# 6 of Hearts Write-Up
### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/6_of_Hearts).
Copyright © 2020 Team 0x194. Some Rights Reserved.
This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)
For attribution, we would appreciate it if you also included a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/6_of_Hearts).
This challenge is on port `6868` of the target machine.
Visiting the port, you will find yourself at a website named "Photos5u", a gallery presenting pictures from its users.
If you examine the paths of the pictures closely, you will find that they follow the pattern `/files/[userID]/[fileID]`, where `userID` is the initials of the author and `fileID` is an incrementing integer starting from 0.
For example, the "Architecture by Barry deVillneuve" picture has the path `/files/BD/0`. Judging by the authors displayed on the homepage, there are at least 3 users: "Barry deVillneuve" with userID `BD`, "Tanya Wallace" with `TW`, and "Malcom Cooper" with `MC`.
Now let's try registering a new user "YECHS YECHS".
![Registering new user](https://0x194.com/img/write-ups/Metasploit%20Community%20CTF%202020/6%20of%20Hearts/new_user.jpg)
OK! So it seems like there is another path storing text files `/notes/[userID]/[fileID]`. Let's find out what the known users have posted here.
Under `/notes/MC/2`, a note caught our attention.
> Weirdest thing happened today. I was in the "Photos5u" main office and there was this woman, I think she was one of the techies, and she was ranting about "Eye Doors" or something to the owner. Apparently, our middle names are a threat to the site?!?!?
> Honestly, with middle names like "Ulysses Denise Donnoly" you'd think she'd be happy about hers being in use. Actually now that I think about it, she's probably embarrassed about her initials.
So it seems like there is another user with userID `?UDD?`. It won't be too hard to bruteforce and find the userID.
At first we thought the middle name initials would be trimmed to a single character, *i.e.* `?U?`, but another experiment with registration proved us wrong.
While bruteforcing, it's clever to examine the status code returned for `/notes/[userID]/0`, since the 0th note is guaranteed to exist for any valid user.
With a little bit of Python, we found out that the userID is `BUDDY`, and that our flag is located at `/files/BUDDY/2`.
Let's calculate its checksum to submit.
```
$ md5sum 2.jpg
```
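
From the site owner's side, the note-0 probing described above leaves a recognisable trail: one client requesting `/notes/[userID]/0` for many distinct userIDs and getting almost only misses. The detector below is an added example, not code from the original write-up or from the challenge; the log format, the `404` status for unknown users, the client addresses and the thresholds are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from itertools import product
from string import ascii_uppercase

# Assumed, simplified access-log format: <client> "<request line>" <status>
PROBE = re.compile(
    r'^(?P<ip>\S+) "GET /notes/(?P<uid>[A-Z]+)/0 HTTP/1\.1" (?P<status>\d{3})$'
)

def find_enumerators(lines, min_ids=20, min_miss_ratio=0.9):
    """Return {client: (distinct_user_ids, misses)} for clients that request
    note 0 of many distinct userIDs and mostly receive 404 (assumed miss code)."""
    seen = defaultdict(dict)  # client -> {userID: last status seen}
    for line in lines:
        m = PROBE.match(line)
        if m:
            seen[m["ip"]][m["uid"]] = int(m["status"])
    flagged = {}
    for ip, ids in seen.items():
        misses = sum(1 for status in ids.values() if status == 404)
        if len(ids) >= min_ids and misses / len(ids) >= min_miss_ratio:
            flagged[ip] = (len(ids), misses)
    return flagged

def sample_log():
    """Constructed log: one ordinary visitor, one client walking ?UDD?."""
    lines = [
        f'192.0.2.10 "GET /notes/{uid}/0 HTTP/1.1" 200'
        for uid in ("BD", "TW", "MC")
    ]
    # The ?UDD? pattern from the write-up leaves only 26 * 26 = 676 candidates.
    for first, last in product(ascii_uppercase, repeat=2):
        uid = f"{first}UDD{last}"
        status = 200 if uid == "BUDDY" else 404
        lines.append(f'198.51.100.7 "GET /notes/{uid}/0 HTTP/1.1" {status}')
    return lines

if __name__ == "__main__":
    for ip, (ids, misses) in find_enumerators(sample_log()).items():
        print(f"{ip}: probed {ids} userIDs, {misses} misses")
```

Detection only narrows the window; the underlying fix is a server-side ownership check on `/notes/` and `/files/` plus identifiers that are not derived from users' names.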