BugPoc / Amazon — Doggo CTF

Vasileios Mitrousis
3 min read · May 5, 2021

Another great CTF organized by BugPoc and @NahamSec.

cute little doggies

The goal of the challenge was to retrieve the SECRET_API_KEY variable, which sits somewhere on the server. It was also described as a “Find the memory leak” challenge.

First things first, viewing the source code of the page shows us there is a single JS script loaded.

Opening the script gives us a few interesting insights:

What we got:

  • An API endpoint
  • Two URL paths
  • Some interesting parameters passed to one of the GET requests

Let’s fire up Burp.

The encoded string was confirmed to be a Fernet token, so we shouldn’t spend too much time trying to decode it: there are no known practical attacks against Fernet as of today.

If we try the /dogs endpoint directly from the browser we get a 401.

Let’s continue with the second endpoint we found in the JS script.

Interesting. Another encrypted token gets generated. It also looks like a Fernet token, so let’s see whether the /get-dogs function can decrypt it.

That looks good. It means we can control the “path” value within the JSON object just by changing our User-Agent header.

In the request above we put the URL-encoded path /../dogs?page=1000&p= in our User-Agent header and got a new token generated. The intention is a traversal in the URL path, as follows:

https://doggo-api.buggywebsite.com/xxxxxx/../dogs?page=1000&p=xxxxxx

We should expect the URL to transform to the one below:

https://doggo-api.buggywebsite.com/dogs?page=1000&p=xxx

This worked very well. We managed to access the restricted endpoint with our provided parameters. Unfortunately we could not exploit this path any further, because the provided “page” parameter is passed through an int() conversion and there is proper exception handling in place.
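To make the traversal above concrete from the server’s side, here is an added example (not the challenge’s code): the host is from the writeup, but the URL template, the `xxxxxx` placeholders and the allowlist are assumptions. It reproduces how the User-Agent-controlled “path” field collapses into /dogs after dot-segment normalization, and shows the validation that would have refused both the /dogs and the /heapdump payloads.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Host from the writeup. The server's real URL template is not on the page, so the
# f-strings below are an assumption that reproduces the URL shape the writeup shows.
API_BASE = "https://doggo-api.buggywebsite.com"
PLACEHOLDER_SEGMENT = "xxxxxx"  # redacted first path segment, as in the writeup
PLACEHOLDER_TOKEN = "xxxxxx"    # redacted value that ends up after p=

# Constructed attacker input: the URL-encoded User-Agent value from the writeup.
ENCODED_UA = "%2F..%2Fdogs%3Fpage%3D1000%26p%3D"
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]{1,64}")  # no '/', '.', '?', '&', '%'


def resolve(url: str) -> str:
    """Collapse dot-segments the way an HTTP client does (RFC 3986 section 5.2.4)."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, posixpath.normpath(s.path), s.query, s.fragment))


def build_vulnerable(path_field: str) -> str:
    """Mirrors the challenge: the decrypted 'path' field (the raw User-Agent)
    is spliced into the upstream URL with no validation at all."""
    return f"{API_BASE}/{PLACEHOLDER_SEGMENT}{unquote(path_field)}{PLACEHOLDER_TOKEN}"


def build_hardened(path_field: str) -> str:
    """Treat the caller-controlled field as exactly one path segment: allowlist
    its characters, then confirm the normalized URL is still under the prefix."""
    segment = unquote(path_field)
    if not SAFE_SEGMENT.fullmatch(segment):
        raise ValueError(f"refusing path field {segment!r}")
    url = f"{API_BASE}/{PLACEHOLDER_SEGMENT}/{segment}?p={PLACEHOLDER_TOKEN}"
    if not resolve(url).startswith(f"{API_BASE}/{PLACEHOLDER_SEGMENT}/"):
        raise ValueError("normalized URL escaped the intended prefix")
    return url


def is_rejected(path_field: str) -> bool:
    """True when build_hardened refuses the field; the same predicate can flag
    suspicious User-Agent values when reviewing request logs."""
    try:
        build_hardened(path_field)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_vulnerable(ENCODED_UA))           # .../xxxxxx/../dogs?page=1000&p=xxxxxx
    print(resolve(build_vulnerable(ENCODED_UA)))  # .../dogs?page=1000&p=xxxxxx
    print(is_rejected(ENCODED_UA), is_rejected("%2F..%2Fheapdump"), is_rejected("corgi"))
```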

Let’s run our good old Dirbuster and see if something else pops up.

Another 401 endpoint. Let’s have a look.

Adjusting our payload to add the /heapdump endpoint to our path

And that was it!

Creating the HTTP PoCs in the BugPoc tool:

Getting the encoded payload
Executing the final exploitation step

This was a cool one, thanks to everyone involved!

Don’t forget to follow me on Twitter.
