Description

There is a bot on Discord and you still don't have an RCE on it? What a shame…

The scope of the challenge is the “MilSec Utils” bot available on the Discord server; do not attack anything outside of it. For the safety of the challenge, we have restricted access to the bot's .env file. If you find a way to access it, please report it to the administrators ;)

For this first part, retrieve the flag contained in the file /flag1.txt

Analysis

Overview

A bot is available on the event's Discord server. It provides a few commands:

[Image: Commands]

The first part goal is to read the /flag1.txt file from the bot.

The most interesting command for this first part is /archive. It takes a URL as a parameter and generates a PDF of the page.

File read through case-sensitive check bypass

The interesting point is that, to generate the PDFs, the bot relies on a browser. This means that if we can supply a URL using the file:// scheme, the browser will render local files and we can read anything on the system that the browser process can access.

However, a minimal filter is applied to the user-supplied URL. If the provided URL is something like file:///etc/passwd, the bot rejects it for security reasons:

[Image: Reject message]

After a few tests, we observe that the check is case-sensitive. Sending a URL such as filE:///etc/passwd bypasses the check: the browser's URL parser lower-cases the scheme (schemes are case-insensitive and the WHATWG URL parser normalizes them), so the request is normalized to file:///etc/passwd and the bot's /etc/passwd ends up in the returned PDF.
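To make the root cause concrete, here is an added example (not the MilSec Utils bot's code, which was not disclosed): a deny-list filter with the case-sensitive bug the writeup describes, next to a hardened check that parses the URL the same way the browser will and allow-lists the schemes the archiver actually needs. The function and constant names are assumptions for illustration.

```javascript
// Added example, not the bot's real code. Demonstrates why a string
// comparison on the raw input is the wrong place to filter URL schemes.
const DENIED_SCHEMES = ['file://']; // hypothetical deny-list

// Naive filter: compares the raw string, so only an exact lower-case
// "file://" prefix is caught and "filE://" or "FILE://" slip through.
function naiveIsAllowed(input) {
  return !DENIED_SCHEMES.some((s) => input.startsWith(s));
}

// What the browser actually sees: the WHATWG URL parser (the same one
// Node and Chromium use) lower-cases the scheme during parsing, so
// "filE:///etc/passwd" is handled as "file:///etc/passwd".
function normalizedScheme(input) {
  try {
    return new URL(input).protocol; // e.g. "file:"
  } catch (err) {
    return null; // not a URL the browser would accept either
  }
}

// Hardened filter: parse first, then allow-list the schemes the archiver
// needs instead of trying to enumerate every dangerous one.
function hardenedIsAllowed(input) {
  const scheme = normalizedScheme(input);
  return scheme === 'http:' || scheme === 'https:';
}

// Constructed sample inputs showing the two filters disagreeing.
const samples = ['file:///etc/passwd', 'filE:///etc/passwd', 'FILE:///flag1.txt', 'https://example.com/'];
for (const u of samples) {
  console.log(`${u}\tnaive=${naiveIsAllowed(u)}\tparsed=${normalizedScheme(u)}\thardened=${hardenedIsAllowed(u)}`);
}
```

The takeaway is that any filter must operate on the parsed, normalized form of the input, and that an allow-list of expected schemes is far safer than a deny-list; a deny-list would still have to cover javascript:, data:, and any other scheme the browser treats specially.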

[Image: PDF returned, showing the passwd file content]

Exploitation

With this bypass, we can read the whole filesystem of the bot's host (limited to what the user running the browser process can access). Pointing the bypassed file:// URL at a directory even returns a directory listing, which makes locating files easy:

[Image: File list of the root]

To validate this first part, we just read /flag1.txt with the same bypass, as requested in the challenge description.

Flag

interiut{n4h_C4nT_B3lieVE_Yr_ChEcks_4re_C4s3_5enSiTiV3}