Sunday, September 22, 2013

CSAW CTF 2013 :: Web: Nevernote (200 points)

The question provided by the challenge:

http://128.238.66.214

from: Nevernote Admin <nevernoteadmin@nevernote.com>
to: challenger@ctf.isis.poly.edu
date: Thurs, Sep 19, 2013 at 3:05 PM
subject: Help

Friend,
Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there any way you can get into my account and save a copy of my notes? I know the system is super secure but if anybody can do it - it's you.
Thanks,
Nevernote Admin



The objective of the challenge is to obtain the note of the Nevernote Admin.

The link provided shows the Nevernote login page. There is a link to the registration page, where an account can be registered.


 
I tried logging in with both username and password blank and I got into Nevernote without having to register. (Apparently they accept a blank username and password for account creation, and someone had registered using that.)

Upon logging in, Nevernote shows all the notes and mails received.






Since the objective of this challenge is to obtain the note of the admin, I opened up one of the notes to take a look.



From the page where the note is shown, I noticed that there is an 'enc=' field. The 'enc=' field seems to be used to fetch the note and is useful for this challenge. I decided to test the field with ../ to see if it is vulnerable to a directory traversal attack.









 It does generate any error so I decided to try a few more.

and after a few tries...


It shows the admin note that contains the key for this challenge.

key{akjdsf98LolCats234lkas0!#@%23Ferrari134545!@#250saDucati9dfL$Jdc09234lkjasf}

Enter the key and flag captured. 200 points.
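The server-side check that stops this kind of 'enc=' traversal, as an added example (not code from the challenge or from this post). It assumes notes are stored as files in one directory per account; the function names, directory layout and sample values are constructed for the demo.

```python
import os
import tempfile

def resolve_note_unsafe(notes_root, user, enc):
    # Vulnerable pattern: the request value is joined into the path as-is,
    # so "../" segments in enc can walk out of the user's own directory.
    return os.path.normpath(os.path.join(notes_root, user, enc))

def resolve_note_safe(notes_root, user, enc):
    # Hardened pattern: canonicalise first, then require that the result
    # still lives under this user's directory. Returns None on rejection.
    user_dir = os.path.realpath(os.path.join(notes_root, user))
    candidate = os.path.realpath(os.path.join(user_dir, enc))
    if os.path.commonpath([user_dir, candidate]) != user_dir:
        return None
    if candidate == user_dir or not os.path.isfile(candidate):
        return None
    return candidate

def build_demo_tree():
    # Constructed layout for the demo: one directory of notes per account.
    root = tempfile.mkdtemp(prefix="notes_demo_")
    for user, name, body in [("guest", "note1.txt", "guest note"),
                             ("admin", "note1.txt", "admin note")]:
        os.makedirs(os.path.join(root, user), exist_ok=True)
        with open(os.path.join(root, user, name), "w") as fh:
            fh.write(body)
    return root

def demo():
    # Run constructed 'enc' values through both resolvers as user "guest".
    root = build_demo_tree()
    results = {}
    for enc in ["note1.txt", "../admin/note1.txt", "/etc/hostname", "..", "missing.txt"]:
        unsafe = resolve_note_unsafe(root, "guest", enc)
        safe = resolve_note_safe(root, "guest", enc)
        results[enc] = (unsafe, safe)
    return root, results

if __name__ == "__main__":
    root, results = demo()
    for enc, (unsafe, safe) in results.items():
        print(f"enc={enc!r:24} unsafe={os.path.relpath(unsafe, root)!r:26} "
              f"safe={'rejected' if safe is None else os.path.relpath(safe, root)}")
```

The unsafe resolver maps the second value to another account's note, while the hardened one returns a path only for the first value and rejects the rest.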

Once upon a time  ^-^,
whit3sn0w

