[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy
It was a nice CTF, and I got 2nd place with my team:
A picture taken while solving this challenge in the last 5 minutes of the CTF (we thought we had 1st place).
Let's walk through the web challenge Hot Proxy. Note that we did not solve it during the CTF; we were about a minute away. Let's start.
Note: there is no source code in the challenge attachment. I requested it from the author (@serWazito0), thanks to him; the challenge files are in ( ASCWG_2024_CTF ).
Note: the flag file on the server is called "flag_<RANDOM>.txt", so its name cannot be guessed and we have to get RCE.
From the title I know that there is an "SSRF" vulnerability in this challenge, and from the description we know that there is an internal application called "app1" with a route called "/secret", so our target is to reach that route.
My first try was to put the internal application's URL directly in the request line (the proxy-style absolute-URI form):
GET http://app1/secret HTTP/1.1
It works, in the sense that the proxy tries to fetch the URL: I got the error "Error fetching the URL."
During the CTF there was an announcement about brute forcing, so if we brute force the ports of this app we get a different response on port 9001, and now we have the source code.
After reviewing the code we found that:
- There is a SQL injection, and the DB is SQLite3.
- There is a filter we have to bypass, the function "contains_blacklist".
- The SQL command is executed in the SQLite shell prompt itself, in the function "cursors_execute".
So how can we use the SQL injection in SQLite3 to gain RCE and read the flag?
After asking Google we ended up with this screenshot:
After trying it we faced an issue we did not notice at the time (maybe it was 2 minutes before the CTF ended and focus was low), but we got another hint that we were in a shell. So what do we do when writing a line in a shell? Yes, press ENTER. But how can we do that now? With a URL-encoded newline, %0a, which ends the line in the shell prompt:
GET http://app1:9001/?username=flex';%0a.shell+cat+flag*%0a;select+' HTTP/1.1
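As an added illustration (not code from the challenge or the write-up): the ".shell" dot-command only exists in the sqlite3 command-line shell. The sqlite3 library has no such command and refuses a string carrying a second statement, and a parameterised query binds the whole input as one literal. The "users" table and the two lookup functions are assumptions standing in for the challenge code, whose schema is not in the write-up.

```python
import sqlite3

# Constructed stand-in for the challenge's user table; the real schema is an
# assumption, since it is not in the write-up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('flex', 'user')")
    conn.commit()
    return conn

def run_raw(conn, sql):
    """Hand a raw SQL string to the sqlite3 library (not the CLI shell).
    Returns ("rows", rows) or ("rejected", reason)."""
    try:
        return ("rows", conn.execute(sql).fetchall())
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Older Pythons raise sqlite3.Warning, newer ones ProgrammingError,
        # for "You can only execute one statement at a time."
        return ("rejected", str(exc))

def lookup_unsafe(conn, username):
    """String-built query (assumed shape of the vulnerable app). Even so,
    a dot-command means nothing to the library: the injected text is just
    a second statement, which the library rejects outright."""
    return run_raw(conn, f"SELECT role FROM users WHERE username = '{username}'")

def lookup_safe(conn, username):
    """Parameterised query: the whole input is bound as one string literal,
    so quotes, newlines and ';' inside it never reach the SQL parser."""
    return conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchall()

# The write-up's payload, decoded from its URL form.
PAYLOAD = "flex';\n.shell cat flag*\n;select '"

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, PAYLOAD))   # ('rejected', ...)
    print(lookup_safe(db, PAYLOAD))     # []
    print(lookup_safe(db, "flex"))      # [('user',)]
```

The difference that matters is the execution path: feeding user-controlled text to the sqlite3 shell prompt turns a SQL injection into command execution, while the library API cannot interpret dot-commands at all.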
Great efforts, thanks for the write-up.