Blackhat - Saudi <Web> iFrame
https://cdn.discordapp.com/attachments/1013468109765619774/1311620022417883187/challenge-files-cfd101c8-3c00-4287-b7fb-9aa6bb9197bd.zip?ex=674ad656&is=674984d6&hm=3078bb6d31dc1a97711cf0e46ee35dd06ea26
After unzipping the compressed file, this is what you get:
We now know the flag comes from that C file, which has to be compiled into an executable.
As we can see, run.sh compiles flag.c with gcc and places the binary in the root of the machine, "/".
The Dockerfile performs all the steps needed to build the machine and, at the end, executes the run script for the flag. So our first clue is that we need RCE to get the flag.
Now our task is to find that RCE. Reviewing the source code for any possible way to get RCE, I found in the package.json file that the application uses a vulnerable version of the happy-dom library.
Googling that library for a CVE gives you tons of results for a new CVE from 2024.
Applying this to our CTF scenario requires a few modifications to suit how the requests are handled. Reviewing the index.js file:
Clearly the /api/scrape endpoint is what interests us here.
In this POST endpoint, the data is sent in JSON format. The key used to send the HTML content is html, and its value should be a string containing the HTML of a web page: the entire HTML content of the page, including the required tags, plus a meta tag with name and content attributes, since that tag is specifically what the endpoint needs to extract the description.
Example of a valid and an invalid POST request as per the code; with the help of ChatGPT you can get an example of accepted HTML to pass as the key's value.
We can inject our payload in the body tag. I tried to execute a single command, "ps":
As you can see: 1) the payload we execute is reflected in the server debugger; 2) we can observe and monitor the command being executed in the system's process list.
That means our RCE was executed successfully. Let's try to create a new file in the /tmp folder.
As we can see, the server receives the request and URL-encodes it, then passes it to system, which tries to execute it. Commands containing URL-encoded characters won't execute, but we can use IFS (the shell's Internal Field Separator) in place of spaces, which the shell handles fine; read below for more information about IFS.
Now we replace the spaces with $IFS:
Now it is time to exfiltrate data via the command injection. We are doing this blindly, so first we find the correct command and pipe it through sleep, using the delay to confirm the correct character at each offset.
Combining these commands, and big thanks to my colleague @Zeenbleed for creating this script to exfiltrate the data:
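As an added example that is not part of the original write-up or the challenge's index.js, here is a small request inspector a defender could run on /api/scrape bodies; it flags the exact tricks used above (IFS standing in for spaces, sleep-based blind probing, shell metacharacters) and decodes one layer of URL encoding first. The function names and the sample requests are my own constructed assumptions.

```javascript
// Added example (not the write-up's or the challenge's code): inspect one
// /api/scrape JSON body of the form { html: "..." } for the command-injection
// patterns described above. Indicator names and samples are constructed.

const INDICATORS = [
  // $IFS or ${IFS} used where a space would normally be
  { name: 'ifs-space-substitution', re: /\$\{?IFS\}?/ },
  // "sleep N" with the space either literal or replaced by $IFS
  { name: 'time-based-probe', re: /\bsleep(?:\s+|\$\{?IFS\}?)\d+/ },
  // $( ), backticks, && and || have no place inside page HTML
  { name: 'shell-metachar', re: /\$\(|`|&&|\|\|/ },
];

// The server URL-encodes the body before handing it to the shell, so a
// sender may pre-encode it; decode one layer so "%24IFS" is seen as "$IFS".
// Malformed escapes are left as-is instead of throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns which indicators fired for the given body; non-string html is
// treated as empty rather than crashing the check.
function inspectScrapeRequest(body) {
  const html = body && typeof body.html === 'string' ? body.html : '';
  const decoded = safeDecode(html);
  const hits = INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
  return { suspicious: hits.length > 0, hits };
}

// Constructed sample requests: a legitimate page, a plain probe using $IFS
// and sleep inside the body tag, and the same idea sent URL-encoded.
const SAMPLES = {
  benign: { html: '<html><head><meta name="description" content="Hello &amp; welcome"></head><body><p>hi</p></body></html>' },
  ifsProbe: { html: '<html><head><meta name="description" content="x"></head><body>$(sleep$IFS5)</body></html>' },
  encodedProbe: { html: '%3Cbody%3E%24%7BIFS%7Dsleep%24%7BIFS%7D3%3C%2Fbody%3E' },
};

for (const [label, body] of Object.entries(SAMPLES)) {
  console.log(label, inspectScrapeRequest(body));
}
```

Wiring this in as a check before the scrape handler runs, or as a log-review pass over captured request bodies, gives a simple alert on the IFS and sleep patterns without changing the endpoint's behaviour.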