inodat writeup

Starting the challenge, the main page looks like this. Not very much info…

The first thing to do that came to my mind was to fuzz the app. After using some popular fuzzers like ffuf, gobuster, dirbuster I managed to find some endpoints.

http://34.107.26.201:30987/api/v1/index which shares us other two endpoints: base64e and base64d

Both pages output an error. Thinking there must be more to this, I thought about fuzzing for GET paramters and found that using the parameters “data” gets rid of the error. Shortly, given the endpoints name, I figured out that they just get some input through the data parameter and either encode or decode the data in base64, plaintext respectively.

Other endpoints I found are:

1. http://34.107.71.117:32214/api/v1/math
2. http://34.107.71.117:32214/security.txt
3. http://34.107.71.117:32214/test.txt
4. http://34.107.71.117:32214/c99.php

After checking all of them, the math one looked the most interesting, but also outputted an error so I started fuzzing again for GET parameters and found the “sum” one.

I thought that if I found the right payload, I would be able to execute some code using that parameter, but after many tries I still felt I’m missing some info. From the error, I learnt the app uses a Node.js backend and one result that made me think I’m on the good path was after I tried this payload(amongst many others).

At this point, I got very frustrated with this challenge so for three days I just went back and forth with it until I decided to try another fuzzing tool by chance and got the info I needed to figure out how to solve this challenge.

Aparently there were some endpoints that I completely missed somehow, but dirsearch came to my rescue. The important one here is “/public” and its contents.

I eventually found the source code of the app.

http://34.107.26.201:30116/public/ywuvduwifvbypsauigvcbdsa.js

This was the part that mattered to get the flag. From here I just did some research on Google to find the right payload to read the flag.

These were the commands I was able to execute and find the flag.

require(%27fs%27).readdirSync(%22./%22).join(%22%20%22)
require(%27fs%27).readdirSync(%27./secret_flag_folder_adsasdohi%27).join("%20")
require(%27fs%27).readFileSync(%27./secret_flag_folder_adsasdohi/flag.txt%27,%20%27utf8%27)

After the last command, the flag will be output.

As a final review, I’ll say that this challenge was really interesting for me as it taught me what it means to search throughly and use every resource and idea you get. It was a medium difficulty challenge on Cyber-Edu and I think it deserves this rank, because for me, as a begginner, it really posed a good challenge.