At our software development company, one of the top developers left in anger. He told us that he had hidden a backdoor in our node.js server application – he thinks that we can't find it even if we try. I have attached the source code of our fileserver. After registration, you can log in, upload files and create access tokens for your files that others can use to retrieve them. He must have added some way to retrieve files without permission. And we don't have version control, so we can't just check his last commits. We have read the source code multiple times, but just can't figure out how he did it. Maybe he just lied? Can you help us and demonstrate how the backdoor works? We have uploaded a file to “/files/testuser/flag.txt” – please try to retrieve it.
Connect to https://wildwildweb.fluxfingers.net:1409/. Note that all your files will be purged every 5 minutes.
The source code was provided, and someone has already uploaded it here:
When reading the source code, it really seemed like nothing in it could be broken. But when I ran it, the HMAC it produced was always the same. After examining the file with a hex editor, it turned out that one of the letters was a Unicode character, so the HMAC was always the same.
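The check below is an added example for this writeup, not code from the challenge's fileserver. It shows how a reviewer can catch the kind of trick described above without a hex editor: it scans JavaScript source for code points outside printable ASCII and pairs every identifier containing such a character with the ASCII identifier it visually shadows. The `SAMPLE_SOURCE` string is constructed for the demonstration; the Cyrillic letter in `sеcret` (U+0435) is a hypothetical stand-in for whatever character the original source used, and the `secret`/`createHmac` names are assumptions, not the challenge's code.

```javascript
// Added example (not the challenge's code): detect non-ASCII characters and
// lookalike identifiers in JavaScript source. SAMPLE_SOURCE is constructed.
const SAMPLE_SOURCE = [
  "const secret = crypto.randomBytes(32);",
  "const s\u0435cret = 'fixed';   // constructed: second letter is Cyrillic U+0435",
  "const mac = crypto.createHmac('sha256', s\u0435cret);",
].join("\n");

// Report every code point outside printable ASCII (tabs allowed), with its
// line, column and U+ notation, iterating by code point rather than UTF-16 unit.
function findNonAscii(source) {
  const findings = [];
  source.split("\n").forEach((line, lineIdx) => {
    Array.from(line).forEach((ch, colIdx) => {
      const cp = ch.codePointAt(0);
      if (cp > 0x7e || (cp < 0x20 && cp !== 0x09)) {
        findings.push({
          line: lineIdx + 1,
          column: colIdx + 1,
          char: ch,
          codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
        });
      }
    });
  });
  return findings;
}

// Extract the unique identifiers the way a Unicode-aware JS parser would see them.
function identifiers(source) {
  const re = /[\p{L}_$][\p{L}\p{N}_$]*/gu;
  return [...new Set(source.match(re) || [])];
}

// Pair each identifier that contains non-ASCII letters with ASCII identifiers of
// the same length that differ only at those positions: the same name to a human
// reader, but a different binding to the engine.
function findLookalikes(source) {
  const ids = identifiers(source);
  const ascii = ids.filter((id) => /^[\x00-\x7f]*$/.test(id));
  const pairs = [];
  for (const id of ids) {
    const chars = Array.from(id);
    if (chars.every((c) => c.codePointAt(0) < 0x80)) continue;
    for (const cand of ascii) {
      const cc = Array.from(cand);
      if (cc.length !== chars.length) continue;
      const shadows = chars.every((c, i) => c === cc[i] || c.codePointAt(0) >= 0x80);
      if (shadows) pairs.push({ suspicious: id, shadows: cand });
    }
  }
  return pairs;
}

// Human-readable summary of both checks for one source file.
function report(source) {
  const lines = findNonAscii(source).map(
    (f) => `line ${f.line} col ${f.column}: ${f.codePoint} (${JSON.stringify(f.char)})`
  );
  for (const p of findLookalikes(source)) {
    lines.push(`identifier ${JSON.stringify(p.suspicious)} looks like ${JSON.stringify(p.shadows)}`);
  }
  return lines.join("\n");
}

console.log(report(SAMPLE_SOURCE));
```

Run under Node with `node scan.js`; in a real review, read each file from disk and feed it to `report`. The first check alone would already flag the byte that a plain-text read of the source hides, and the lookalike check explains why it matters: two identifiers that print identically but are distinct variables, so a key that appears to be random can in fact be a constant.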
By cutting the source code down, we can generate the signature for the requested flag:
So we simply access the file at the URL: files/testuser/flag.txt/HASH