Can you alpha test out our newest note-taking website? (If you find anything, please report it to us using nc cha.hackpack.club 8702)
Also unrelatedly, our website admin is really fond of the wiki-world extension, he uses it all the time, even on his work computer.
I should probably get him to stop using it tho, it hasn't been approved by IT yet.
Author: Sohom (Sodium#8285)
NOTE: we recommend you try to develop an exploit locally using the provided source code before attempting the exploit on the challenge servers. Feel free to contact the admins if you have an exploit that works locally, but not on the challenge servers.
For this challenge, we have provided the source code, which can be downloaded at the following link:
The challenge source code shows that the admin bot browses with a custom web browser extension (the "wiki-world" extension mentioned in the description).
Reviewing the extension's source (shown in the image above), we found that it does not carry its settings inside the extension but reads its configuration from the page's window object, i.e. from window.config, which the note page itself never defines. That is exactly the situation DOM clobbering exploits: browsers expose elements that have an id (and, for some element types, a name) as named properties of window, so plain HTML injected into a note, with no script execution needed, can define window.config, and two elements sharing that id become an HTMLCollection whose named getter supplies the nested properties the extension reads. The technique is described in detail at the following URL:
Using it, we were able to replace window.config with attacker-controlled elements and so steer the behaviour of the extension.
The following payload can be used to exploit this vulnerability:
This payload overrides config.WIKI_REGEX, so that the pattern the extension searches the page for matches the flag instead of wiki links, and config.WIKIPEDIA_SERVER, so that the lookup carrying the match is sent to the attacker's server instead of Wikipedia.
Next, we return to the challenge web page and paste the payload into the note's text area, as shown in the image below:
We copy the resulting note URL and submit it to the admin bot, as shown in the following image:
After that, the flag shows up in the request log of our webhook server:
Do you like open-source and want to work on it? Please check out our new project and contribute to it: https://github.com/hackpackctf/pully
Author: Igibek
Discord: kigibek
We are given a GitHub repository with a GitHub Actions workflow. We can fork the repository and trigger the workflow by opening a pull request from our fork.
In the following build, we can see that the workflow echoes the flag, but this may not be the real flag: the workflow running on the challenge server may differ from the one in the public repository. At the bottom of the image, we can see that it runs the npm test command. Because the test suite comes from the pull request's own code, we can gain RCE on the runner by submitting a test script that contains a reverse shell.
To solve the challenge, we therefore need to gain RCE through such a pull request and then look for the flag under "/home/runner/work/*", the directory where the Actions runner checks out repositories.
First, we fork the GitHub repository.
Then, we modify our fork so that npm test executes our reverse shell.
After that, we open a pull request from our fork against the main repository, which triggers the workflow.
Now we have a reverse shell from the runner.
Now we run grep to search recursively for the keyword 'flag' under the runner's work directory (grep is the Unix tool for searching files for a pattern). The matching line contains the flag, as shown in the image below.