[⭐] Challenge idea : RCE/Reverse shell through captcha submit
Description
Juice Shop has a manually implemented captcha system, wherein an arithmetic question is generated through randomized strings and then eval is called on that string to generate the answer. This challenge can be implemented two ways:
- Captcha statements are now generated on the client side, and then sent to an endpoint which only returns a captcha ID.
- Add a hidden, unused parameter that takes a captcha statement, evals the answer, updates it in the database and then returns the captchaId. This, according to me, would be more believable as it's basically based on a deprecated debug variable accidentally left in a manually implemented system.
I would love some feedback on which path to take.
The final aim of the challenge could be to read a particular file, as we already have two DoS challenges as of now.
Underlying vulnerability/ies
I guess this could fall under security misconfiguration.
Expected difficulty
| ✔️ / ❌ | Difficulty |
|---|---|
| ✔️ | ⭐⭐⭐ |
Possible attack flow
The attacker notices that the captcha is generated when a request is made to the `rest/captcha` endpoint and a JSON response is returned which contains the statement under the name `captcha`. They fuzz around a bit and notice that by sending a URL parameter of the same name, they can manipulate the JSON response. This prompts the question: how was the `answer` computed? The most obvious way would be eval. The attacker tries some preliminary code injection and it works. And voilà! The challenge is solved.
Issue Analytics
- State:
- Created 4 years ago
- Comments: 7 (6 by maintainers)
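To make the issue's point concrete, here is an added example (not Juice Shop's own code, and not code from the issue author): a minimal captcha generator that computes the answer with `eval()`, which is the pattern the description criticises, beside a hardened version that only evaluates a whitelisted arithmetic grammar and never accepts a statement from the client. The function names, the `rng` parameter, and the sample statements are assumptions made for the demo.

```javascript
// Added example, not Juice Shop's own code. Demonstrates why eval() on a
// captcha statement becomes code injection the moment a client can supply
// that statement, and shows a parser-based replacement.
// All names and sample inputs here are assumptions for the demo.

const OPERATORS = ['+', '-', '*'];

// Builds a statement such as "7*3+2". `rng` is injectable so tests are deterministic.
function buildCaptcha(rng = Math.random) {
  const pick = (arr) => arr[Math.floor(rng() * arr.length)];
  const num = () => 1 + Math.floor(rng() * 10);
  return `${num()}${pick(OPERATORS)}${num()}${pick(OPERATORS)}${num()}`;
}

// VULNERABLE: trusts the statement string and hands it to eval().
// Harmless while the server is the only producer of statements; fatal as soon
// as a hidden or debug parameter lets a client supply one.
function answerWithEval(statement) {
  return eval(statement); // eslint-disable-line no-eval
}

// HARDENED: tokenize and evaluate only integers and + - * with normal
// precedence. Anything outside that grammar throws instead of executing.
function answerSafely(statement) {
  const tokens = statement.match(/\d+|[+\-*]/g);
  // Re-joining the tokens must reproduce the input exactly; this rejects
  // whitespace, semicolons, parentheses, identifiers and so on.
  if (!tokens || tokens.join('') !== statement) {
    throw new Error('captcha statement contains unexpected characters');
  }
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const term = () => {
    const t = next();
    if (!/^\d+$/.test(t)) throw new Error('expected a number');
    return Number(t);
  };
  const product = () => { // '*' binds tighter than '+' and '-'
    let v = term();
    while (peek() === '*') { next(); v *= term(); }
    return v;
  };
  const sum = () => {
    let v = product();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = product();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  };
  const result = sum();
  if (pos !== tokens.length) throw new Error('trailing tokens in captcha statement');
  return result;
}

// Server-side store keyed by captchaId. The client receives the id and the
// statement and later submits only the id and its answer; there is no path by
// which a client-supplied statement reaches an evaluator.
function issueCaptcha(store, rng = Math.random) {
  const captcha = buildCaptcha(rng);
  const captchaId = store.size + 1;
  store.set(captchaId, { captcha, answer: answerSafely(captcha) });
  return { captchaId, captcha };
}

function verifyCaptcha(store, captchaId, submitted) {
  const entry = store.get(captchaId);
  return entry !== undefined && Number(submitted) === entry.answer;
}
```

The contrast to notice is that `answerWithEval("1+1; 'injected'")` happily returns `'injected'`, i.e. arbitrary attacker code ran, while `answerSafely` refuses the same input before anything is evaluated. The parser is the cheap fix for the computation; removing any client-controlled route into it (the hidden parameter the issue proposes) is the fix for the endpoint.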
Top GitHub Comments
I like the general challenge idea. It's pretty plausible that a developer would use eval to calculate such an arithmetic riddle.
But I also agree with Björn that we already have two similar challenges around RCE, so it's probably not worth it to add another one.
What would be a real addition would be to have an example of how to set up a proper reverse shell using one of the existing RCE challenges, similar to the shaker logger demo. Might be hard to do because the RCEs are somewhat protected from actually doing real harm.

We already have two types of CAPTCHA challenges (on the Data Export and Customer Feedback screens) and also two challenges where `eval` is involved, so I wouldn't really go for another one to be honest. What is your opinion on that, @J12934 / @wurstbrot?