Rating:

# 6 of Hearts Write-Up

### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/6_of_Hearts).

For attribution, we would appreciate if you also include a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/6_of_Hearts)

-----

This challenge is on port 6868 of the target machine.

Visit the port, you will find yourself at a website named "Photos5u", which is a gallery presenting pictures of its users.

Examine closely the path of the pictures, you can find out that they follows the pattern of /files/[userID]/[fileID], where userID is the initial of the author, and fileID is an incrementing integer starting from 0.

For example, the "Architecture by Barry deVillneuve" picture has the path of /files/BD/0. According to all the authors displayed on the homepage, we have at least 3 users: "Barry deVillneuve" with userID BD, "Tanya Wallace" TW, and "Malcom Cooper" MC.

Now let's try registering a new user "YECHS YECHS".

![Registering new user](https://0x194.com/img/write-ups/Metasploit%20Community%20CTF%202020/6%20of%20Hearts/new_user.jpg)

OK! So it seems like there is another path storing text files /notes/[userID]/[fileID]. Let's find out what the known users have posted here.

Under /notes/MC/2, a note caught our attention.

> Weirdest thing happened today. I was in the "Photos5u" main office and there was this woman, I think she was one of the techies, and she was ranting about "Eye Doors" or something to the owner. Apparently, our middle names are a threat to the site?!?!?
>
> Honestly, with middle names like "Ulysses Denise Donnoly" you'd think she'd be happy about hers being in use. Actually now that I think about it, she's probably embaressed about her intials.

So it seems like there is another user with userID ?UDD?. It won't be too hard to bruteforce and find the userID.

At first we thought the middle name initial will be trimmed to a single character, *i.e.* ?U?, but another experiment with registration proved that we were wrong.

While bruteforcing, it's clever to examine the return status code of /notes/[userID]/0, since the 0th note is guaranteed to exist for any valid user.

With a little bit of Python, we found out that the userID is BUDDY, and that our flag is located at /files/BUDDY/2.

Let's calculate its checksum to submit.

console
\$ md5sum 2.jpg
628fd217328ae42080d697a65a39d8e1 2.jpg


Original writeup (https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/6_of_Hearts).