I really like to play CTFs (hacking games), because I always learn something new. But sometimes it's also fun to create a challenge yourself. A couple of days ago a nice NodeJS issue surfaced on my Twitter feed, and because I didn't have a lot of experience with NodeJS, I thought it would be a cool idea to learn more about it by creating a challenge around it.

At the time of writing this blog post, I still host the challenge on a disposable VM at http://46.101.185.27:3000/. The source code is available for download here. This website has a restricted area, /admin, that requires a password to log in.

The goal is to successfully gain access to the restricted area and find the secret_password. The source code contains a dummy password and keys, which are obviously different on the actual challenge server. But they are easily identifiable because they follow the same format, ALLES{...}. So you know when you got it.

If you stumble across this post at some point in the future, my VM is probably not running anymore, but you can just host it locally. Make sure you have NodeJS and npm installed. In case something changes in the future, I am running the following versions:

$ cd nodejs_chall
$ node -v
v4.2.4
$ npm -v
2.14.12
$ npm install   # install dependencies
$ npm start     # start server on http://127.0.0.1:3000

If you want to give it a try yourself, you should stop reading now!

If you already tried everything (ALLES!) but couldn't find the issue, read the follow-up article.