web

Apollo 1337
Solved By : Nigamelastic and thewhiteh4t

- On viewing the page source we find something interesting:
```html
<script id="__NEXT_DATA__" type="application/json">
{
  "props": {"pageProps":{}},
  "page":"/",
  "query":{},
  "buildId":"QQvgkUHNyaIn68Led0yAi",
  "nextExport":true,
  "autoExport":true,
  "isFallback":false
}
</script>
```
- on performing a GET request with:
```json
{
  "GET":{
    "scheme":"https",
    "host":"space.sdc.tf",
    "filename":"/api/status",
    "remote":{
      "Address":"172.67.178.219:443"
    }
  }
}
```
- we get a response:
```json
{
  "status":"health",
  "longStatus":"Healthy. All routes are functioning properly.",
  "version":"1.0.0"
}
```
- just playing around, I see three endpoints:
```json
{
  "status":"health",
  "longStatus":"Healthy. All routes are functioning properly.",
  "version":"1.0.0",
  "routes":[
    {
      "path":"/status",
      "status":"healthy"
    },
    {
      "path":"/rocketLaunch",
      "status":"healthy"
    },
    {
      "path":"/fuel",
      "status":"healthy"
    }
  ]
}
```
- hitting the `/fuel` endpoint we get:
```json
[
  {
    "name":"west1 pump",
    "id":0
  },
  {
    "name":"east1 pump",
    "id":1
  },
  {
    "name":"south1 pump",
    "id":2
  },
  {
    "name":"north1 pump",
    "id":3
  },
  {
    "name":"west2 pump",
    "id":4
  },
  {
    "name":"lil pump",
    "id":5
  }
]
```
- hitting `/rocketLaunch` with a simple GET request we get:
```text
request body must be json
```
- but since we have to launch the rocket, we can assume that we need to POST something to the endpoint
- one of the first few things that come to mind is the `launch` keyword
- we know the endpoint expects a JSON body
- we first sent:
```json
{
  "launch":true
}
```
- we get the above response; let's specify a random rocket name, since we don't know the rocket name
- the endpoint tells us that triton is available
- now we need a launch time, but we don't know what format it expects, so we tried to make it tell us again
- after sending the time in the correct format we get this
- we can get a list of pumps and their IDs from the `/fuel` endpoint
- interesting, now it wants a token; we looked into the page source and did not find anything, so we started looking into the JS files of the web app, and there we found the token
- after sending the token we get our flag!
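The token turned up inside a client-side JavaScript chunk, which is the real finding of this challenge: anything a Next.js build emits under `/_next/static` is readable by every visitor. As an added example that is not part of the writeup or the challenge, the script below scans a constructed stand-in for a webpack chunk for string literals assigned to credential-like names or that look long and random, the kind of check worth running on a build before it is deployed. The bundle text, the variable names and the placeholder token value are all made up for the demo.

```javascript
// Added example, not code from the writeup or the challenge: scan a built
// client-side bundle for hard-coded secrets before it ships. Everything a
// Next.js build emits under /_next/static is readable by every visitor.

// Constructed stand-in for a webpack chunk; names and the token value are
// placeholders, not the challenge's real ones.
const SAMPLE_BUNDLE = `
(self.webpackChunk=self.webpackChunk||[]).push([[123],{
  9: function(e,t,n){ const apiBase="/api"; const launchToken="EXAMPLE_TOKEN_PLACEHOLDER_0123456789abcdef";
  async function launch(b){ return fetch(apiBase+"/rocketLaunch",{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify({...b,token:launchToken})}) }
  const theme="dark"; const version="1.0.0"; }
}]);`;

// Identifier fragments that usually hold credentials.
const SUSPECT_NAME = /(token|secret|api[_-]?key|password|passwd|auth)/i;

// `name = "value"`, `name: "value"` or `"name":"value"` with a value of at
// least 8 characters; group 2 is the quote character, group 3 the value.
const ASSIGNMENT = /["']?([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(["'`])([^"'`]{8,})\2/g;

// Shannon entropy in bits per character; random-looking tokens score high,
// while prose, paths and version strings score low.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns one finding per string literal that deserves a human look, flagged
// either by the name it is assigned to or by being long and random-looking.
function findSuspectedSecrets(bundleText, minEntropy = 3.5) {
  const findings = [];
  for (const m of bundleText.matchAll(ASSIGNMENT)) {
    const name = m[1];
    const value = m[3];
    const byName = SUSPECT_NAME.test(name);
    const byEntropy = value.length >= 20 && entropy(value) >= minEntropy;
    if (byName || byEntropy) {
      findings.push({ name, value, reason: byName ? 'suspicious name' : 'high entropy' });
    }
  }
  return findings;
}

for (const f of findSuspectedSecrets(SAMPLE_BUNDLE)) {
  console.log(`${f.reason}: ${f.name} = ${f.value}`);
}
```

On the sample the hit comes from the variable name; a token assigned to an innocuous name would still be caught by the entropy rule once it is 20 characters or longer, while short configuration strings such as a version number or a theme name are ignored. Whatever flags it, the remedy is the same: keep the token on the server, load it from the environment, and have the API compare it there instead of shipping it to the browser.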

GETS Request
Solved By : thewhiteh4t

- the challenge hints at memory issues
- we can enter an integer and the web app sends a reply
- there are a few checks which the web app makes:
```javascript
if(!req.query.n) {
  res.status(400).send('Missing required parameter n');
  return;
}
```
- so `n` cannot be blank
```javascript
const BUFFER_SIZE = 8;
if(req.query.n.length > BUFFER_SIZE) {
  res.status(400).send('Requested n too large!');
  return;
}
```
- so the max length of `n` is 8
- the web app does not check for duplicate parameters, so we can send another `n` along with the first
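The duplicate-parameter point is worth spelling out, because it is what makes the length check above miss. Express's query parser turns a repeated key into an array, so for `?n=1&n=123456789` the value of `req.query.n` is `['1', '123456789']` and `.length` is 2, which satisfies the `BUFFER_SIZE` check even though the second value is nine characters long. The following added example (not the challenge's own code) reproduces that parsing behaviour in a few lines, runs the checks exactly as shown above next to a hardened version over both a single and a repeated `n`, and shows why the hardened version insists on exactly one short digit string. The inputs are constructed for the demo.

```javascript
// Added example, not the challenge's own code: how a repeated query parameter
// gets past a length check that was written for a single string.

// Express turns `?n=1&n=2` into req.query.n = ['1', '2']; this tiny parser
// reproduces just that behaviour so the demo runs without Express.
function parseQuery(queryString) {
  const query = {};
  for (const pair of queryString.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const i = pair.indexOf('=');
    const key = decodeURIComponent(i < 0 ? pair : pair.slice(0, i));
    const value = i < 0 ? '' : decodeURIComponent(pair.slice(i + 1));
    if (Object.prototype.hasOwnProperty.call(query, key)) {
      query[key] = [].concat(query[key], value);   // repeated key -> array
    } else {
      query[key] = value;
    }
  }
  return query;
}

const BUFFER_SIZE = 8;

// The checks from the challenge, unchanged: `.length` is a character count
// only when n is a string; for an array it is the number of elements.
function originalCheck(query) {
  if (!query.n) return { status: 400, body: 'Missing required parameter n' };
  if (query.n.length > BUFFER_SIZE) return { status: 400, body: 'Requested n too large!' };
  return { status: 200, body: String(query.n) };   // what later code would receive
}

// Hardened version: exactly one value, a string, digits only, at most 8 long.
function hardenedCheck(query) {
  const n = query.n;
  if (typeof n !== 'string' || n === '') {
    return { status: 400, body: 'Parameter n must be supplied exactly once' };
  }
  if (!/^\d{1,8}$/.test(n)) {
    return { status: 400, body: 'Requested n too large!' };
  }
  return { status: 200, body: n };
}

// Constructed inputs: a single over-long n is rejected, but a repeated n
// sails through the original check because ['1', '123456789'].length is 2.
const single = parseQuery('?n=123456789');
const polluted = parseQuery('?n=1&n=123456789');
console.log(originalCheck(single));      // status 400
console.log(originalCheck(polluted));    // status 200, body '1,123456789' (11 chars)
console.log(hardenedCheck(polluted));    // status 400
```

The type check is the important line: once `n` is guaranteed to be a string, `.length` means what the original author assumed, and the digit-only pattern also rules out anything that is not an integer before it reaches the code that reads memory.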

Git Good
Solved By : thewhiteh4t

- robots.txt reveals an `admin` page and a `.git` directory
- I used a very useful tool which helps to dump the file contents of websites which use the Git version control system:
  https://github.com/internetwache/GitTools
- `.git` directory dumped:
- now we can use the extractor to get files from the dump
- I found 2 `users.db` files, both are sqlite3 databases; one contains bcrypt hashes and the other one contains md5 hashes
- I cracked the md5 hashes first because they take less time
- one valid credential found:
```text
aaron@cgau.sdc.tf : weakpassword
```
- login on `admin.html` and we get the flag
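Serving the `.git` directory is what made the dump possible, and listing it in robots.txt only made it easier to find. As an added example that is not part of the writeup or the challenge, here is a small Express-style middleware that refuses any request whose path contains a dot-prefixed segment such as `.git`, `.env` or `.htaccess`, including percent-encoded and traversal variants, together with fake request and response objects so it runs without a server. The paths in the demo are constructed.

```javascript
// Added example, not code from the writeup: refuse to serve dot-prefixed
// directories and files (.git, .env, .htaccess, ...) at the application layer.
// The web server or CDN in front should block these as well; this is the
// belt-and-braces check inside the app.

// Returns true when any path segment starts with '.', after percent-decoding.
// The exact segments '.' and '..' are traversal noise, not hidden names, but a
// hidden name anywhere in the path (even before a '..') is still refused.
function isHiddenPath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return true;                    // malformed %-encoding: refuse rather than guess
  }
  // Decode a second time so a double-encoded %252e cannot hide the dot; if the
  // second pass fails, the once-decoded value is kept.
  try { decoded = decodeURIComponent(decoded); } catch (e) { /* keep single-decoded */ }
  return decoded
    .replace(/\\/g, '/')            // treat backslashes as separators too
    .split('/')
    .some(seg => seg.startsWith('.') && seg !== '.' && seg !== '..');
}

// Express-style middleware: answer 404 rather than 403 so the response does
// not confirm that anything exists at that path.
function denyHiddenPaths(req, res, next) {
  if (isHiddenPath(req.path)) {
    res.status(404).end();
    return;
  }
  next();
}

// Minimal stand-ins for the Express req/res objects so the demo runs offline.
function simulate(path) {
  const req = { path };
  const res = {
    statusCode: 200,
    ended: false,
    status(code) { this.statusCode = code; return this; },
    end() { this.ended = true; },
  };
  let reachedHandler = false;
  denyHiddenPaths(req, res, () => { reachedHandler = true; });
  return { path, statusCode: res.statusCode, reachedHandler };
}

// Constructed paths: ordinary pages pass, hidden names are refused however
// they are encoded.
const CASES = [
  '/index.html',
  '/admin.html',
  '/api/status',
  '/.git/HEAD',
  '/%2Egit/config',
  '/%252egit/HEAD',
  '/static/../.git/objects/ab/cd',
  '/.env',
];
for (const c of CASES) console.log(simulate(c));
```

Note that `admin.html` is allowed: the dot is inside the name, not at the start of a segment, so legitimate files keep working. The middleware does nothing about robots.txt itself; that file is public by design, so paths like the admin page and the repository directory should simply not be listed there, and access to them should rest on authentication and server configuration rather than on a crawler's good manners.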