Attacking MongoDB's ObjectID
Capture the Flag, more commonly known as CTF, is a sort of firing range for hackers where they can test their skills and pick up a few new tricks. I personally believe that it's a great way to keep yourself sharp and intrigued to learn new stuff.
Recently I attended a CTF conducted by NIT Calicut. It was a fun CTF with almost all riddle-like challenges. In this post I'll be describing how I solved a particular challenge from it.
What are these ID’s?
The challenge starts off with this link. We're given a few valid and deprecated IDs. On further Googling, I found out that they are MongoDB ObjectIDs, used to represent data in MongoDB.
The page source gave nothing useful other than a comment implying the
_id should be used for some kind of auth.
First of all, the challenge doesn't need any sort of authentication, so the comment is a little misleading. There was a
/log.html with some log data and timestamps. It had 'Added flag' as its fourth entry, and we had only 3 valid IDs. So it was clear that there was something to do with these timestamps.
MongoDB's documentation made it clear that the ObjectID could be reproduced by finding the exact 12 bytes.
The 12-byte ObjectId value consists of:
- a 4-byte timestamp value, representing the ObjectId’s creation, measured in seconds since the Unix epoch
- a 5-byte random value
- a 3-byte incrementing counter, initialized to a random value
In our case, the first 4 bytes could be reproduced since we have the exact timestamp of the object's entry. I used this website to convert the timestamp of 'Added flag' to epoch.
First 4 bytes ->
On looking closely at the given valid IDs, the middle 5 bytes are the same on all three entries, i.e.
Timestamp + 5-byte random value ->
The last 3 bytes are the incrementing counter. On checking the valid IDs' final bytes, we could find a pattern
c1. It follows a pattern from
af and changes to
b1. So I was pretty sure that the next incremented value would be
So on sending a GET request to
/?_id with the ID,
we get a response with the flag.
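The whole chain described above, from parsing the 12-byte layout to building the next _id from the log timestamp and the shared random bytes, as an added example that is not code from the post or the CTF. The three sample IDs, the log timestamp and the function names are constructed for illustration; the only defence it demonstrates is the obvious one, handing out a random token instead of _id.

```python
"""Added example (not the post's or the CTF's code): parse the 12-byte ObjectId
layout and show how little is left to guess once the creation time and the
per-process random part are known."""
import datetime as dt
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class ObjectId:
    timestamp: int   # 4 bytes: seconds since the Unix epoch
    random: bytes    # 5 bytes: random, but fixed for one mongod/driver process
    counter: int     # 3 bytes: incremented for every ObjectId the process mints

    @classmethod
    def parse(cls, hex_id: str) -> "ObjectId":
        raw = bytes.fromhex(hex_id)
        if len(raw) != 12:
            raise ValueError("an ObjectId is exactly 12 bytes")
        return cls(int.from_bytes(raw[:4], "big"), raw[4:9],
                   int.from_bytes(raw[9:], "big"))

    def hex(self) -> str:
        counter = self.counter & 0xFFFFFF          # 3-byte counter wraps around
        return (self.timestamp.to_bytes(4, "big") + self.random
                + counter.to_bytes(3, "big")).hex()

def log_time_to_epoch(stamp: str) -> int:
    """Turn a 'YYYY-MM-DD HH:MM:SS' log timestamp (assumed UTC) into epoch seconds."""
    when = dt.datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return int(when.replace(tzinfo=dt.timezone.utc).timestamp())

def predict_next(known_hex: list, created_at: int) -> str:
    """ObjectId the same process would mint at `created_at` right after the known
    ID with the highest counter. Refuses if the random parts differ (not one process)."""
    known = sorted((ObjectId.parse(h) for h in known_hex), key=lambda o: o.counter)
    if len({o.random for o in known}) != 1:
        raise ValueError("random parts differ: IDs were not minted by one process")
    newest = known[-1]
    return ObjectId(created_at, newest.random, newest.counter + 1).hex()

def mint_session_token() -> str:
    """What an app should hand out for auth instead of _id: 32 unguessable bytes."""
    return secrets.token_urlsafe(32)

# Constructed sample input (values made up for this example): three valid IDs
# from one process and the 'Added flag' log timestamp.
KNOWN_IDS = ["5f071660a1b2c3d4e51234af", "5f07169ca1b2c3d4e51234b0", "5f0716d8a1b2c3d4e51234b1"]
FLAG_ADDED_AT = log_time_to_epoch("2020-07-09 13:10:00")
```

With the sample data, `predict_next(KNOWN_IDS, FLAG_ADDED_AT)` yields the ID whose counter is one past the newest known one; if the real counter had been bumped by other inserts in between, the same function run over a small range of counters covers it.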