Bashful

After it was made easier the challenge became too easy. In fact, to solve this task you only needed to download this git .pack file:

bashful.9447.plumbing/.git/objects/pack/pack-deff83d57714493c6d317394f3542da8e396f887.pack

and unpack it with:

git unpack-objects < pack-deff83d57714493c6d317394f3542da8e396f887.pack

and grab the flag:

git cat-file blob 2d28acf09fc4424f7e1701bd7c8a6df29e6c9fe1

9447{I_JUST_THINK_BITCOIN_WILL_DIE_OUT_SOON}

Coffee

Another pretty easy challenge was Coffee, which involved another web app built with Node.js and Express. It came down to basic NoSQL injection in the username and password fields, which are sent through the socket.io library. To know it was about NoSQL you should have spotted the /node_modules/ directory, where you could have seen a mongodb directory.

Exploit: http://pastebin.com/kJZyTuQB
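
Why the login described above is injectable, and the type check that closes it, as an added example (not the challenge's code and not the linked exploit). The matches() helper is a simplified stand-in for a MongoDB-style filter, and the handler names, user record and messages are all constructed for illustration.

```javascript
// Simplified stand-in for a MongoDB-style filter match (assumption: only
// equality and the $ne / $gt operators are modelled here).
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === "$ne") return doc[field] !== arg;
        if (op === "$gt") return doc[field] > arg;
        return false; // unmodelled operator: no match
      });
    }
    return doc[field] === cond;
  });
}

// Constructed sample record (plaintext password only to keep the sample short).
const users = [{ username: "admin", password: "s3cret-constructed" }];

// Vulnerable handler shape: fields from the socket.io message go straight
// into the query filter, so an object value is interpreted as an operator.
function loginVulnerable(msg) {
  return users.some((u) =>
    matches(u, { username: msg.username, password: msg.password }));
}

// Hardened: accept only plain strings before building the filter.
function loginHardened(msg) {
  const ok = msg !== null && typeof msg === "object" &&
    typeof msg.username === "string" && typeof msg.password === "string";
  if (!ok) return false;
  return users.some((u) =>
    matches(u, { username: msg.username, password: msg.password }));
}

// Constructed messages: socket.io carries JSON, so values keep their types
// (a field can arrive as an object, not only as a string).
const goodLogin = { username: "admin", password: "s3cret-constructed" };
const wrongPassword = { username: "admin", password: "guess" };
const operatorPayload = { username: { $ne: null }, password: { $ne: null } };

console.log("vulnerable, wrong password:", loginVulnerable(wrongPassword));
console.log("vulnerable, operator objects:", loginVulnerable(operatorPayload));
console.log("hardened, operator objects:", loginHardened(operatorPayload));
console.log("hardened, correct login:", loginHardened(goodLogin));
```

The same string-only check belongs on every field that ends up in a query filter, not just the login form.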

Razor4x