Objective 8: Broken Tag Generator
Help Noel Boetie fix the Tag Generator in the Wrapping Room. What value is in the environment variable
GREETZ? Talk to Holly Evergreen in the kitchen for help with this.
TL;DR - Answer
If you find a way to execute code blindly, I bet you can redirect to a file then download that file!
We might be able to find the problem if we can get source code!
Once you know the path to the file, we need a way to download it!
Can you figure out the path to the script? It's probably on error pages!
If you're having trouble seeing the code, watch out for the Content-Type! Your browser might be trying to help (badly)!
Is there an endpoint that will print arbitrary files?
I'm sure there's a vulnerability in the source somewhere... surely Jack wouldn't leave their mark?
Remember, the processing happens in the background so you might need to wait a bit after exploiting but before grabbing the output!
To access the tag generator terminal you must be Santa.
Noel Boetie tells us:
Welcome to the Wrapping Room, Santa!
The tag generator is acting up.
I feel like the issue has something to do with weird files being uploaded.
Can you help me figure out what's wrong?
When exploring a web application for vulnerabilities, a good first step is to direct your web browser traffic through a proxy such as Burp Suite to allow you to view and manipulate the underlying requests the browser makes. With our traffic proxied, we upload a file and look at the requests that were made. There are two requests of interest: when we add an image to the web app, our browser makes a POST request to
/upload with the file contents. The application responds with a JSON list of the filenames of the files that were uploaded.
The next request is a GET request to
/image?id=... where the
id parameter is the filename we received from the POST request. If you do not see this request in Burp, you may need to modify your filter settings to show image files.
Let's right-click and send this request to Repeater. We will use Repeater to try and retrieve files that we shouldn't have access to. For example, let's try using a directory traversal string to access
As you can see, this lack of path sanitization has allowed a local file inclusion (LFI) vulnerability. At this point we could use the LFI to retrieve the application source code and look for other vulnerabilities, but that is unnecessary in this case - we merely need to access the environment variables of the app's process to get to the
GREETZ variable. By viewing the man page of
proc we find that the initial environment variables of a given process are in
/proc/[pid]/environ, but we do not know the
pid of the running application. Luckily, the man page also describes a magic symbolic link at
/proc/self. When a process accesses this file, it resolves to the process's own
/proc/[pid] directory. Thus, if we use the LFI to access
/proc/self/environ we will be able to see the environment variables for the web application.