rosehacks@pwny$ cat armaxis.txt This was a "very easy" web challenge that I managed to solve during the HTB University CTF. It starts with exploiting a password reset feature with broken logic: by intercepting the reset request and swapping out our email, we can reset the admin's password. From there, we are able to make use of a command injection vulnerability and simply use curl to send the flag to a webhook. The intended path instead uses the command injection to include the contents of a local file in markdown img tags; the file contents get base64 encoded and stored on the admin's home page.
Account Creation
We have the ability to create accounts, so that was the first thing I did.
User -> Admin
When we first get the application, we have a few options available to us. We can login, register or reset passwords.
Since we don't have an account yet, I went ahead and created one for testing.
After logging in, there didn't seem to be much we could do from a user standpoint. I did notice some other endpoints in the code, but we weren't authorized to hit them. So, I figured we needed to escalate our privileges somehow.
Since we do get access to an email client, it seems obvious we need to exploit the password reset in some way.
Testing out the password reset, it seems interesting that it gives us the prompt directly after entering our email.
I put the code sent to the email and the new password where prompted. I then intercepted the request and noticed a hidden parameter, "email". Interesting!
Looking back at the code, I found an email for the administrator:
Replacing my email with the admin's, I was able to successfully reset their password and login.
Command Injection
From there, we get something new to poke at, the weapons dispatch:
This was the first way I solved this one.