Attacking MongoDB's ObjectID
Capture the Flag, more commonly known as CTF, is a sort of firing range for hackers where they can test their skills and pick up a few new tricks. I personally believe it's a great way to keep yourself sharp and eager to learn new things.
Recently I attended a CTF conducted by NIT Calicut. It was a fun CTF with almost all riddle-like challenges. In this post I'll describe how I solved one particular challenge from it.
What are these ID’s?
Category: Web
The challenge starts off with this link. We're given a few valid and deprecated IDs. After some Googling, I found out that they are MongoDB ObjectIDs, which MongoDB uses as document identifiers.
The page source gave nothing useful other than a comment implying that the _id should be used for some kind of auth.
First of all, the challenge doesn't need any sort of authentication, so the comment is a little misleading. There was a /log.html with some log data and timestamps; it had 'Added flag' as its fourth entry, and we had only 3 valid IDs. So it was clear that there was something to do with these timestamps.
MongoDB's documentation made it clear that an ObjectID could be reproduced by finding the exact 12 bytes.
The 12-byte ObjectId value consists of:
- a 4-byte timestamp value, representing the ObjectId’s creation, measured in seconds since the Unix epoch
- a 5-byte random value
- a 3-byte incrementing counter, initialized to a random value
In our case, the first 4 bytes could be reproduced, since we have the exact timestamp of the object's entry. I used this website to convert the timestamp of 'Added flag' to a Unix epoch value.
First 4 bytes -> 5eaaa5ff0000000000000000
Looking closely at the given valid IDs, the middle 5 bytes are the same on all three entries, i.e. 0464695443.
Timestamp + 5-byte random value -> 5eaaa5ff0464695443000000
The last 3 bytes are the incrementing counter. Checking the final bytes of the valid IDs, we can find a pattern:
5ea57c1f04646954437af2be
5ea705df04646954437af2bf
5ea7f4ef04646954437af2c1
The final bytes are be, bf and c1. The counter runs in hex, from a1 to af and then on to b1, and so on. So I was pretty sure that the next incremented value would be c2.
Final ID: 5eaaa5ff04646954437af2c2
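The decomposition and counter prediction described above, written out as an added example (this is not code from the original post). It parses the three valid IDs from the challenge into the documented timestamp / random / counter fields, rebuilds the predicted ID from the 'Added flag' epoch, and only predicts when every known ID shares the same 5-byte random field (i.e. came from the same process); the point for a defender is that an ObjectId is structured and predictable and must never double as an authentication token.

```python
# Added example, not from the original write-up: split MongoDB ObjectIds into
# their documented fields and reproduce the counter prediction from the post.
from datetime import datetime, timezone

# The three valid IDs given in the challenge.
VALID_IDS = [
    "5ea57c1f04646954437af2be",
    "5ea705df04646954437af2bf",
    "5ea7f4ef04646954437af2c1",
]

def parse_object_id(hex_id):
    """Split a 24-hex-digit ObjectId into timestamp, random and counter fields."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be exactly 12 bytes")
    ts = int.from_bytes(raw[0:4], "big")            # 4-byte creation time (s)
    return {
        "timestamp": ts,
        "created": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "random": raw[4:9].hex(),                   # 5-byte per-process value
        "counter": int.from_bytes(raw[9:12], "big"),  # 3-byte counter
    }

def build_object_id(timestamp, random_hex, counter):
    """Assemble an ObjectId from its three fields (inverse of parse_object_id)."""
    return (timestamp.to_bytes(4, "big") + bytes.fromhex(random_hex)
            + (counter & 0xFFFFFF).to_bytes(3, "big")).hex()

def predict_next_id(known_ids, target_timestamp):
    """Return the ObjectId a later insert by the same process would get, or None.

    Prediction is only meaningful when every known ID shares the same 5-byte
    random field (same process); the counter is then max(counter) + 1.
    """
    fields = [parse_object_id(i) for i in known_ids]
    randoms = {f["random"] for f in fields}
    if len(randoms) != 1:
        return None  # IDs came from different processes; counter not shared
    next_counter = max(f["counter"] for f in fields) + 1
    return build_object_id(target_timestamp, randoms.pop(), next_counter)

if __name__ == "__main__":
    for i in VALID_IDS:
        print(i, parse_object_id(i))
    # 0x5eaaa5ff is the 'Added flag' timestamp taken from the log page.
    print("predicted:", predict_next_id(VALID_IDS, 0x5EAAA5FF))
```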
So on sending a GET request to /?_id with that ID, we get a response with the flag.
ieee_nitc{53cRet_b3hInd_M0ng0}