Helpful Desk

In this challenge security bulletin shows 3 versions of the application

• v1.2 shows critical status

• After downloading both updates we can use diff to check which files were updated

diff -bur v1_1 v1_2

┌── 👽AKUMA 🥷 ➤➤ 🌐10.10.0.12
├──[   ~/Desktop/CTF/nahamcon2024]
└─ ⚔ diff -bur v1_1 v1_2
Binary files v1_1/HelpfulDesk.dll and v1_2/HelpfulDesk.dll differ
Binary files v1_1/HelpfulDesk.pdb and v1_2/HelpfulDesk.pdb differ

• Using Avalonia ILSpy we can decompile the DLL file and inspect different functions

• SetupController contains some interesting code and it shows a URL path

public class SetupController : Controller
{
    private readonly string _credsFilePath = "credentials.json";

    public IActionResult SetupWizard()
    {
        //IL_0018: Unknown result type (might be due to invalid IL or missing references)
        //IL_001d: Unknown result type (might be due to invalid IL or missing references)
        if (File.Exists(_credsFilePath))
        {
            PathString path = ((ControllerBase)this).HttpContext.Request.Path;
            string requestPath = ((PathString)(ref path)).Value;
            if (requestPath.Equals("/Setup/SetupWizard", StringComparison.OrdinalIgnoreCase))
            {
                return (IActionResult)(object)((Controller)this).View("Error", (object)new ErrorViewModel
                {
                    RequestId = "Server already set up.",
                    ExceptionMessage = "Server already set up.",
                    StatusCode = 403
                });
            }
        }
        return (IActionResult)(object)((Controller)this).View();
    }

• On visiting this page we can actually set admin credentials!

• After setting credentials we can login and inspect services to get the flag