
Hack_the_boo2023

Hackthebox - Hack the boo 2023 writeup


HauntMart

Category: web Rating: Easy

This challenge came with downloadable source. It is a web application that lets a user register, log in and add a product.

To get the flag we have to log in as admin.

There is a /addAdmin route, but it only accepts requests from localhost:

from flask import request  # Flask's incoming-request object; api, isFromLocalhost, makeUserAdmin and response come from the challenge's app

# Reachable only from 127.0.0.1 (enforced by the isFromLocalhost decorator);
# there is no other authentication on this route.
@api.route('/addAdmin', methods=['GET'])
@isFromLocalhost
def addAdmin():
    username = request.args.get('username')

    if not username:
        return response('Invalid username'), 400

    # Promotes the named user to admin.
    result = makeUserAdmin(username)

    if result:
        return response('User updated!')
    return response('Invalid username'), 400

I tried using X-Forwarded-For headers but it didn't work.

Looking closer at the code, there is a function that fetches a product manual from a user-supplied URL.

That is a server-side request forgery (SSRF): the server makes the request on our behalf, so we can point it at services that are only reachable from the server itself, such as the localhost-only /addAdmin route.

import requests

def downloadManual(url):
    # The only guard between the user's URL and the outgoing request.
    safeUrl = isSafeUrl(url)
    if safeUrl:
        try:
            local_filename = url.split("/")[-1]
            # Server-side fetch of an attacker-controlled URL (follows redirects by default).
            r = requests.get(url)

            with open(f"/opt/manualFiles/{local_filename}", "wb") as f:
                for chunk in r.iter_content(chunk_size=1024):
                    if chunk:
                        f.write(chunk)
            return True
        except:
            return False

    return False

There is also a weak attempt at filtering the URL:

blocked_host = ["127.0.0.1", "localhost", "0.0.0.0"]

def isSafeUrl(url):
    # Plain substring match on the raw URL string, not on the parsed or resolved host.
    for hosts in blocked_host:
        if hosts in url:
            return False

    return True

This is easy to bypass: the filter only checks whether one of three literal strings appears in the URL, so any other way of addressing the loopback interface passes. On Linux the whole 127.0.0.0/8 block is loopback, and the decimal, octal and hex spellings of 127.0.0.1, the IPv6 form [::1], and any DNS name that resolves to 127.0.0.1 are not matched either.

For me this one worked:

NOTE: the port the app listens on can be found in run.py. We have to make the server request /api/addAdmin so that our user becomes admin:

http://127.0.1.3:1337/api/addAdmin?username=test

Submitting that as the manual URL makes the server call /api/addAdmin from 127.0.0.1, so the user test becomes admin and we get the flag: HTB{A11_55RF_5C4rY_p4tch_3m_411!}
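The filter and the bypass above, side by side with a hardened check. This is an added example, not code from the challenge or from the original post: the challenge's isSafeUrl is reproduced unchanged for comparison, while is_safe_url_hardened, _resolve and _is_nonpublic are my own names, and the sample URLs are constructed. The hardened version parses the URL instead of string-matching it, restricts the scheme, resolves the host, and refuses anything that lands on a loopback, private, link-local, multicast, reserved or unspecified address, unwrapping IPv4-mapped IPv6 first.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# --- the challenge's check, reproduced from the writeup above --------------
blocked_host = ["127.0.0.1", "localhost", "0.0.0.0"]

def isSafeUrl(url):
    # Substring match on the raw URL: "127.0.1.3" contains none of the
    # blocked strings, so it is reported as safe.
    for hosts in blocked_host:
        if hosts in url:
            return False
    return True

# --- hardened replacement (added example, not the challenge's code) --------
ALLOWED_SCHEMES = {"http", "https"}

def _is_nonpublic(addr):
    """True for any address a server-side fetch should never reach: loopback
    (all of 127.0.0.0/8), RFC 1918, link-local (169.254.169.254 metadata),
    multicast, reserved, and 0.0.0.0 / ::.  IPv4-mapped IPv6 such as
    ::ffff:127.0.0.1 is unwrapped first so it cannot hide an IPv4 address."""
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def _resolve(host):
    """Every IP the host maps to.  IP literals never touch DNS; a name that
    does not resolve yields [] and the caller fails closed."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(info[4][0])
                for info in socket.getaddrinfo(host, None)]
    except (socket.gaierror, ValueError):
        return []

def is_safe_url_hardened(url):
    try:
        parts = urlsplit(url)
    except ValueError:                   # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                     # no file://, gopher://, ftp://
    host = parts.hostname                # lower-cased, IPv6 brackets stripped
    if not host:
        return False
    addrs = _resolve(host)
    if not addrs:
        return False                     # unresolvable: fail closed
    return not any(_is_nonpublic(a) for a in addrs)
```

Two caveats remain even with the hardened check. Validating the resolved address and then letting requests.get resolve the name again is a race (DNS rebinding); the robust fix is to connect to the IP you validated, or to send outbound fetches through an egress proxy that enforces the policy. And requests.get follows redirects by default, so a public host can answer 302 Location: http://127.0.0.1:1337/api/addAdmin; pass allow_redirects=False or re-validate every hop. More fundamentally, "the request came from localhost" is not authentication, and /addAdmin should require a credential that an SSRF cannot supply.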


Licensed under CC BY-NC-SA 4.0