Difficulty:

Notes:

Rabbit Holes:

  • Flag submission did not work, so I searched around for another hour trying to find the flag somewhere on the system

Solution:

  1. Register a new account
  2. Use directory traversal on /avatars to dump the source code
    • index.js
    • avatarmaker.js
    • package.json
    • .env
  3. index.js contains hardcoded JWT secrets
  4. The admin user has a note containing the flag
  5. Use https://jwt.io/ to create a new token with username=admin signed with the recovered secret
  6. Fetch the admin's notes via /home using the crafted token
  7. Read the flag from the HTTP response

Flag:

Remediation: