Continue Y/N — Cyber Maze Challenge V25
Continue Y/N — Cyber Maze Challenge V25
This challenge chains Local File Read, JWT forgery for admin escalation, SSRF, and SQL query execution to retrieve the flag.
Recon & Registration
Upon opening the web app we find a simple login/register page. We create an account with random creds and log in.
File Upload & Directory Traversal
We discover we can upload files and download them.
We intercept the download request with Burp.
We try changing the filename to flag.txt — no such file. We try a non-existent file to trigger an error.
The error leaks the path routers/main.js. The filter strips ../ but can be bypassed with ....// — the inner ../ gets removed, leaving ../.
Source Code Analysis
We successfully retrieve routers/main.js:
Key findings from the source:
- JWT secret in
helpers/JWTHelper.js:C3n7uRY0uN20******** - Admin middleware restricts certain routes
- SSRF via SMS test API
- SQL execution endpoint at
/api/sql/execrequiring admin + localhost + password
JWT Forgery
We find the JWT secret:
Using JWT Auditor we forge a new token with username admin:
Replace the session cookie and we’re admin.
Admin Panel & SSRF
The admin panel has SQL terminal and SMS config:
SQL terminal requires localhost access:
We go to SMS config:
Intercept the test connection request:
We test for SSRF with a netcat listener and confirm it works.
The LocalMiddleware checks remoteIp !== '127.0.0.1' && hostHeader !== '127.0.0.1:4002'. We set the URL to http://127.0.0.1:4002:
SQL Execution via SSRF
We use the SMS test API to POST to /api/sql/exec — first gets access denied, so we add our admin session token in headers.
We need the SQL password from config.js: d7aXhuL4ZKKwyuES7UNutrEq
RCE & Flag
The execQuery function allows running system commands via SELECT * FROM \whoami`` syntax with a whitelist of allowed commands.
We run commands to find and read the flag.
Flag: CM{example_flag} (placeholder — actual flag redacted)