Gold is never old!
http://old-but-gold.ctfz.zone/
Old version of the API still supported on the POST comment endpoint → additional parameter accepted → SSTI → RCE
When entering the application we can see the login / registration forms. For some unintended reason it wasn’t available for a large part of the competition, so maybe the hardest part of the task was to catch it alive and get into the main interface of the application.
Once we manage that, we see the user’s personal page, which shows user information and lets us post comments on the page. This is shown in Figure 1:

Figure 1: User page
Let’s look at what the requests look like in Burp. They are presented in Figure 2:

Figure 2: Basic requests to the application
Looking through them, we notice requests to api/v2 endpoints. Moreover, there is more functionality than is exposed on the page (e.g. the ability to delete all comments and to update user data).
Now we can come back to the task’s name and suppose that there is something old in the application. We can try sending the request to the older version of the API (api/v1) and find out that it is still supported on one of the endpoints. This is shown in Figure 3:

Figure 3: Discovering an older API version
Here we see an error message telling us that we need to provide one more argument. When we do, we get a different response, containing the username we provided. This is shown in Figure 4:

Figure 4: Discovering different response
At the same time, we can see a different-looking comment in the UI, but it is not actually needed for the solution. This is shown in Figure 5:

Figure 5: Different-looking comment in the UI
As we’ve understood that the server reflects our input, we can do a little fuzzing and find out that it is vulnerable to SSTI. This is shown in Figure 6:
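The two findings above (a legacy api/v1 endpoint that is still routed and demands an extra parameter, and that parameter being reflected into a template) can be modelled end to end. The following is an added example written for this writeup, not the challenge’s own code: the template engine, the route paths, the `username` parameter name and the access-log lines are all assumptions. It shows the vulnerable v1 handler (user input concatenated into the template string) beside the safe v2 handler (user input passed as context data), plus a log check that lists old API versions still answering 200, which is the signal a defender would want from the writeup’s first step.

```python
import ast
import operator
import re
from html import escape

# Minimal template engine (assumption: stands in for whatever engine the target used).
# "{{ name }}" renders a context variable, HTML-escaped; any other "{{ expr }}"
# is evaluated as arithmetic. That evaluation is exactly what an SSTI probe detects.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_arith(node):
    if isinstance(node, ast.Expression):
        return _eval_arith(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval_arith(node.left), _eval_arith(node.right))
    raise ValueError("unsupported template expression")


def render(template, context):
    def substitute(match):
        expr = match.group(1).strip()
        if expr in context:
            return escape(str(context[expr]))
        return str(_eval_arith(ast.parse(expr, mode="eval")))
    return re.sub(r"\{\{(.*?)\}\}", substitute, template)


# Legacy v1 handler: builds the template FROM user input, so "{{...}}" in the
# username is parsed as template syntax. The required extra parameter mirrors
# the "one more argument" error the writeup hit.
def post_comment_v1(params):
    if "username" not in params:
        return 400, "missing parameter: username"
    template = "<p>" + params["username"] + " wrote: " + params.get("text", "") + "</p>"
    return 200, render(template, {})


# Current v2 handler: fixed template, user input only ever enters as data.
def post_comment_v2(params):
    template = "<p>{{ username }} wrote: {{ text }}</p>"
    context = {"username": params.get("username", "anonymous"),
               "text": params.get("text", "")}
    return 200, render(template, context)


# Assumed routes: the old version was never unregistered.
ROUTES = {"/api/v1/comment": post_comment_v1, "/api/v2/comment": post_comment_v2}


def handle(method, path, params):
    handler = ROUTES.get(path) if method == "POST" else None
    if handler is None:
        return 404, "not found"
    try:
        return handler(params)
    except (ValueError, SyntaxError):
        return 500, "template error"


# Defender check: which non-current API versions still answer 200 in the access log?
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')


def live_legacy_endpoints(log_lines, current_version="v2"):
    hits = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        version = re.match(r"/api/(v\d+)/", m.group("path"))
        if version and version.group(1) != current_version and m.group("status") == "200":
            hits.add(m.group("path"))
    return sorted(hits)


# Constructed sample log lines, not captured from the challenge.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "POST /api/v2/comment HTTP/1.1" 200 57',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "POST /api/v1/comment HTTP/1.1" 400 31',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "POST /api/v1/comment HTTP/1.1" 200 49',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /api/v1/user HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    probe = {"text": "hi", "username": "{{7*7}}"}
    print("v1:", handle("POST", "/api/v1/comment", probe))   # arithmetic evaluated
    print("v2:", handle("POST", "/api/v2/comment", probe))   # rendered as literal text
    print("legacy endpoints still live:", live_legacy_endpoints(SAMPLE_LOG))
```

The fix is the v2 shape, not input filtering: keep templates as constants in code and pass everything user-supplied through the context, and retire the v1 route entirely rather than leaving it reachable. The log check is the cheap way to find out whether a retired version is in fact still being served.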