
CYDES 2023 CTF - WriteUp: Payasos

CTF Cybersecurity Writeup

This challenge requires us to bypass a type-juggling login check and a file-path sanitization routine.

The challenge gave a link to a web app that displays its own source code, but for this writeup I will host the challenge myself.

Let's take a look at the code to identify which vulnerabilities we can trigger.

Two sections of the source are quite interesting.

Let me explain what is going on in these two sections. The first image shows the code reading the raw request body via php://input and decoding it with json_decode.

In the second section, the code checks the supplied username and password against a randomly generated username and password. So, logically, we cannot know the real username and password.

But the comparison uses == instead of ===, so PHP performs a loose comparison and does not check the operands' data types. When one side of == is a boolean, PHP converts the other side to a boolean first, and any non-empty string other than "0" becomes true. json_decode preserves JSON types, so a JSON true arrives as a PHP boolean and compares equal to whatever random string the server generated. This still holds on PHP 8, whose stricter comparison rules only changed number-to-string comparisons. So we can bypass the check using type juggling when we hit the endpoint with a POST request.

Let's try this payload:

{
 "username" : true, "password" : true, "file" : "/flag.txt"
}

Dang! We bypassed the login check, but the code blocks our attempt to read /flag.txt as a forbidden pattern. Let's take a look at how it blocks it.

There is a list of forbidden inputs, and after that check every run of multiple dots (.) is replaced with a single dot (.) and a double slash (//) is replaced with img/. Note the ordering: the forbidden-input check runs on the string exactly as we submitted it, and the replacements are applied afterwards, so whatever the replacements produce is never checked against the list.

Hmm, quite annoying, but we can be more annoying than the code ;)

Let's try this payload:

{
 "username" : true, "password" : true, "file" : "/img/flag.txt"
}

This payload passes the forbidden-input check as submitted and, after the replacements, resolves to flag.txt in the / directory, so it should read the flag.
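As an added example (not the challenge's source, which this writeup only shows in screenshots), the following PHP reconstructs the two checks described above so that both payloads can be traced end to end. The loose == comparison is exactly what the page describes. The contents of the blocklist (an exact-match list containing "/flag.txt") and the rewrite that strips img/ are assumptions chosen to reproduce the described behaviour; the hardened variants (a type check plus hash_equals, and realpath confined to an allowed base directory) are the fixes a practitioner would apply, not code from the challenge.

```php
<?php
// Added example for this writeup, not the challenge's own source. It
// reconstructs the two checks the writeup describes (loose credential
// comparison, and a blocklist applied before the path is rewritten) so the
// two payloads can be traced. ASSUMPTIONS: the blocklist is an exact-match
// list containing "/flag.txt", and the rewrite that maps /img/flag.txt to
// /flag.txt is str_replace('img/', ''). The real rules are only visible in
// the challenge screenshots, which are not reproduced here. Requires PHP 8.
declare(strict_types=1);

// Random credentials, as the challenge generates them (constructed here).
$realUser = bin2hex(random_bytes(8));
$realPass = bin2hex(random_bytes(8));

// Vulnerable check: == lets a JSON boolean stand in for the secret string.
// In PHP 7 and 8 alike, true == "any non-empty string other than '0'" is true.
function loginLoose(mixed $u, mixed $p, string $realUser, string $realPass): bool
{
    return $u == $realUser && $p == $realPass;
}

// Hardened check: reject non-strings, then compare in constant time.
function loginStrict(mixed $u, mixed $p, string $realUser, string $realPass): bool
{
    return is_string($u) && is_string($p)
        && hash_equals($realUser, $u)
        && hash_equals($realPass, $p);
}

// ASSUMED exact-match blocklist standing in for the challenge's list.
const FORBIDDEN = ['/flag.txt', 'flag.txt', '/flag'];

// Vulnerable filter: check the raw string, THEN rewrite it. Anything the
// rewrite produces was never checked against the list.
function filterLoose(string $file): ?string
{
    if (in_array($file, FORBIDDEN, true)) {
        return null;                                 // "forbidden pattern"
    }
    $file = preg_replace('/\.{2,}/', '.', $file);    // runs of dots -> one dot (as described)
    $file = str_replace('img/', '', $file);          // ASSUMED rewrite: "/img/flag.txt" -> "/flag.txt"
    return $file;
}

// Hardened filter: no blocklist. Resolve the path first, then require the
// result to stay inside an allowed directory.
function filterStrict(string $base, string $file): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . ltrim($file, '/'));
    if ($baseReal === false || $target === false) {
        return null;                                 // missing file or directory
    }
    return str_starts_with($target, $baseReal . DIRECTORY_SEPARATOR) ? $target : null;
}

// Trace the two payloads from the writeup. The challenge reads them from
// php://input; here they are constructed inline.
$payloads = [
    '{"username": true, "password": true, "file": "/flag.txt"}',
    '{"username": true, "password": true, "file": "/img/flag.txt"}',
];
foreach ($payloads as $raw) {
    $in = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    printf(
        "%-14s login(==)=%-3s login(===)=%-3s loosePath=%-9s strictPath=%s\n",
        $in['file'],
        loginLoose($in['username'], $in['password'], $realUser, $realPass) ? 'yes' : 'no',
        loginStrict($in['username'], $in['password'], $realUser, $realPass) ? 'yes' : 'no',
        filterLoose($in['file']) ?? 'BLOCKED',
        filterStrict(__DIR__, $in['file']) ?? 'REJECTED'
    );
}
```

Running it with `php` shows the loose login accepting both payloads against credentials it never saw, while loginStrict rejects them because the booleans are not strings. The loose filter blocks "/flag.txt" but turns "/img/flag.txt" into "/flag.txt", which is the bypass the writeup uses; filterStrict rejects both because neither path resolves to an existing file under the script's own directory, and a real deployment would pass the web root or an uploads directory as the base.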

BOOM! Flag captured!