I have created what I believe to be the best website ever. Or maybe it’s just really boring. I don’t know.

After checking the source code of the page, I noticed the following comment:

Then, I decided to check log.txt file.

Now, we know the flag is in the database. After watching the web browser’s network traffic during the load of the index page, I found the following request:

Here is the response of the request.

This request makes an SQL query to retrieve the information. Let’s play with it a little bit.

It simply returns exactly 3 objects from the database using their ids. I tried to find some SQL Injection, but failed. Then, I started to analyze the working 3 object ids. They are 96-bits and log.txt only provided us the timestamp of the flag’s addition. The only thing that came in my mind was the ObjectIds.

An ObjectId is a 12 byte BSON type and it is in the following structure:

  • The first 4 bytes are the seconds since the unix epoch
  • The next 3 bytes are the machine identifier.
  • The next 2 bytes are the process id.
  • The last 3 bytes are the counter value.

Let’s calculate the first 4 bytes using the flag’s addition time Sat Mar 17 2018 16:24:17 GMT+0000 (UTC).

We can use this website to convert the timestamp to the hexadecimal. Our result is 5aad4131.

We will retrieve the machine id and process id from the known ObjectIds.

MachineID is e07e1e.

ProcessID is 001c.

Our counter value should be the last counter value + 1 which is fce6d5.

If we merge them all, our flag’s ObjectId is 5aad4131e07e1e001cfce6d5.

Let’s try to retrieve the flag using the ObjectId we found.

Here is the flag actf{0bj3ct_ids_ar3nt_s3cr3ts}.