CSAW CTF 2013: Web200 writeup

 Nevernote - 200 Points @ https://ctf.isis.poly.edu/challenges

from: Nevernote Admin < **nevernoteadmin@nevernote.com** >
to: challenger@ctf.isis.poly.edu
date: Thurs, Sep 19, 2013 at 3:05 PM
subject: Help

Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there anyway you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - its you.

Nevernote Admin


  1. Visit URL as instructed
  2. Login via SQL injection with username/password 'OR''='
  3. Using the given hint that ‘Admin’ always checks links, setup a script (I used PHP) somewhere on a public-facing server to capture the superglobals, esp. $_REQUEST, $_GET, $_POST & $_FILES, before sending a message to the Admin’s email address via the system itself
  4. One of these variables (challenge is no longer accessible at the point of this writeup to verify precisely which) contains the requesting URL, which you should be sufficiently curious to explore by clicking through (IIRC it’s of the form http://challenge-url/?enc=XXX)
  5. The flag/key is found in the contents of that message at the link captured
  6. Profit!

Now read this

How I gained access to Amazon EC2 servers from Github Search (adapted)

Github Search allows advanced filters that allow us to search for these private keys @ link. This looks for: private keys with a .pem extension “BEGIN RSA PRIVATE KEY” text that marks the beginning of a private key sorted by most... Continue →