Unicorn Networks
Description
Protection of the admin section needs to be more robust...
Writeup
There is an API to fetch other URLs: http://192.46.237.106:3000/api/getUrl?url=http://example.com. I tried a few random IPs, and this one resulted in an error: http://192.46.237.106:3000/api/getUrl?url=http://127.0.0.1
Then I tried to send a request to proxy.corp.local but found nothing, and was stuck here for a while. A few moments later, I noticed the package name and the version in the response, so I tried to google "axios 0.21.0 vuln". Look what I found: Requests that follow a redirect are not passing via the proxy #3369
There is an SSRF vuln in this version, so I created a simple proxy server:
I tried a few IPs and domains but found nothing, and was stuck again. Later on, I went back and checked the challenge description again: Protection of the admin section needs to be more robust...
So I tried: http://127.0.0.1/admin and to my surprise, I got access to the admin page:
<html>
<head>
  <title>System information</title>
</head>
<body>
  <h2>Get OS Information</h2>
  <button onclick="retrieveOSInfo();false;">Retrieve</button>
  <h2>Get service info</h2>
  <input type="text" id="serviceName" value="nginx">
  <button onclick="retrieveServiceInfo();false;">Retrieve</button>
  <h2>Output</h2>
  <textarea id="output"></textarea>
</body>
<script>
  function retrieveOSInfo() {
    fetch('/api/admin/os_info')
      .then(response => {
        if (response.status == 200) {
          return response.json();
        }
        throw Error('Server is unavailable');
      },
      failResponse => {
        printOutput('Server is unavailable');
      })
      .then(result => {
        printApiResult(result);
      },
      errorMsg => {
        printOutput(errorMsg);
      });
  }

  function retrieveServiceInfo() {
    fetch('/api/admin/service_info?name=' + encodeURIComponent(serviceName.value))
      .then(response => {
        if (response.status == 200) {
          return response.json();
        }
        throw Error('Server is unavailable');
      },
      failResponse => {
        printOutput('Server is unavailable');
      })
      .then(result => {
        printApiResult(result[0]);
      },
      errorMsg => {
        printOutput(errorMsg);
      });
  }

  function printApiResult(jsonObject) {
    result = '';
    for (const [key, value] of Object.entries(jsonObject)) {
      result += `${key}: ${value}\n`;
    }
    printOutput(result);
  }

  function printOutput(content) {
    output.value = content;
  }
</script>
</html>
There are two hidden API endpoints; I tried both, and here is the response for the service one:
I googled the keyword running":true,"startmode":"","pids" and realized that it's from a package called systeminformation. Let's do another round of searching: systeminformation vulnerability. I found these two links:
The POC is quite useful; we can do command injection via name[]=$(ls)
But I don't know how to do a reverse shell, so I used another way, maybe stupid but it works: https://stackoverflow.com/questions/15912924/how-to-send-file-contents-as-body-entity-using-curl
Got the flag in the end.