Earlier this week my buddy Aaron and I had the rare opportunity to seek revenge on the very Russian hackers responsible for *shudders* President Trump. Their challenge was presented in the form of a text file:
Despite the threat of harpsichord-wielding Russian women of “low growth”, we cloned their repository and booted up the rails server (Turns out you can just type “rails s”). Upon opening their app we were greeted with the threat of execution as well as our first clue…
But what was this “dbaf78yh3n3r2rfwfnd8andfh” and what protocol were we supposed to send to it? We decided, based on our previous experiences with Ruby, that perhaps the routes file was a good place to start. Using command+F we plugged in our mysterious string of random characters, which we figured must be a url.
Indeed it was a url pointing to another random string of characters (ncu3fn8u) in the systems controller. Perhaps in this controller file we would find the “proper protocol” to send to our url.
Reading the controller file we discovered that the proper protocol was a parameter with the key :secret and the value “nasdf82fe2”. Combining this information with the original url we were given, we were able to open the first gate. Here’s what the URL syntax looked like:
Turns out the rest of the systems controller file was essentially a step-by-step guide to unlocking the rest of the gates. However, there were several Russian tricks still to come. Here was our next puzzle:
We determined that the && session[:gates] >= 1 meant we could only complete this step after having opened the first gate. We knew that like the first step we would have to pass the string “centerfuge” to the :operation parameter, but we weren’t sure which syntax to use.
At first we tried using the /?operation=centerfuge syntax but that was no good. We decided that since the key :operation was included implicitly in the url, maybe we should just replace its value with centerfuge.
The next gate involved a get route as well as a post route.
We knew the password was Budapest but where was it supposed to go? The url associated with the “c34ew” was a post route. Therefore, we had to find a form. Searching for “sduf3” in the routes controller brought us to this URL:
And with that, we had opened all the gates!
…but our systems controller was out of hints and how in the world do you send a delete request? Looking in the routes file we found only one url which would accept a delete request.
Maybe our answer was hidden in the v1/folders controller?
The end was in sight! Their government secrets would soon be ours! Unfortunately, I fixated on the wrong details of this code and thought that somehow by setting session[:pin_tumbler] to “cryptology” it would send the mysterious delete request for me. After many unfruitful googles, I began to believe that perhaps the Russians had won. Luckily, Josh was able to point us to Postman. Postman is a tool that is able to send the sort of requests that we can’t send from our browsers. After finally sending the delete request to the specified url we found the files!
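To make the whole gate sequence concrete, here is an added plain-Ruby model of what the systems controller was doing, written for this post and not taken from the challenge repository. The route names, the :secret / :operation / password keys and the values nasdf82fe2, centerfuge and Budapest are the ones quoted above; the “/gate/:operation” prefix, the “/v1/folders” DELETE path and the file list are assumptions. It also builds (without sending) the DELETE request that Postman ended up sending for us, to show that the “can’t do it from the browser” problem is a limitation of the client, not a protection on the server.

```ruby
require "net/http"
require "uri"

# Added example (not the challenge repository's code): a plain-Ruby model of the
# gate sequence described in the post. Quoted values come from the post; the
# "/gate/:operation" prefix, the "/v1/folders" path and FILES are assumptions.
class GateApp
  SECRET    = "nasdf82fe2"
  OPERATION = "centerfuge"
  PASSWORD  = "Budapest"
  FILES     = ["poptart_cat.gif"]   # constructed stand-in for the "government secrets"

  # Rails-style route table: HTTP method, path pattern, action. The final
  # action only matches DELETE, which no address bar or HTML form can send.
  ROUTES = [
    ["GET",    "/dbaf78yh3n3r2rfwfnd8andfh", :gate_one],
    ["GET",    "/gate/:operation",           :gate_two],        # assumed prefix
    ["POST",   "/c34ew",                     :gate_three],
    ["DELETE", "/v1/folders",                :destroy_folders], # assumed path
  ]

  # Match a literal path against a pattern, filling :segment params the way
  # Rails does for "/gate/:operation". Returns nil when the route doesn't fit.
  def self.match(pattern, path)
    pat = pattern.split("/")
    got = path.split("/")
    return nil unless pat.length == got.length
    params = {}
    pat.zip(got).each do |p, g|
      if p.start_with?(":")
        params[p[1..].to_sym] = g
      elsif p != g
        return nil
      end
    end
    params
  end

  # Dispatch one request. `session` persists across calls, as a Rails session
  # cookie would; `params` are the query/form params. Returns [status, body].
  def call(method, path, params = {}, session = {})
    session[:gates] ||= 0
    ROUTES.each do |m, pattern, action|
      next unless m == method
      route_params = GateApp.match(pattern, path)
      next unless route_params
      return send(action, params.merge(route_params), session)
    end
    [404, "no route"]
  end

  private

  # Gate 1: a shared secret in the query string. Because the value lives in the
  # controller source, anyone with the repository can read it: obscurity, not auth.
  def gate_one(params, session)
    return [403, "execution"] unless params[:secret] == SECRET
    session[:gates] = [session[:gates], 1].max
    [200, "gate 1 open"]
  end

  # Gate 2: the post's "&& session[:gates] >= 1" check, with the operation taken
  # from the path segment rather than from "?operation=".
  def gate_two(params, session)
    return [403, "execution"] unless session[:gates] >= 1 && params[:operation] == OPERATION
    session[:gates] = [session[:gates], 2].max
    [200, "gate 2 open"]
  end

  # Gate 3: the password posted by the form at /sduf3 (form rendering omitted).
  def gate_three(params, session)
    return [403, "execution"] unless session[:gates] >= 2 && params[:password] == PASSWORD
    session[:gates] = [session[:gates], 3].max
    [200, "gate 3 open"]
  end

  # Final step: only reachable with all three gates open, and only via DELETE.
  def destroy_folders(_params, session)
    return [403, "execution"] unless session[:gates] >= 3
    [200, FILES.join(",")]
  end
end

# Building (not sending) the request the post needed Postman for. Any HTTP
# client can set the method; the server never checks who the client is.
# The URL is a placeholder, not the challenge's real host.
def delete_request_for(url)
  Net::HTTP::Delete.new(URI(url))
end

if __FILE__ == $0
  app = GateApp.new
  session = {}
  app.call("GET", "/dbaf78yh3n3r2rfwfnd8andfh", { secret: "nasdf82fe2" }, session)
  app.call("GET", "/gate/centerfuge", {}, session)
  app.call("POST", "/c34ew", { password: "Budapest" }, session)
  p app.call("DELETE", "/v1/folders", {}, session)
  p delete_request_for("http://localhost:3000/v1/folders").method
end
```

Run it with ruby and the last two lines print the file list and the string DELETE. Note how the ?operation=centerfuge attempt from the post lands on a 404 here as well: the route table only matches when the value sits in the path segment, which is exactly why replacing the segment worked and the query string didn’t.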
Turns out the Russians are way into flying poptart cats. Who knew…
In sum, if you know how to navigate a rails app and pass in a few secret parameters you can sometimes get your hands on some interesting stuff!