82.196.12.132:12999
Opening this in the browser
We are presented with this page with nothing particular of interest.
After trying a couple of things I started bruteforcing endpoints.
Found /source containing the source code of the node app.
The endpoint /open takes the post parameter document_name and append it to
http://localhost:9000/documents/ + document_name
Opening this in the browser
We are presented with this page with nothing particular of interest.
After trying a couple of things I started bruteforcing endpoints.
Found /source containing the source code of the node app.
const express = require("express"); const config = require("./configs"); const body_parser = require('body-parser'); const http = require('http') const public_s = express(); const private_s = express(); const normalizeUrl = require('normalize-url'); public_s.use(body_parser.urlencoded({ extended: true })); public_s.get('/', function (request, result) { result.setHeader('GET', 'source') result.send("Hi, I'm a baby ssrf :)") result.end() }) public_s.get('/source', function(req, res) { res.sendFile(__filename) }) public_s.use(function (req, res, next) { var err = null; try { decodeURIComponent(req.path) } catch (e) { err = e; } if (err) { res.sendStatus(400).end() } next(); }); public_s.post('/open/', (request, result) => { document_name = request.body.document_name if (document_name === undefined) { result.end('bad') } console.log('http://localhost:9000/documents/' + document_name) if (document_name.indexOf('.') >= 0 || document_name.indexOf("2e") >= 0 || document_name.indexOf("┮") >= 0 || document_name.indexOf("E") >= 0 || document_name.indexOf("N") >= 0) { result.end('Please get your banana and leave!') } else { try { var go_url = normalizeUrl('http://localhost:9000/documents/' + document_name) } catch { var go_url = 'http://localhost:9000/documents/banana' } http.get(go_url, function (res) { res.setEncoding('utf8'); if (res.statusCode == 200) { res.on('data', function (chunk) { result.send(chunk) result.end() }); } else { result.end('Oops') } }).on('error', function (e) { console.log("Got error: " + e.message); }); } }) public_s.listen(8000) private_s.listen(9000) private_s.get('/documents/banana', function (request, result) { result.send("Here is your banana :D") result.end() }) private_s.get('/flag', function (request, result) { result.send(config.flag) result.end() })
The endpoint /open takes the post parameter document_name and append it to
http://localhost:9000/documents/ + document_name
To access /flag we need to go up a directory but the common symbols . and %2e are blocked.Even unicode bypasses were blocked.
After struggling to find a bypass for an hour it just hit my mind -
document_name.indexOf("2e") >= 0 ||
This is not case sensitive, 2e is blocked 2E isn't 🤦🤦🤦🤦
Took way more time than it should have
Win Big With the Best Casino Games in California - JTGHub
ReplyDeletePlay the best 양주 출장안마 casino games in CA. Win Big Online Games Today! The best 양산 출장샵 online 울산광역 출장마사지 casino for slots, table 바카라 games, blackjack, roulette 군산 출장안마 & more.