MozillaCTF Write-Up Kill the Kraken (200)

January 27, 2012

The description states

The kraken is an evil creature that needs to be put down.

So, we found that there is a user called kraken in Spark. Killing the kraken probably means deleting the account. How can we delete an account? Yes, we can generate the recovery token if we know the e-mail address. But well, we don’t that, do we?

Looking at the last challenge, we saw a URL for the user. In our case, the user was called “sqrtsben” and the link was /en-US/users/737172747362656E. We first thought that this might a be user ID of some sort stored in the database. But, looking again, we see that the ID has exactly double the length of our username. Having a idea of what the ASCII table looks like helps here – 0x73 is the number for “s”, 0x71 for “q” and so on. So, this is actually the username represented in hex.

Now that we know that, we can generate the correct user ID for the kraken, which is “6B72616B656E”. Opening the coresponding page shows us the e-mail address. The knowledge from the last challenge lets us generate the right token, so we can reset the password for the kraken and delete it. After deleting it, we get a message stating our flag.

Leave a Reply

Get Adobe Flash player