📚 h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers
💡 News category: Vulnerabilities
🔗 Source: vulners.com
Summary: Several vulnerabilities in the bountypay application lead to unauthorised access, information disclosure, SSRF and other fun stuff.

Steps To Reproduce:

This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties.

First part: Web

I started by finding all subdomains for the challenge:

https://bountypay.h1ctf.com
https://app.bountypay.h1ctf.com
https://staff.bountypay.h1ctf.com
https://api.bountypay.h1ctf.com
https://www.bountypay.h1ctf.com
https://software.bountypay.h1ctf.com

Fuzzing the subdomains, I found this: https://app.bountypay.h1ctf.com/.git/HEAD

Checking /.git/config showed the link to the GitHub repo and an interesting file: https://github.com/bounty-pay-code/request-logger/blob/master/logger.php, which referenced the file bp_web_trace.log, which could be found here: https://app.bountypay.h1ctf.com/bp_web_trace.log

Decoding the contents of that file gave:

{"IP":"192.168.1.1","URI":"\/","METHOD":"GET","PARAMS":{"GET":[],"POST":[]}}
{"IP":"192.168.1.1","URI":"\/","METHOD":"POST","PARAMS":{"GET":[],"POST":{"username":"brian.oliver","password":"V7h0inzX"}}}
{"IP":"192.168.1.1","URI":"\/","METHOD":"POST","PARAMS":{"GET":[],"POST":{"username":"brian.oliver","password":"V7h0inzX","challenge_answer":"bD83Jk27dQ"}}}
{"IP":"192.168.1.1","URI":"\/statements","METHOD":"GET","PARAMS":{"GET":{"month":"04","year":"2020"},"POST":[]}}

This looked like a server log which included credentials for the user 'brian.oliver', plus a... ...
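The root cause above is a request logger that writes submitted form fields, credentials included, to a world-readable trace file. The following Python is an added example (not code from the report or from the bountypay challenge) that scans lines in the bp_web_trace.log JSON shape shown above for logged credential fields, and shows the redaction the logger should have applied before writing. The SENSITIVE_KEYS list is a hypothetical starting set, the sample log lines are constructed, and the parser handles the quirk visible in the real lines where an empty parameter set is serialised as [] rather than {}.

```python
import json

# Parameter names that must never be written to a request log.
# Hypothetical starting list; extend it for the application being audited.
SENSITIVE_KEYS = {"password", "passwd", "challenge_answer", "token", "secret", "otp"}

def _as_dict(block):
    """PHP serialises an empty array as [] and a populated one as {}; normalise to a dict."""
    return block if isinstance(block, dict) else {}

def scan_trace_log(lines):
    """Return (line_no, method, uri, 'GET.key' or 'POST.key') for every logged
    parameter whose name is a credential field. Unparseable lines are reported too,
    since a log that cannot be parsed cannot be audited."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((n, None, None, "<unparseable>"))
            continue
        params = entry.get("PARAMS", {})
        for where in ("GET", "POST"):
            for key in _as_dict(params.get(where)):
                if key.lower() in SENSITIVE_KEYS:
                    findings.append((n, entry.get("METHOD"), entry.get("URI"), f"{where}.{key}"))
    return findings

def redact_line(raw):
    """What the logger should do before writing: mask credential values, keep the rest."""
    entry = json.loads(raw)
    params = entry.get("PARAMS", {})
    for where in ("GET", "POST"):
        block = params.get(where)
        if isinstance(block, dict):
            for key in block:
                if key.lower() in SENSITIVE_KEYS:
                    block[key] = "[REDACTED]"
    return json.dumps(entry)

# Constructed sample lines in the same shape as the trace log (placeholder values).
SAMPLE_LOG = [
    '{"IP":"10.0.0.5","URI":"\\/","METHOD":"GET","PARAMS":{"GET":[],"POST":[]}}',
    '{"IP":"10.0.0.5","URI":"\\/","METHOD":"POST","PARAMS":{"GET":[],"POST":{"username":"alice","password":"hunter2"}}}',
    '{"IP":"10.0.0.5","URI":"\\/","METHOD":"POST","PARAMS":{"GET":[],"POST":{"username":"alice","password":"hunter2","challenge_answer":"abc123"}}}',
    '{"IP":"10.0.0.5","URI":"\\/statements","METHOD":"GET","PARAMS":{"GET":{"month":"04","year":"2020"},"POST":[]}}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in scan_trace_log(SAMPLE_LOG):
        print("credential in log:", finding)
```

Run the scanner over a real trace file with `scan_trace_log(open(path).read().splitlines())`; any finding means the logger itself, not just file permissions, needs fixing.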