ctfweblfijwtssrfsqlirce

Continue Y/N — Cyber Maze Challenge V25


Continue Y/N — Cyber Maze Challenge V25

This challenge chains Local File Read, JWT forgery for admin escalation, SSRF, and SQL query execution to retrieve the flag.

Recon & Registration

Upon opening the web app we find a simple login/register page. We create an account with random creds and log in.

Login page Dashboard after login

File Upload & Directory Traversal

We discover we can upload files and download them.

Upload feature Download feature

We intercept the download request with Burp.

Burp interception Download request

We try changing the filename to flag.txt — no such file. We try a non-existent file to trigger an error.

Flag.txt attempt Error message

The error leaks the path routers/main.js. The filter strips ../ but can be bypassed with ....// — the inner ../ gets removed, leaving ../.

Path traversal bypass Bypass payload

Source Code Analysis

We successfully retrieve routers/main.js:

Main.js output

Key findings from the source:

  • JWT secret in helpers/JWTHelper.js: C3n7uRY0uN20********
  • Admin middleware restricts certain routes
  • SSRF via SMS test API
  • SQL execution endpoint at /api/sql/exec requiring admin + localhost + password

JWT Forgery

We find the JWT secret:

JWT secret

Using JWT Auditor we forge a new token with username admin:

JWT forgery

Replace the session cookie and we’re admin.

Admin dashboard

Admin Panel & SSRF

The admin panel has SQL terminal and SMS config:

Admin panel

SQL terminal requires localhost access:

SQL terminal

We go to SMS config:

SMS config

Intercept the test connection request:

SMS test request

We test for SSRF with a netcat listener and confirm it works.

SSRF confirmed

The LocalMiddleware checks remoteIp !== '127.0.0.1' && hostHeader !== '127.0.0.1:4002'. We set the URL to http://127.0.0.1:4002:

Localhost bypass

SQL Execution via SSRF

We use the SMS test API to POST to /api/sql/exec — first gets access denied, so we add our admin session token in headers.

SQL exec with session

We need the SQL password from config.js: d7aXhuL4ZKKwyuES7UNutrEq

SQL exec with password

RCE & Flag

The execQuery function allows running system commands via SELECT * FROM \whoami`` syntax with a whitelist of allowed commands.

We run commands to find and read the flag.

Flag: CM{example_flag} (placeholder — actual flag redacted)