Simple web challenge. The application was built with the React framework and contained reporting functionality:
fetch("/api/report", {
  method: "POST",
  body: JSON.stringify({ hash: x }),
  headers: {
    "Content-Type": "application/json"
  }
});
We got a file with a keystroke sequence recorded from a /dev/input/event* device. It's easy to replay the events from the file using the following command:
# sleep 3; cat event0 > /dev/input/by-path/platform-i8042-serio-0-event-kbd
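Piping the capture into the kernel's input device, as above, needs root and types the keystrokes into whatever window has focus. As an added example that is not part of the original writeup, the script below decodes such a capture offline instead: it parses the fixed-size struct input_event records and maps EV_KEY press/repeat events through a partial keycode table from linux/input-event-codes.h, tracking Shift. Assumptions: the 24-byte 64-bit record layout (32-bit captures use 16-byte records), a US keyboard layout, and a constructed sample stream produced by build_events standing in for the challenge's event0 file.

```python
import struct

# struct input_event on x86_64: struct timeval (two 64-bit ints), __u16 type,
# __u16 code, __s32 value -> 24 bytes. Assumption: 64-bit layout; 32-bit is 16 bytes.
EVENT_FMT = "<qqHHi"
EVENT_SIZE = struct.calcsize(EVENT_FMT)

EV_SYN, EV_KEY = 0x00, 0x01
KEY_RELEASE, KEY_PRESS, KEY_REPEAT = 0, 1, 2
KEY_LEFTSHIFT, KEY_RIGHTSHIFT = 42, 54

# Partial keycode table (US layout): code -> (unshifted, shifted)
KEYMAP = {1: ("\x1b", "\x1b"), 14: ("\b", "\b"), 28: ("\n", "\n"), 57: (" ", " ")}
for base, plain, shifted in ((2, "1234567890", "!@#$%^&*()"),
                             (16, "qwertyuiop", "QWERTYUIOP"),
                             (30, "asdfghjkl;'", "ASDFGHJKL:\""),
                             (44, "zxcvbnm,./", "ZXCVBNM<>?")):
    for offset, (p, s) in enumerate(zip(plain, shifted)):
        KEYMAP[base + offset] = (p, s)


def parse_events(data):
    """Yield (type, code, value) for each fixed-size input_event record."""
    if len(data) % EVENT_SIZE:
        raise ValueError("truncated input_event record")
    for off in range(0, len(data), EVENT_SIZE):
        _sec, _usec, typ, code, value = struct.unpack_from(EVENT_FMT, data, off)
        yield typ, code, value


def decode_keystrokes(data):
    """Reconstruct the typed text from a raw evdev capture (Escape becomes \\x1b)."""
    shift = 0
    out = []
    for typ, code, value in parse_events(data):
        if typ != EV_KEY:          # EV_SYN / EV_MSC records carry no keystroke
            continue
        if code in (KEY_LEFTSHIFT, KEY_RIGHTSHIFT):
            if value == KEY_PRESS:
                shift += 1
            elif value == KEY_RELEASE:
                shift = max(shift - 1, 0)
            continue
        if value in (KEY_PRESS, KEY_REPEAT):
            pair = KEYMAP.get(code)
            out.append(pair[1 if shift else 0] if pair else f"<{code}>")
    return "".join(out)


def build_events(text, start_sec=1700000000):
    """Construct a synthetic event stream for `text` (test input, not a real capture)."""
    rev = {}
    for code, (plain, shifted) in KEYMAP.items():
        rev.setdefault(plain, (code, False))
        if shifted != plain:
            rev.setdefault(shifted, (code, True))
    records = []
    t = start_sec

    def emit(code, value):
        nonlocal t
        t += 1
        records.append(struct.pack(EVENT_FMT, t, 0, EV_KEY, code, value))
        records.append(struct.pack(EVENT_FMT, t, 0, EV_SYN, 0, 0))

    for ch in text:
        code, needs_shift = rev[ch]
        if needs_shift:
            emit(KEY_LEFTSHIFT, KEY_PRESS)
        emit(code, KEY_PRESS)
        emit(code, KEY_RELEASE)
        if needs_shift:
            emit(KEY_LEFTSHIFT, KEY_RELEASE)
    return b"".join(records)


# Constructed sample standing in for the challenge's event0 file.
SAMPLE_EVENTS = build_events("vim key.txt\n:wq\n")

if __name__ == "__main__":
    print(repr(decode_keystrokes(SAMPLE_EVENTS)))
```

To use it on a real capture, replace SAMPLE_EVENTS with the bytes of the event0 file; if the capture came from a 32-bit system, set EVENT_FMT to "<llHHi" so the 16-byte records line up.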
After that, switch to another terminal window or text editor, and we will see the following commands:
vim key.txt
32ix^[o^[5if ^[Icde^[A653^[BBi3333^[BBicdef87236363^[llr2elr20elxlxlxhi3^[A64^[kdd:wq
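Replaying the capture into a live editor is one way to see what was written; the same sequence can also be interpreted offline. The following is an added example, not part of the original writeup: a minimal simulator (hypothetical class MiniVim) of only the normal-mode and insert-mode commands that occur in the recorded session, with `^[` standing for Escape as in the transcript above. Counts, i/I/A/o, x, r, h/l/j/k, 0, e, B, dd and :wq are modeled; anything else raises so that an unmodeled command is not silently misinterpreted. The session string is taken from the capture above.

```python
ESC = "\x1b"


def _is_word(ch):
    # vim's default 'iskeyword': letters, digits and underscore
    return ch.isalnum() or ch == "_"


class MiniVim:
    """Tiny model of the vim commands seen in the recovered session (not a full editor)."""

    def __init__(self):
        self.lines, self.row, self.col = [""], 0, 0

    @property
    def line(self):
        return self.lines[self.row]

    def _set(self, text):
        self.lines[self.row] = text

    def _clamp(self):
        self.col = max(0, min(self.col, len(self.line) - 1))

    def _insert(self, text, count):
        text *= count
        self._set(self.line[:self.col] + text + self.line[self.col:])
        # leaving insert mode puts the cursor on the last inserted character
        self.col = max(self.col + len(text) - 1, 0)

    def _end_of_word(self):  # 'e': end of current word, or of the next one if already there
        line, i = self.line, self.col
        if i + 1 >= len(line):
            return
        i += 1
        while i < len(line) and not _is_word(line[i]):
            i += 1
        while i + 1 < len(line) and _is_word(line[i + 1]):
            i += 1
        self.col = min(i, len(line) - 1)

    def _back_WORD(self):  # 'B': start of current blank-delimited WORD, or of the previous one
        line, i = self.line, self.col
        if i > 0:
            i -= 1
        while i > 0 and line[i] == " ":
            i -= 1
        while i > 0 and line[i - 1] != " ":
            i -= 1
        self.col = i

    def run(self, keys):
        keys = keys.replace("^[", ESC)
        i, count = 0, 0
        while i < len(keys):
            ch, i = keys[i], i + 1
            if ch.isdigit() and (ch != "0" or count):   # a bare '0' is the line-start motion
                count = count * 10 + int(ch)
                continue
            n, count = count or 1, 0
            if ch in "iIAo":                               # insert mode until Escape
                end = keys.index(ESC, i)
                text, i = keys[i:end], end + 1
                if ch == "I":
                    self.col = len(self.line) - len(self.line.lstrip(" "))
                elif ch == "A":
                    self.col = len(self.line)
                elif ch == "o":                            # count for 'o' is not modeled
                    self.lines.insert(self.row + 1, "")
                    self.row, self.col = self.row + 1, 0
                self._insert(text, n)
            elif ch == "x":
                self._set(self.line[:self.col] + self.line[self.col + n:])
                self._clamp()
            elif ch == "r":
                rep, i = keys[i], i + 1
                self._set(self.line[:self.col] + rep * n + self.line[self.col + n:])
            elif ch == "l":
                self.col += n; self._clamp()
            elif ch == "h":
                self.col -= n; self._clamp()
            elif ch == "k":
                self.row = max(self.row - n, 0); self._clamp()
            elif ch == "j":
                self.row = min(self.row + n, len(self.lines) - 1); self._clamp()
            elif ch == "0":
                self.col = 0
            elif ch == "e":
                for _ in range(n):
                    self._end_of_word()
            elif ch == "B":
                for _ in range(n):
                    self._back_WORD()
            elif ch == "d" and keys[i:i + 1] == "d":       # 'dd': delete n lines
                i += 1
                del self.lines[self.row:self.row + n]
                self.lines = self.lines or [""]
                self.row, self.col = min(self.row, len(self.lines) - 1), 0
            elif ch == ":":                                # ex command; :wq / :q end the session
                end = keys.find("\n", i)
                cmd = keys[i:] if end < 0 else keys[i:end]
                i = len(keys) if end < 0 else end + 1
                if cmd.strip() in ("wq", "x", "q", "q!"):
                    break
            else:
                raise ValueError(f"unmodeled command {ch!r} at offset {i - 1}")
        return "\n".join(self.lines)


def replay_vim(keys):
    """Return the buffer contents left behind by a vim keystroke string."""
    return MiniVim().run(keys)


# Keystroke sequence recovered from the capture above.
RECOVERED_SESSION = ("32ix^[o^[5if ^[Icde^[A653^[BBi3333^[BBicdef87236363^["
                     "llr2elr20elxlxlxhi3^[A64^[kdd:wq")

if __name__ == "__main__":
    print(replay_vim(RECOVERED_SESSION))
```

Running replay_vim(RECOVERED_SESSION) gives a single line of 32 hexadecimal digits, which is what key.txt contains after the final `kdd` removes the line of x's. The cursor bookkeeping after Escape (one column left) and the word/WORD motions are the parts most likely to diverge from real vim, so when a capture uses motions this model does not cover, replaying it in vim itself as the writeup does remains the reference.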
The application was built from 2 parts, a frontend page (https://h4x0rs.club/game/) and a backend page (https://backend.h4x0rs.club/backend_www/), communicating via postMessage. There were several issues:
It's also possible to make the victim's browser trigger a click on the injected element:
if (location.hash.slice(1) == 'report') {
  document.getElementById('report-btn').click();
}
There were 2 security issues in the application:
The problem is in the max_allowed_packet option in my.cnf: MySQL discards any packet larger than the value of this option. So it's possible to bypass the WAF by sending a big payload in the first argument sent to the server.
The vulnerability is described here: https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability.
import sys
import io
import re
import requests
import pytesseract