This was an interesting challenge, a special sponsor challenge from Context so I appreciated the punny name!
TL;DR was an SSRF exploit that we could use to extract data from a couchDB instance listening on the local interface.
Sadly, since I no longer have access to the challenge I do not have any screenshots.
The challenge was a simple form that would perform a curl request to whatever url you gave it and would return the first 200 bytes of the response base64 encoded. The solution is to use this to essentially port scan the machine via this form, allowing us to see services that should only be available locally.
The quickest way to do this is to use wfuzz or burp intruder to loop through all “http://localhost:x” where x is a port number. Since I don’t have a Burp Pro (pls give us some if someone is feeling generous. Plox) I had to use wfuzz. wfuzz the command would be
wfuzz -w nums.txt -u “http://connair/index.php?url=http://localhost:FUZZ”
Where nums.txt is a file containing numbers [0,65535]. A quick way to do this is python -c “for x in range(65535): print x” > nums.txt
This will loop through all of the ports at a decent speed, wfuzz has been a great tool on a lot of challenges I’ve done so it’s good to get familiar with it.
Eventually we found a port open on 5984, that informed us this was a CouchDB backend. Awesome, some progress! Note: we had (somewhat embarrassingly) spent a lot of time on this challenge up until this point.
CouchDB is a NoSQL database, so we have a nice REST api to interact with. CouchDB is just a key => document store, so now it was a task to find the right database and key! Querying http://localhost:5984/_all_dbs gave me a promising DB called “flag”. In couchDB access is done by the format http://server/DB/Key, all we needed now was the key. Thankfully we can also do that, http://localhost:5984/flag/_all docs returns all keys on the instance.
Looking at this we see a lovely value to the effect of “s3cr3tv4lu3” so a final request to “http://localhost:5984/flag/s3cr3tv4lu3” is enough to net us the flag and first solve of the challenge at InterACE!
A fun challenge, and our thanks go out to Cambridge University for hosting a great event, and Context for writing this challenge and providing the medals we earned for the effort.