Back to the Pizza 2
Challenge

Dear Marty, If my calculations are correct, you will receive this letter immediately after you’ve placed an order at the pizza shop. I’m desperate for pizza. You know where I am, and remember: do not forget to think four-dimensionally in UTC! — Doc Emmett L. Brown
Application: https://pizzamario2025.mendixctf.com
Difficulty: Medium
Solution
Just one of those challenges…
When you need someone to spell out the solution.
In the order process you can set the delivery date. Set it to a date in the past (before 01/01/1970). This gives you a clue: "Do you expect us to use a DeLorean to deliver at Fri, 14 Nov 2025 4:43 PM?"
The Mario.DeliveryVehicle table contains a record for DeLorean DMC-12 with a “Secret” attribute, but we can't modify this record.
The Mario.Order entity is the only entity referencing DeliveryVehicle. Update one of your own orders to have the association Mario.Order_DeliveryVehicle set with the GUID of the DeLorean DeliveryVehicle. Now you have write access to the DeLorean DMC-12 record. Change the T_UE attribute to epoch: -2661177600000. That will give you access to the Secret attribute.

Vulnerability
This maps to TSU-02: Insecure entity access. When entity access rules are based on user-controlled attributes, the XPath constraint can be manipulated by the very user it is supposed to restrict, opening a path to data leakage, privilege escalation or validation bypasses.
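One way to audit a model for this pattern, as an added example that is not part of the original write-up or the challenge's code. The rule set is constructed: only the Mario.* names and T_UE come from the solution above, while the role name, the constraints and the write rights are assumptions. The checker flags every access rule whose XPath constraint uses an association or attribute that the same role may write.

```python
import re

# Constructed per-role entity access rules (assumed, not the real model).
RULES = [
    {"entity": "Mario.Order", "role": "Customer",
     "xpath": "[System.owner = '[%CurrentUser%]']",
     "write": {"DeliveryDate", "Mario.Order_DeliveryVehicle"}},
    {"entity": "Mario.DeliveryVehicle", "role": "Customer",
     "xpath": "[Mario.Order_DeliveryVehicle/Mario.Order/System.owner"
              " = '[%CurrentUser%]']",
     "write": {"T_UE"}},
    # Assumed rule that exposes the Secret attribute based on T_UE.
    {"entity": "Mario.DeliveryVehicle", "role": "Customer",
     "xpath": "[T_UE < 0]", "write": set()},
]

def user_controlled(rule, rules):
    """Members used in the rule's XPath that the same role may write."""
    entities = {r["entity"] for r in rules}
    writable = {(r["entity"], m) for r in rules
                if r["role"] == rule["role"] for m in r["write"]}
    assocs = {m for _, m in writable if "." in m}  # qualified association names
    expr = re.sub(r"'[^']*'", "", rule["xpath"])   # ignore string literals
    hits = []
    for path in re.findall(r"[A-Za-z_][\w.]*(?:/[A-Za-z_][\w.]*)*", expr):
        current = rule["entity"]
        for seg in path.split("/"):
            if seg in entities:
                current = seg                      # step onto another entity
            elif "." in seg:
                if seg in assocs:
                    hits.append(seg)               # writable association
            elif (current, seg) in writable:
                hits.append(f"{current}.{seg}")    # writable attribute
    return hits

def audit(rules):
    """Return (entity, offending members) for each rule the role can steer."""
    return [(r["entity"], h) for r in rules if (h := user_controlled(r, rules))]

# Hardened variant: the role can no longer write the members the rules rely on.
HARDENED = [dict(r, write=r["write"] - {"Mario.Order_DeliveryVehicle", "T_UE"})
            for r in RULES]

if __name__ == "__main__":
    for entity, members in audit(RULES):
        print(f"{entity}: constraint depends on user-writable {members}")
    print("hardened findings:", audit(HARDENED))
```
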
Flag
Everything is a remix.
CTF{GreatScott_-2717644800}