Level - Medium
Description:
Server - http://byuctf.xyz:40018/
Admin bot - http://byuctf.xyz:40019/
[notes.zip]The goal is to have the bot visit a page of your own to share the note with the flag with you. Since you know the note ID of the flag note ('0'*32), you can use an HTML page like solve.html, which will automatically fill out a form with the required information and submit it to localhost, which the admin bot has signed into.
The bug with the CSRF tokens is it checks for one, but it doesn't check who was given the token, nor does it revoke the tokens after a certain amount of time! This means you can just get a token of your own and use it, and the server will be none the wiser!
To do so, follow the steps below:
- Save
solve.htmland runpython3 -m http.serverin the local directory to have a web server running on port 8000 - Run ngrok by doing
ngrok http 8000- it will give you a unique subdomain in theForwardingfield. - Go to the website and create an account for
legoclones, and log into it. - Go to the admin bot and submit the subdomain given by ngrok +
/solve.html, likehttps://723b-128-187-116-14.ngrok-free.app/solve.html. - When the admin bot visits the page, the form will automatically be submitted and the flag note will be shared with
legoclones. - Back onto the main site, see your list of notes and the flag will show up!
Flag - byuctf{1_thought_th4t_w4s_pretty_cl3v3r}
This challenge should be a Docker container that runs the Flask server server.py on port 40018, and the admin bot portal admin_bot.js on port 40019. All the proper files are included in here. The command to build the docker container is (when located inside of this directory):
sudo docker build -t notes2 .
sudo docker network create -d bridge notes2The command to start the challenge is:
sudo docker run -p 40018:1337 -p 40019:1336 --detach --name notes2 --network notes2 notes2:latestThe command to stop the challenge is:
sudo docker stop notes2