write-ups-challenges-2024-2025/peanutbutter-challenges/peanutbutter-extra-secret-post/SOLUTION.md

2024-11-25 21:31:56 +00:00
## Difficulty
??
## Category
Web
## How To Solve
When you try to access the page `/posts/ebddb7db-b20a-4e8f-b9e9-954e1c07ab83`, you see that you have no access to the blog post. The network tab in the Chrome DevTools shows that a GET request is made to the server that responds with an array of blog posts. This is the same request as is made on the homepage to show the list of blog posts (except for the hidden one). The fact that all the blog posts are also fetched on this page is quite strange. In fact, before showing any blog post content, the client first fetches all blog posts and checks whether the visited blog post id is contained in the fetched blog posts list.
When visiting other blog posts, another request is made to the server after the blog post id was successfully matched against the list of previously fetched blog posts. This second GET request obtains the actual blog post content (`<server>/posts/<blogpost-id>`). Notice however that the server doesn't check the id on this request, as it (stupidly) assumes that this already happened on the client. Simply executing this request with the given id should be sufficient to obtain the flag.
You can for example do this by right-clicking the request (as it occurs when viewing another blog post) in the Network tab of the DevTools. Then select "Copy as cURL", replace the other blog post id with the given blog post id, and perform the request, for example in your terminal.
```bash
> curl 'http://localhost:3000/posts/ebddb7db-b20a-4e8f-b9e9-954e1c07ab83' \
-H 'Accept: */*' \
-H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,nl;q=0.7' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'DNT: 1' \
-H 'Origin: <ORIGIN>' \
-H 'Pragma: no-cache' \
-H 'Referer: <REFERER>'
{"name":"The other, even more secret secret of peanut butter","id":"ebddb7db-b20a-4e8f-b9e9-954e1c07ab83","show":false,"list":false,"content":"IGCTF{Pe4nut_Butt3R_1s_n0t_made_froM_butTEr}"}%
```
## Flag
`IGCTF{Pe4nut_Butt3R_1s_n0t_made_froM_butTEr}`