downloaded file as alice.cluster, then point fdbcli at it:

fdbcli -C alice.cluster --exec "writemode on; set hello world"
fdbcli -C alice.cluster --exec "get hello"
#   `hello' is `world'

If your token expires (default 1 hour) you'll get an auth error on the next connect — just hit the button again for a fresh one.

Hints

• Read the gate sources and docs. Specifically the architecture notes under doc/architecture/ and the security notes under doc/security/.
• The proxy enforces a tenant prefix on user keys. What does it not enforce?
• Not every part of FDB's keyspace is "user keys".