Web [266 pts]
When we first visit the web page, we don't get much information about the server or client: no cookies, no hidden directories, nothing. Therefore, to work with what we have, we navigate through the tabs that are given.
Looking at the flag page, we see an arrangement that looks like a document used on a NoSQL database, like MongoDB.
The ObjectId is “not indexed at the moment”, but in the “Confinement” tab, it is indexed and all the information seems there and accessible.
Clicking on one of the links leads us to a page with the following URL pattern: /item/objectId:
In MongoDB, an ObjectId is 12 bytes built from three fields: a 4-byte timestamp (seconds since the Unix epoch), a 5-byte random value generated once per process, and a 3-byte incrementing counter.
Knowing this, we see that on the flag page we are only given the timestamp. There is a way to reconstruct the first part of an ObjectId from a timestamp alone. Using this link, we can turn the given timestamp into the leading bytes of an ObjectId.
We notice that the middle 5 bytes are the same across every object, so this must be the per-process random value shared by all objects the server created. Therefore, the last piece is to find the incremental counter to get a valid ObjectId for our flag.
We only need to do a small brute-force on the last byte, combining the ObjectId prefix calculated from the given timestamp with the same 5-byte value used for all objects.
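To make the structure concrete, here is an added example (not code from the writeup) that splits an ObjectId into its three fields, rebuilds one from known parts, and lists the IDs a single generator would have produced near an observed counter; the two sample IDs are constructed, not taken from the challenge. The defensive takeaway is the same one this challenge illustrates: an ObjectId is a predictable identifier, not a secret, so every /item/ lookup needs its own authorization check.

```python
from datetime import datetime, timezone

# Constructed sample IDs: same 5-byte process value, counters 0xa0 and 0xa1.
SAMPLE_A = "5f00000011223344550000a0"
SAMPLE_B = "5f00000011223344550000a1"


def parse_object_id(hex_id: str) -> dict:
    """Split a 24-hex-char ObjectId into timestamp, process value and counter."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be exactly 12 bytes")
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": ts,
        "time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "process_random": raw[4:9].hex(),   # identical for all IDs from one process
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def build_object_id(timestamp: int, process_random: str, counter: int) -> str:
    """Assemble an ObjectId from its three fields (the inverse of parse_object_id)."""
    if not 0 <= counter < (1 << 24):
        raise ValueError("counter must fit in 3 bytes")
    if len(bytes.fromhex(process_random)) != 5:
        raise ValueError("process value must be 5 bytes")
    return (timestamp.to_bytes(4, "big")
            + bytes.fromhex(process_random)
            + counter.to_bytes(3, "big")).hex()


def same_generator(id_a: str, id_b: str) -> bool:
    """True when both IDs carry the same 5-byte process value."""
    return parse_object_id(id_a)["process_random"] == parse_object_id(id_b)["process_random"]


def candidate_ids(known_id: str, timestamp: int, width: int = 16) -> list:
    """IDs the generator behind known_id would emit at `timestamp`
    with a counter within `width` of the observed one. This is the
    search space an attacker has; it shows why the ID alone must not
    gate access to a document."""
    fields = parse_object_id(known_id)
    lo = max(fields["counter"] - width, 0)
    hi = min(fields["counter"] + width, (1 << 24) - 1)
    return [build_object_id(timestamp, fields["process_random"], c)
            for c in range(lo, hi + 1)]
```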
Doing so, we are able to retrieve the first and second flag by following this process: