Helpful Desk

In this challenge security bulletin shows 3 versions of the application

v1.2 shows critical status
After downloading both updates we can use diff to check which files were updated

diff -bur v1_1 v1_2

┌── 👽AKUMA 🥷 ➤➤ 🌐10.10.0.12
├──[   ~/Desktop/CTF/nahamcon2024]
└─ ⚔ diff -bur v1_1 v1_2
Binary files v1_1/HelpfulDesk.dll and v1_2/HelpfulDesk.dll differ
Binary files v1_1/HelpfulDesk.pdb and v1_2/HelpfulDesk.pdb differ

Using Avalonia ILSpy we can decompile the DLL file and inspect different functions
SetupController contains some interesting code and it shows a URL path

public class SetupController : Controller
{
    private readonly string _credsFilePath = "credentials.json";

    public IActionResult SetupWizard()
    {
        //IL_0018: Unknown result type (might be due to invalid IL or missing references)
        //IL_001d: Unknown result type (might be due to invalid IL or missing references)
        if (File.Exists(_credsFilePath))
        {
            PathString path = ((ControllerBase)this).HttpContext.Request.Path;
            string requestPath = ((PathString)(ref path)).Value;
            if (requestPath.Equals("/Setup/SetupWizard", StringComparison.OrdinalIgnoreCase))
            {
                return (IActionResult)(object)((Controller)this).View("Error", (object)new ErrorViewModel
                {
                    RequestId = "Server already set up.",
                    ExceptionMessage = "Server already set up.",
                    StatusCode = 403
                });
            }
        }
        return (IActionResult)(object)((Controller)this).View();
    }

On visiting this page we can actually set admin credentials!

After setting credentials we can login and inspect services to get the flag

PreviousThomas DEVerson NextCurly Fries

Last updated 10 months ago

Helpful Desk

In this challenge security bulletin shows 3 versions of the application

v1.2 shows critical status
After downloading both updates we can use diff to check which files were updated

diff -bur v1_1 v1_2

┌── 👽AKUMA 🥷 ➤➤ 🌐10.10.0.12
├──[   ~/Desktop/CTF/nahamcon2024]
└─ ⚔ diff -bur v1_1 v1_2
Binary files v1_1/HelpfulDesk.dll and v1_2/HelpfulDesk.dll differ
Binary files v1_1/HelpfulDesk.pdb and v1_2/HelpfulDesk.pdb differ

Using Avalonia ILSpy we can decompile the DLL file and inspect different functions
SetupController contains some interesting code and it shows a URL path

public class SetupController : Controller
{
    private readonly string _credsFilePath = "credentials.json";

    public IActionResult SetupWizard()
    {
        //IL_0018: Unknown result type (might be due to invalid IL or missing references)
        //IL_001d: Unknown result type (might be due to invalid IL or missing references)
        if (File.Exists(_credsFilePath))
        {
            PathString path = ((ControllerBase)this).HttpContext.Request.Path;
            string requestPath = ((PathString)(ref path)).Value;
            if (requestPath.Equals("/Setup/SetupWizard", StringComparison.OrdinalIgnoreCase))
            {
                return (IActionResult)(object)((Controller)this).View("Error", (object)new ErrorViewModel
                {
                    RequestId = "Server already set up.",
                    ExceptionMessage = "Server already set up.",
                    StatusCode = 403
                });
            }
        }
        return (IActionResult)(object)((Controller)this).View();
    }

On visiting this page we can actually set admin credentials!

After setting credentials we can login and inspect services to get the flag

PreviousThomas DEVerson NextCurly Fries

Last updated 10 months ago