The Wax-Circle Reclaimed

Personal Rating: Medium

This web challenge again featured a web page with a guest login.

Logging in, you can see a simple analysis tool and also a banner that indicates missing permissions:

While the Access Denied banner indicates the permissions we should likely aim for, the analysis tool screamed "SSRF". We could call localhost, and given the output I also suspected a possible command injection, since curl might be used in the background.

I turned back to the relevant section in the code of the website to spot what might be the vulnerability here. This part in server.js looked interesting:

I inspected the JWT token in the browser, but it was signed, so I could not simply change the role in my cookie.

Back in the code, I found the part where the flag is shown.

Earlier in the code, a password is leaked.

To be honest, I did not expect this to work at first, but I just tried to put the database URL in the analysis tool. To my surprise, the database was accessible. On second thought, this makes sense, since the CouchDB connection string is an HTTP address and already contains the required credentials.

I googled how to interact with the database and could quickly enumerate it to find the flag.

I used this to get the password for all users. Logging in with elin_croft, the flag was shown.
