I participated in this CTF competition with Heroes Cyber Security (HCS), the cybersecurity community team from Institut Teknologi Sepuluh Nopember (ITS).
This write-up covers all Website Exploitation challenges. All of the challenges were tackled using black-box testing methods only, without any source code access or internal hints.
We managed to secure 2nd place out of 1322 teams.
Special thanks to @HyggeHacylon and @rootkids, who participated with me.
Also, thanks to Hack The Box for organizing this event.
Jinjacare is a web application designed to help citizens manage and access their COVID-19 vaccination records. The platform allows users to store their vaccination history and generate digital certificates. They've asked you to hunt for any potential security issues in their application and retrieve the flag stored in their site.
Jinja SSTI to RCE.
We are given a website where we can register an account.
After that, we tried the test payload {{7*7}} in the fullname field.
Checking our dashboard, there is a feature to download the certificate.
After downloading the certificate, we can see the payload works: the fullname is rendered as 49.
Then we used this payload to list the directory.
We see the flag and retrieve it.
Neovault is a trusted banking application that allows users to effortlessly transfer funds to one another and conveniently download their transaction history. We invite you to explore the application for any potential vulnerabilities and uncover the flag hidden within its depths.
IDOR.
We need to register to see the API endpoint.
After that, you will notice we have received a transfer transaction from the user neo_system.
By using this API endpoint, we could get the _id.
Then I found the v1 endpoint for downloading transaction history, like this.
We use the _id of the neo_system user to download its transaction history.
In that history there is a user named user_with_flag.
Using the /api/v2/auth/inquire?username= endpoint, we could obtain the _id of the user user_with_flag.
Then we send this request to obtain the transaction history of user_with_flag.
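The root cause of this chain is that the v1 history endpoint trusts a client-supplied _id and never compares it with the logged-in user. The following is an added example (not code from the write-up or from the challenge) showing that missing object-level authorization check next to a hardened version; the user ids, usernames and transactions are constructed for the example.

```javascript
// Added example, not from the write-up: the object-level authorization check
// a history-download endpoint needs so that a client-supplied _id cannot be
// used to read another account's data. All data below is constructed.
const users = {
  "id-neo": { _id: "id-neo", username: "neo_system" },
  "id-flag": { _id: "id-flag", username: "user_with_flag" },
  "id-me": { _id: "id-me", username: "tester" },
};

const transactions = [
  { from: "id-neo", to: "id-me", amount: 10 },
  { from: "id-neo", to: "id-flag", amount: 500 },
  { from: "id-flag", to: "id-neo", amount: 5 },
];

function historyFor(userId) {
  return transactions.filter((t) => t.from === userId || t.to === userId);
}

// Vulnerable shape (what an IDOR-prone v1 endpoint looks like): the target
// account comes from the request and is never compared with the session.
function downloadHistoryV1(session, requestedId) {
  if (!session || !session.userId) throw new Error("unauthenticated");
  return historyFor(requestedId);
}

// Hardened shape: authorization is decided from the authenticated subject.
// The requested id is only accepted when it matches the session's user.
function downloadHistoryV2(session, requestedId) {
  if (!session || !session.userId) throw new Error("unauthenticated");
  if (users[session.userId] === undefined) throw new Error("unknown user");
  if (requestedId !== session.userId) {
    // Same response as for a nonexistent id, so the check leaks nothing
    // about which _id values exist.
    throw new Error("not found");
  }
  return historyFor(session.userId);
}
```

A username-to-_id lookup such as the inquire endpoint is harmless on its own; it only becomes a problem when, as here, the _id it returns is accepted as the authorization decision for another user's data.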
Citismart is an innovative Smart City monitoring platform aimed at detecting anomalies in public sector operations. We invite you to explore the application for any potential vulnerabilities and uncover the hidden flag within its depths.
Hidden endpoint to SSRF.
We are given the login page of the website.
After that, we inspect the JavaScript file.
We make a request to the endpoint.
But we get a response like this.
This means we need to log in to use those endpoints.
The unusual part is a broken-authentication issue: even when our password is wrong, as long as the username contains the admin email, we still receive a JWT token.
At /api/dashboard/endpoints/ we see there are 4 endpoints.
After that we do a little scanning and find a CouchDB service on port 5984.
We make a request like this.
Then visit /api/dashboard/metrics/ to see the flag.
Speednet is an Internet Service Provider platform that enables users to purchase internet services. We invite you to participate in our bug bounty program to identify any potential vulnerabilities within the application and retrieve the flag hidden on the site. For your testing, we have provided additional email services. Please find the details below:
Email Site: http://IP:PORT/emails/
Email Address: test@email.htb
GraphQL alias abuse leading to account takeover.
We are given the email endpoint.
We tried to register an account with the email test@email.htb.
Then we inspect the queries at the GraphQL endpoint.
We find an interesting mutation named devForgotPassword.
Next, we use a small IDOR to leak the admin email for the password reset.
The admin email obtained is admin@speednet.htb.
We reset the password on the admin account.
Got the reset token.
Changed the password to hacked.
We log in, but unfortunately hit OTP verification.
After being stuck for a long time, I tried enabling OTP on the test@email.htb account, and the OTP is 4 digits, which is possible to brute-force.
But the bad news is that we can't brute-force it because the website rate-limits requests.
We got stuck again :joy:
Then we looked at this reference on GraphQL alias queries:
https://inigo.io/blog/defeating_controls_with_alias-based_query_batching
It shows that brute-forcing is possible by alias batching on the GraphQL endpoint.
Next, we request that the OTP be sent.
We build an automation script like this, which batches 1-499, 500-999, and so on.
We get the correct OTP.
Login as admin with the token.
Welcome to the Sattrack Bug Bounty Invitational for Authorized Users! Sattrack is a premier platform dedicated to monitoring satellite data, exclusively available to our selected authorized partners. We invite you to participate in our limited bug bounty program, aimed at identifying and addressing any security vulnerabilities within our application. Your contributions are invaluable in helping us maintain the integrity and security of our services.
You may use partner@rockyou.xyz:partn3r123 as valid credentials.
To ensure optimal site performance, we have established a dedicated support page at /report. Here, you can submit the URLs of any issues (non-security related) you encounter, and our admin team will promptly investigate and provide assistance.
Prototype Pollution XSS by JSON Escaping.
We are given the partner account, and we try logging in.
The interesting part is the /partner/share endpoint, which is likely exploitable since the hint is JSON escaping.
There is also an admin bot, so we are sure this is an XSS challenge.
The error message at login is the key to performing prototype pollution, combined with the /partner/share endpoint.
We build this payload.
The alert fires :fire:.
Send the URL payload like this to the admin bot.
Got the admin token.
Login with admin account.
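The two defects the challenge title names, prototype pollution and JSON escaping, are both server-side coding mistakes in JavaScript. The following is an added example (not code from the write-up or the challenge) showing a naive recursive merge that a JSON body can pollute through a "__proto__" key, the same merge hardened to refuse prototype keys, and a serialiser that escapes JSON safely for embedding inside a script element. The request body and sample values are constructed for this example.

```javascript
// Added example, not from the write-up: prototype pollution via a merged JSON
// body, its fix, and HTML-safe JSON embedding.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: JSON.parse('{"__proto__": {...}}') yields an OWN property named
// __proto__, while target["__proto__"] resolves to Object.prototype, so the
// recursion below writes attacker-chosen keys into every object's prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip prototype keys and only recurse into values that are the
// target's OWN plain objects, never something reached via its prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON inlined into HTML: JSON.stringify alone leaves "</script>" inside a
// string intact, which closes the script element early. Escape the characters
// that matter to the HTML parser and the two JS line terminators that are
// legal in JSON strings but break older JS parsers.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Demonstration on a constructed request body; returns what each merge did.
function demo() {
  const body = JSON.parse('{"displayName": "p", "__proto__": {"isAdmin": true}}');
  naiveMerge({}, body);
  const pollutedByNaive = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution caused by the demo
  safeMerge({}, body);
  const pollutedBySafe = ({}).isAdmin === true;
  return { pollutedByNaive, pollutedBySafe };
}
```

The escaped output is still valid JSON, so the page-side JSON.parse recovers the original string; only the raw bytes the HTML parser sees have changed. Creating the merge target with Object.create(null), or validating the body against a schema before merging, removes the remaining ways a key name can reach a prototype.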