Magic Link 1

Challenge

Content preserved from the original writeup source. Minimal normalization was applied to fit platform format.

Solution

Original Writeup Content (Preserved)

Magic Link 1 (100) Writeup

Challenge: bluehens-magic-link.chals.io
Flag format: udctf{}

Summary

The challenge was solved through sensitive file exposure. The application publicly served its environment file at /.env, which contained a token value already in flag format.

Recon

  1. Loaded the homepage and identified a Flask app with a magic-link form posting to /login.
  2. Tested /login directly and observed metadata leakage in the JSON response (email, datetime, IP, uuid).
  3. Checked robots.txt and found disallowed endpoints:
    • /inbox
    • /dashboard
    • /.env

Endpoint Checks

  • /inbox returned 403 Forbidden.
  • /dashboard redirected to / when unauthenticated.
  • /.env was accessible and returned plaintext secrets.

Key Leak

Request:

curl -sS -i https://bluehens-magic-link.chals.io/.env

Response contained:

TEDDYS_EMAIL=teddy@udctf.com
TEDDYS_TOKEN=udctf{d0n7_h057_y0ur_3nv_f113}
ADMIN_EMAIL=admin@udctf.com
INBOX_URL=http://localhost:5050/inbox?token=${TEDDYS_TOKEN}

Flag

udctf{d0n7_h057_y0ur_3nv_f113}

Root Cause

The server exposed environment configuration at a web-accessible path. Environment files commonly contain credentials, tokens, and internal URLs, and should never be served by the web application.

Defensive Fixes

  1. Block access to dotfiles and sensitive filenames at the web server/proxy layer.
  2. Keep secrets in a proper secret manager and inject at runtime.
  3. Disable directory/file patterns such as .env from static serving.
  4. Add automated scanning for accidental secret exposure in deployments.
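The following is an added example, not code from the writeup or from the challenge itself. It shows fixes 1, 3 and 4 in plain Python using only the standard library: a naive static file app that serves anything under its document root (the pattern that leaked /.env here), a WSGI middleware that refuses every path containing a dotfile segment before the application sees it, and a small post-deploy check that flags a response body which looks like a leaked environment file. The class and function names, the temporary document root and the contents of the constructed .env are all assumptions made for this example; the token value is a placeholder, not the flag.

```python
"""Added example (not from the writeup): deny dotfiles at the serving layer and
detect an exposed environment file in a post-deploy check. Standard library only."""
import os
import re
import tempfile
from urllib.parse import unquote

# Any path segment that starts with a dot: /.env, /.git/config, /static/.htpasswd ...
DOTFILE_RE = re.compile(r"(^|/)\.[^/]")
# Dot-paths that must stay reachable (ACME challenges live under /.well-known/).
ALLOWED_DOT_PREFIXES = ("/.well-known/",)


def is_dotfile_path(path: str) -> bool:
    """True if the URL-decoded path has a dot-prefixed segment outside the allow-list."""
    decoded = unquote(path)  # also catches percent-encoded dots such as /%2eenv
    if decoded.startswith(ALLOWED_DOT_PREFIXES):
        return False
    return bool(DOTFILE_RE.search(decoded))


class DotfileGuard:
    """WSGI middleware: answer 404 for dotfile paths so the wrapped app never serves them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_dotfile_path(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        return self.app(environ, start_response)


class NaiveStatic:
    """Deliberately minimal static app: serves any regular file under root, .env included.
    This reproduces the weak pattern from the writeup; it is the 'before' of the fix."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def __call__(self, environ, start_response):
        rel = unquote(environ.get("PATH_INFO", "/")).lstrip("/")
        full = os.path.realpath(os.path.join(self.root, rel))
        # Traversal guard only; nothing here stops dotfiles from being served.
        if not full.startswith(self.root + os.sep) or not os.path.isfile(full):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        with open(full, "rb") as f:
            body = f.read()
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [body]


def call(app, path):
    """Invoke a WSGI app in-process (no network) and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body


ENV_LINE_RE = re.compile(r"^[A-Z][A-Z0-9_]*=", re.M)
SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY", re.I)


def looks_like_env_leak(status, body):
    """Post-deploy check: a 200 whose body is KEY=VALUE lines including a secret-like key."""
    if not status.startswith("200"):
        return False
    text = body.decode("utf-8", "replace")
    keys = [m.group(0)[:-1] for m in ENV_LINE_RE.finditer(text)]
    return len(keys) >= 2 and any(SECRET_KEY_RE.search(k) for k in keys)


def demo():
    """Build a throwaway docroot with a constructed .env and compare naive vs guarded serving."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, ".env"), "w") as f:  # constructed sample, placeholder token
        f.write("ADMIN_EMAIL=admin@example.test\nTEDDYS_TOKEN=placeholder-not-the-flag\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    naive = NaiveStatic(root)
    guarded = DotfileGuard(naive)
    return {
        "naive_env": call(naive, "/.env"),          # leaks: 200 with the secrets
        "guarded_env": call(guarded, "/.env"),      # blocked: 404
        "guarded_encoded": call(guarded, "/%2eenv"),  # encoded dot still blocked
        "guarded_index": call(guarded, "/index.html"),  # normal files unaffected
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status}  env_leak={looks_like_env_leak(status, body)}")
```

The guard belongs at the outermost layer (or, better, as an equivalent `location ~ /\.` deny rule in the reverse proxy in front of the app), so that no route or static handler added later can reopen the hole. `looks_like_env_leak` is the kind of assertion a deployment pipeline can run against its own staging host for a list of sensitive paths; it reports on structure (several `KEY=` lines with a secret-looking name) rather than on any particular value, so it does not need to know the secrets it is protecting.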