szymanski.ninja
About
CTF Writeups
Contact
pl|en

Securebug.se CTF Odin 2021: Objects

Objects

Category: Web Security

200 points

I love mango and i love db too.

Link: https://ch8.sbug.se/

Solution

At the beginning I’ve been greeted by this simple page.

hi

Then I found robots.txt.

robots

Below is the content of l0g.hacker and index.php~.

<?php

if ( $_GET['flag_id'] == $flagid ){ echo $flag; }
 

/*

u need to get the flag ID, and use this ids ;)

IDs:
5ceb45045c1fa2a0df9f3da7
5ceb749d5c1fa2a0df9f3da8
5ce2bf6c5c1fa2a0df9f3da9

i love mongo remember that.

*/
Mon May 27 2019 10:01:40 GMT+0800 (UTC)   Start service
Mon May 27 2019 13:24:45 GMT+0800 (UTC)   Start database
Sat May 20 2019 22:53:32 GMT+0800 (UTC)   Start Updated
Fri May 30 2019 12:46:59 GMT+0800 (UTC)   Flag Added Here

Ok, so it seems that every ID corresponds to database event. The one unknown is for Flag Added Here. So the job in this challenge is to calculate the ObjectID. I’ve achieved it with two steps.

  1. I didn’t understand how IDs are generated, so first of all I’ve installed pymongo and tried to generate the Object as below (the 2019, 5, 30, 4, 46, 59 is taken from the logs taking into account the time zone).

    import bson
import datetime
bson.ObjectId().from_datetime(datetime.datetime(2019, 5, 30, 4, 46, 59))
  2. Above gave me an ObjectID 5cef60430000000000000000. It seemed like something was missing here. By something I meant incrementation part. I took 5c1fa2a0df9f3da9 from the last timestamp. Incremented it by 1, which gave me 5c1fa2a0df9f3daa. Combined together with my ObjectID gave me 5cef60435c1fa2a0df9f3daa.

Going to https://ch8.sbug.se/index.php?flag_id=5cef60435c1fa2a0df9f3daa gave me the flag.

flag

Flag

FLAG{0bj3ct_Id$_!s_w0Nd3rFul}

Privacy Policy
luc © 2021