
RTFM Hackerone CTF Writeup

https://www.ehsaanqazi.com/ctf/rtfm-hackerone-ctf-writeup
Published on December 14, 2021
Updated on January 14, 2022
Hint given: Wordlists will help you find something to do
Let's start with basic directory fuzzing on the /api/v1 endpoint and see what we find:
gobuster dir -w wordlist.txt -u http://35.227.24.107/89092085dd/api/v1
After the fuzzing completed we found the following endpoints:
/config
/secrets
/status
/user
A GET request to /config returns the first flag.
Hint given: If a GET doesn't do anything, try a different HTTP verb
A GET request to the /user endpoint returns:
X-Token header authentication missing
Adding an X-Token header with an arbitrary value returns:
Invalid Token
Changing the method to POST returns an error about a missing username and password, which shows that /user is a POST endpoint taking two parameters, username and password.
Sending the POST with a username and password returns the flag.
Hint given: Maybe you can edit your profile? But what fields can you change?
The response to the previous flag revealed a login endpoint. A POST to /api/v1/user/login with the username and password returns a token.
Editing a profile suggests a PUT request, but we need to know which fields can be updated. Using the token from the previous step in the X-Token header, a PUT request to /user gets a response, so the next step is to find the updatable field.
Brute-forcing field names gives a different response for avatar: it only accepts a URL.
After a number of tries it turned out that the avatar URL is fetched by the server, i.e. there is an SSRF. Setting the avatar to localhost/api/v1/secrets returned the flag.
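The avatar field above is a textbook SSRF sink: the API fetches whatever URL the user supplies, so a loopback URL reaches /api/v1/secrets, which is not otherwise exposed. The validator below is an added example of the check such an endpoint should run before fetching; it is not the CTF's code, and the function names, the allowed schemes and ports, and the policy of rejecting every non-global address are the editor's assumptions.

```python
"""Avatar-URL validation against SSRF (added example, not the CTF's code).

The RTFM API accepted any URL in the avatar field and fetched it server-side,
so http://localhost/api/v1/secrets reached an internal endpoint. The check
below rejects URLs whose host is loopback, private, link-local or otherwise
non-global, on every address the name resolves to. Names, allowed schemes
and ports are the editor's assumptions.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy: plain web fetches only
ALLOWED_PORTS = {80, 443}             # assumed policy: no internal service ports


def _is_public(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True only for globally routable unicast addresses."""
    mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    return addr.is_global and not addr.is_multicast


def _addresses_for(host: str) -> list[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """IP literal -> itself; hostname -> every address it resolves to."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []                         # unresolvable: nothing to trust
    # sockaddr[0] may carry a "%scope" suffix for link-local IPv6
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def validate_avatar_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok=False means: do not fetch this URL."""
    try:
        parts = urlsplit(url)
        port = parts.port                 # raises ValueError on a junk port
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback name"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addrs = _addresses_for(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:                    # one private record is enough to reject
        if not _is_public(addr):
            return False, f"non-public address {addr}"
    return True, "ok"
```

Two caveats a fetcher still has to handle: the address checked here must be the one actually connected to (re-validate inside the HTTP client, otherwise a name that rebinds between check and connect gets through), and every redirect hop needs the same check, since a public host can 302 to http://127.0.0.1/.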
Hint given: Sometimes developers hide extra features into a page... but how can you access it?
After fuzzing almost everything else without result, I went back to the parameters I had found and started fuzzing parameter names on /status. Filtering out the short default responses revealed one parameter, verbose:
ffuf -u 'http://34.94.3.143/4f6cd6f1ea/api/v1/status?FUZZ=demo' -w wordlist.txt -fs 1-20 -s
(-fs 1-20 drops every response whose body is 1 to 20 bytes, i.e. the unchanged default; -s prints only the matches.) Requesting /status with the verbose parameter set returned the flag.
Hint given: Have you read the new version of the API's documentation?
After a lot of fuzzing and brute-forcing under /api/v2, the flag turned up in the swagger.json file.
Hint given: How can you use the same session across multiple different instances and versions?
A GET request to /4466a43d24/api/v2/admin/user-list responds with "Your user level needs to be an admin", so we need admin access to get the list. We register a user via /user?=admin and get a token; sending that token with the request to the admin endpoint returns the flag, which is the session reuse across versions that the hint points at.
Hint given: Some features were never quite finished properly in some versions
Returning to /api/v1 and fuzzing again, the flag is at /api/v1/post/1.
Hint given: Take a close look at the returned headers from all of your endpoints, is there anything different about one of them? Maybe there's a second server somewhere? Possibly we can get access to things higher up...
A GET request to api/v1/post-analytics/ (with the trailing slash) returns a normal response, but without the slash, api/v1/post-analytics, it returns a redirect instead.
From there the directory can be traversed: stepping up with ..\ shows the public folder, and ..\private contains the flag.
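A common way a `..\` traversal like the one above arises is a check that looks for the literal ../ sequence and only afterwards folds backslashes into forward slashes. The snippet below is an added illustration of that pattern beside a check that normalises first and then verifies the resolved path is still under the document root; it is not the CTF's server code, and the root directory, the function names and the filter-then-normalise ordering are the editor's assumptions.

```python
"""Path-traversal filter bypass with "..\\" (added example, not the CTF's code).

resolve_unsafe() rejects the literal "../" and only then folds backslashes
into slashes, so "..\\private/flag.txt" passes the check and resolves outside
the root. resolve_safe() decodes and normalises first, then checks that the
normalised path is still under the root. Paths are pure posix strings so the
example runs identically on any OS; a real handler would additionally
realpath() the result to defeat symlinks. Root and names are assumptions.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote

ROOT = "/srv/api/public"          # assumed document root of the static handler


def resolve_unsafe(root: str, requested: str) -> str | None:
    """Vulnerable: filters before normalising."""
    if "../" in requested:
        return None                                 # naive traversal check
    requested = requested.replace("\\", "/")        # normalised too late
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_safe(root: str, requested: str) -> str | None:
    """Hardened: decode once, normalise, then verify containment."""
    decoded = unquote(requested).replace("\\", "/")  # fold separators first
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                                 # escaped the root
    return candidate
```

The containment test is done on the normalised string, not by looking for forbidden substrings, so encoded dots (%2e%2e), encoded backslashes (%5c) and absolute paths all collapse to the same decision. Decode exactly once, at the point where the raw request path is received; decoding again after the framework already has re-opens the %252e variant.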