Helpful Desk
In this challenge security bulletin shows 3 versions of the application
v1.2 shows critical status
After downloading both updates we can use
diff
to check which files were updated
diff -bur v1_1 v1_2
┌── 👽AKUMA 🥷 ➤➤ 🌐10.10.0.12
├──[ ~/Desktop/CTF/nahamcon2024]
└─ ⚔ diff -bur v1_1 v1_2
Binary files v1_1/HelpfulDesk.dll and v1_2/HelpfulDesk.dll differ
Binary files v1_1/HelpfulDesk.pdb and v1_2/HelpfulDesk.pdb differ
Using Avalonia ILSpy we can decompile the DLL file and inspect different functions
SetupController
contains some interesting code and it shows a URL path
public class SetupController : Controller
{
private readonly string _credsFilePath = "credentials.json";
public IActionResult SetupWizard()
{
//IL_0018: Unknown result type (might be due to invalid IL or missing references)
//IL_001d: Unknown result type (might be due to invalid IL or missing references)
if (File.Exists(_credsFilePath))
{
PathString path = ((ControllerBase)this).HttpContext.Request.Path;
string requestPath = ((PathString)(ref path)).Value;
if (requestPath.Equals("/Setup/SetupWizard", StringComparison.OrdinalIgnoreCase))
{
return (IActionResult)(object)((Controller)this).View("Error", (object)new ErrorViewModel
{
RequestId = "Server already set up.",
ExceptionMessage = "Server already set up.",
StatusCode = 403
});
}
}
return (IActionResult)(object)((Controller)this).View();
}
On visiting this page we can actually set admin credentials!

After setting credentials we can login and inspect services to get the flag

Last updated