from: Nevernote Admin < **email@example.com** >
date: Thurs, Sep 19, 2013 at 3:05 PM
Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there anyway you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - its you.
Login via SQL injection with username/password 'OR''='
Using the given hint that ‘Admin’ always checks links, setup a script (I used PHP) somewhere on a public-facing server to capture the superglobals, esp. $_REQUEST, $_GET, $_POST & $_FILES, before sending a message to the Admin’s email address via the system itself
One of these variables (challenge is no longer accessible at the point of this writeup to verify precisely which) contains the requesting URL, which you should be sufficiently curious to explore by clicking through (IIRC it’s of the form http://challenge-url/?enc=XXX)
The flag/key is found in the contents of that message at the link captured