SANS Offensive CTF – Taskist:: 01–04


Summary:

This write-up outlines several vulnerabilities discovered within the application, including IDOR (Insecure Direct Object Reference), privilege escalation, SSRF (Server-Side Request Forgery), and unauthorized file access issues.

Taskist::01: IDOR Vulnerability in “/api/tasks/<ID>”

Description: The application has an Insecure Direct Object Reference vulnerability in the /api/tasks/64 endpoint, allowing unauthorized access to the admin’s task information.

Impact: Admin notes containing confidential information, including the flag, are exposed to unauthorized users.

Recommendation: Implement proper access controls and authorization mechanisms to restrict access to sensitive data based on user roles and permissions.

POC:

1. After logging into the application, view the page source (Ctrl+U) and observe the endpoints/paths.

2. Among these, only one endpoint is a potential IDOR candidate. Send the request to Intruder with the first 100 numbers as payloads and start the attack.

[Screenshot: Intruder]
[Screenshot: flag-1]

Taskist::02: Privilege Escalation via Update Password Feature

Description: The application allows changing the user_id parameter to an admin user’s user_id during the update password feature, leading to unauthorized privilege escalation.

Impact: Unauthorized users can change the admin’s password, compromising the admin account’s security.

Recommendation: Implement strict validation checks to ensure that only authorized users can update passwords, and enforce proper authentication mechanisms to prevent privilege escalation attacks.
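The two recommendations so far (Taskist::01 and Taskist::02) both come down to server-side authorization tied to the session. The following is an added example, not code from the challenge or the original write-up; the data, field names (`ownerId`, `new_password`), roles and status codes are assumptions chosen for illustration.

```javascript
// Constructed sample data: ids, owners and field names are assumptions.
const tasks = new Map([
  [12, { id: 12, ownerId: 7, note: 'user note' }],
  [64, { id: 64, ownerId: 1, note: 'admin note' }],
]);
const users = new Map([
  [1, { id: 1, role: 'admin', password: 'old-admin-secret' }],
  [7, { id: 7, role: 'user', password: 'old-user-secret' }],
]);

// Vulnerable shape: being logged in is the only check, so any id is readable.
function getTaskVulnerable(session, taskId) {
  if (!session) return { status: 401 };
  const task = tasks.get(Number(taskId));
  return task ? { status: 200, body: task } : { status: 404 };
}

// Hardened: the task must belong to the session user (or the caller is admin).
// Foreign and missing ids both return 404, so responses do not reveal which ids exist.
function getTask(session, taskId) {
  if (!session) return { status: 401 };
  const task = tasks.get(Number(taskId));
  const allowed = task && (task.ownerId === session.userId || session.role === 'admin');
  return allowed ? { status: 200, body: task } : { status: 404 };
}

// Hardened password update: the account to change comes from the server-side
// session. A client-supplied user_id naming another account is refused.
function updatePassword(session, body) {
  if (!session) return { status: 401 };
  if (body.user_id !== undefined && Number(body.user_id) !== session.userId) {
    return { status: 403 };
  }
  if (typeof body.new_password !== 'string' || body.new_password.length < 12) {
    return { status: 400 };
  }
  // Plain storage keeps the example short; a real handler stores a salted hash.
  users.get(session.userId).password = body.new_password;
  return { status: 200, changedUserId: session.userId };
}
```

Logging the 403 from `updatePassword` and repeated 404s for sequential task ids from one session gives defenders a signal for both issues.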

POC:

1. Navigate to the password reset functionality, intercept the request, and observe that “user_id” is being passed. Change the “user_id” value to the admin’s user_id.

[Screenshot: admin-password]
[Screenshot: Flag-2]

Taskist::03: SSRF Vulnerability leads to Unauthorized File Read Access

Description: By exploiting a vulnerability in the application’s handling of the proc/self/environ path, an attacker can gain unauthorized access to sensitive files, such as /app/index.js. The main code usually lies within app.js.

[Screenshot: flag-3]

Impact: Attackers can read sensitive application files containing configuration details or other critical information.

Recommendation: Implement proper input validation and sanitization to prevent directory traversal attacks, and restrict access to sensitive files to authorized users only.

POC:

1. After logging in as an admin, we can observe that there are `site configuration` settings along with import and export features.

2. Analyzing the source code of `site_config.js`, we can observe that the import feature checks that variables are not ‘undefined’.

3. After exploring the export functionality, we are able to download `site-config.json`. Looking at the variables in the JSON file, the first 2 variables are the same as the ones the import feature validates. Here we can conclude that this is where the vulnerability should be exploited.

4. Upload a dummy file, intercept the request, and replace the URL with a Burp Collaborator URL. We got a hit! SSRF confirmed.

5. We should look for sensitive files that disclose the endpoints of the server function. Analyzing the task list in the admin dashboard, we can say that 2 out of 3 are pending. This is a hint to the “/app” directory, which has not been accomplished by the admin.

6. Brute-forcing with common LFI payloads? No, we should look for sensitive endpoints; some sensitive endpoints are “/proc/*/*”.

[Screenshot: flag — 3]

Taskist::04: SSRF Vulnerability leads to chaining access to the root directory.

Description: The application’s file upload functionality is vulnerable to Server-Side Request Forgery (SSRF), allowing attackers to initiate requests to arbitrary URLs, including local files such as file:///.

Impact: Attackers can exploit this vulnerability to read sensitive files on the server, such as /root/flag.txt, leading to unauthorized disclosure of sensitive information.

Recommendation: Implement strict input validation and filtering mechanisms to prevent SSRF attacks, and restrict file upload functionality to trusted sources only.
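One way to apply this recommendation, and the input validation recommended for Taskist::03, to the import feature is sketched below. It is an added example, not the application's code or part of the original write-up; the `url` field name in the uploaded JSON and the allowed host `config.example.com` are assumptions.

```javascript
// Assumption: imports may only come from a fixed set of hosts (placeholder name).
const ALLOWED_HOSTS = new Set(['config.example.com']);

// The WHATWG URL parser has already normalised numeric forms such as
// https://2130706433/ to 127.0.0.1, so a dotted-quad test is enough for IPv4.
// IPv6 literals keep their brackets in url.hostname.
function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith('[');
}

function validateImportUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Only https is accepted, which rejects file:// (and every other scheme) outright.
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  // user@host forms are a common way to disguise the real target host.
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  if (isIpLiteral(url.hostname)) return { ok: false, reason: 'ip-literal' };
  // Exact match: suffix tricks like config.example.com.other.test do not pass.
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host' };
  return { ok: true, url: url.href };
}

// Validate the uploaded config before the server fetches anything.
// The "url" field name is hypothetical.
function checkImport(configText) {
  let config;
  try {
    config = JSON.parse(configText);
  } catch {
    return { ok: false, reason: 'json' };
  }
  if (!config || typeof config.url !== 'string') {
    return { ok: false, reason: 'missing-url' };
  }
  return validateImportUrl(config.url);
}
```

The fetch that follows a successful check should refuse redirects or re-run the validation on every hop, since an allowed host can otherwise redirect the server to an internal target.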

Note: Taskist-4 should have been deployed at the user level, so that a further chain would be needed to get flag{} at root level. Maybe it’s not a bug but a feature; who knows what kind of rabbit hole it might be misleading us into.

POC: (unintentional solution, by directly reading the root flag)

1. Send a request to “file:///etc/*” to check whether we are able to access the root files; we conclude that we are able to access the root directory files. Then send a request for “file:///root/flag.txt”.

[Screenshot: flag-4]
[Screenshot: Unintentional solution — Admin]

Authors: 0xPbdaniel1895

Thanks for reading!!!

Originally published by Prasanth Bodepu: SANS Offensive CTF – Taskist:: 01–04

Copyright notice: posted by admin on March 7, 2024 at 10:58 AM.