Home HackyEaster 2023 Igor's Gory Passwordsafe
Writeup
Cancel

Igor's Gory Passwordsafe

Challenge

You found the following letter:

Hi Peter

Thanks again for your help in cryptography to make the passwordsafe secure. Now

  • The passwords of the user are stored in a irreversible way (bcrypt)
  • All passwords in the safe are encrypted by a strong symmetric key

Kind regards, Roy

Open the passwordsafe at at http://ch.hackyeaster.com:2312 to get your 🚩 flag.

Note: The service is restarted every hour at x:00.

Solution

website where we can create an account, then add passwords to our vault, en from there there is an option to copy, edit or delete the passwords in the vault

So we create an account. We cannot make one with the name igor, so probably we need to impersonate igor to get into his vault?

When we create a password, it gets id 12, I wonder why it starts there..

We find the code for copying a password, its a simple call to /get/<id> ..so let’s just try some other ids?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$(document).ready(function () {
    console.log("Application is running")

    $(".copypassword").click(function (obj) {
        if (obj.target.id.startsWith("copypassword_")) {
            id = obj.target.id.split("_")[1];
            $.get("/get/" + id, function (data, status) {
                if (status == "success") {
                    navigator.clipboard.writeText(data);
                }
            });
        }
    });

    $(document).ready(function(){
        setInterval(flashingEyes,1000);
     });
     function flashingEyes(){
        $("#eyes").fadeIn(400).delay(200).fadeOut(400);
     }

});

In the end, we find our flag when we try id 07 (by simply going to http://ch.hackyeaster.com:2312/get/07), we get the response he2023{1d0R_c4n_d3str0y_ur_Crypt0_3ff0rt}

The flag refers to Insecure direct object reference (IDOR)

(other id’s contain responses like SQLI_doesnt_help, verySecure, Well_not_the_flag, White_Rabbit_99)

ok, that was.. easier than I thought it was going to be ..was definitely overthinking this one for the longest time.

Flag

he2023{1d0R_c4n_d3str0y_ur_Crypt0_3ff0rt}