Monday, September 23, 2013

CSAW CTF Quals: Web 200

Web 200- Nevernote

Upon visiting the IP given, we encounter a login page.  After making a user and messing around with the site for a while, we made a few discoveries. 
First, there were two major functions:
                Message sending between users
                Note keeping for user accounts

Each type had its own webpage, but displayed the information relatively the same way.  They also retrieved information in the same way: using a long hash of some kind

ex: OGYwH6NoIW8tFXlruRu5Byd%2BA33Wl7C8s%2BTyZ0yza983uclRUJJwGUU1xRm1AYxNsFxBJXN0eim7vXNC0BJBnLGooE%2F3K5HFZys35A90XFEYuGfMN0EMoJwMADyivk1h7Gi%2FnQINWjGTqfX0OpFU0wHQr9FeD2Bi%2F6p0USZ7Ync%3D

The two pages were viewmessage.php and editnote.php.

From what we could tell, the content of the message did not change the hash in any way.  From this we assumed that the hash was related to its index or similar. 

The next thought we had was to see if the messages and notes were stored in the same places.  After copying the hash from the first of my notes and pasting it into the messages, I was able to see a message I hadn't seen before and a list of notes that didn't belong to me.  So we continued following down that rabbit hole. After a couple iterations of doing the same thing, selecting from the new list of notes every time and moving the hash to messages, we managed to reach a note at:

The note was titled key and the body of the note said:

And there it was.



No comments:

Post a Comment