## Difficulty

Medium

## Category

Web

## How to solve

The goal of this challenge is to see the photo uploaded by the administrator.

It should be clear, given the source code, that a photo is automatically uploaded as part of the challenge.

When analyzing the communication between the frontend and the backend through the DevTools, or by inspecting the source code, you can see that there is no check whether a user may like or un-like a private photo they do not have access to. The ability to like private photos of other users is not a risk by itself, but the like endpoint also returns the updated photo.

Liking the administrator's photo (which has id 1) will return the caption of the photo, containing the first flag.

The following curl command returns the flag in the response:

> [!NOTE]
> You will need to create an account to use the /like route.
> To use the command below, replace <YOUR_COOKIE> with your session cookie.

```bash
curl --cookie "connect.sid=<YOUR_COOKIE>" --request POST http://localhost:3000/api/photos/1/like
```
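As an added illustration (not the challenge's own source code): a minimal in-memory model of the like endpoint, first with the missing access check the writeup describes, then with the check added and the response trimmed to the like count so that nothing beyond what the caller may already see is returned. The photo records, user names and the sample caption are constructed for this example.

```javascript
// Constructed sample data: one private photo owned by "admin", one public photo.
const photos = new Map([
  [1, { id: 1, owner: "admin", private: true, caption: "FLAG{constructed-sample}", likes: new Set() }],
  [2, { id: 2, owner: "alice", private: false, caption: "beach day", likes: new Set() }],
]);

// Toggle the caller's like on a photo (shared by both variants below).
function toggleLike(photo, userId) {
  if (photo.likes.has(userId)) photo.likes.delete(userId);
  else photo.likes.add(userId);
}

// Vulnerable shape: any authenticated user can toggle a like on any photo id,
// and the response echoes the whole updated photo, caption included.
function likePhotoVulnerable(userId, photoId) {
  const photo = photos.get(photoId);
  if (!photo) return { status: 404 };
  toggleLike(photo, userId);
  return { status: 200, body: { ...photo, likes: photo.likes.size } };
}

// Authorization rule: public photos are visible to everyone, private ones only to their owner.
function canView(userId, photo) {
  return !photo.private || photo.owner === userId;
}

// Hardened shape: authorize before mutating, and return only the like count.
function likePhotoHardened(userId, photoId) {
  const photo = photos.get(photoId);
  // Same 404 for "missing" and "not yours", so private ids cannot be enumerated.
  if (!photo || !canView(userId, photo)) return { status: 404 };
  toggleLike(photo, userId);
  return { status: 200, body: { id: photo.id, likes: photo.likes.size } };
}
```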

## Flag

```
IGCTF{jUsT-a-sma11-data-l3ak}
```