Nahamsec recently created a CTF when he reached 30k Twitter followers. The only information he gave was here, so there wasn’t really much to go on. This is my write-up; I decided to send my write-up like a bug report. This style of course does not tell the time wasted looking in all the wrong spots, like doing steganography on the JPEG in the above link, or digging on all the wrong server/endpoints.
—————————————————————————————————–
Hello,
I’ve found a sensitive information disclosure in the API running on http://api-admin.nahamsec.net. Using leaked credentials I was able to access the secret ‘flag’ variable which is obviously a huge risk.
Steps to reproduce
1) Go to https://censys.io/certificates and search for nahamsec.net, which shows the following certificate: https://censys.io/certificates/2e693fc043379439aeadcce1a9ace91f70e707de616f434215c2010252315098
Notice how it’s valid for the subdomain 30kftw.nahamsec.com
2) Go to http://30kftw.nahamsec.net/ (not https!). The admin area is only allowed from the intranet, but this is easily bypassed by using the X-Forwarded-For header with the correct endpoint, like this:
GET /admin/ HTTP/1.1
Host: 30kftw.nahamsec.net
X-Forwarded-For: 127.0.0.1
Which gives the following reply:
‘Oh!, looks like we have moved our api services to api-admin.nahamsec.net’
3) Go to http://api-admin.nahamsec.net, which returns 404 Not Found.
4) Go to https://github.com/garagosy/nahamsecCTF2020/blob/master/api.py
There are two issues here: first, api.py leaks full credentials, and second, the earlier commit #4a0dc54 leaks the path doc='/swagger'. Note down both.
5) Go back to http://api-admin.nahamsec.net/swagger (the path from step 4). We now have access to the top secret Get_Flag API.
Initially both API endpoints return 500 Internal Server Error, but /api/getflag also accepts GET requests, which return Unauthorized Access with this header:
WWW-Authenticate: Basic realm="Authentication Required"
This means the endpoint expects HTTP Basic authentication.
6) Make the following curl request to the API endpoint from step 5 (with the credentials from step 4):
curl -u BugHunters:4dawin -X GET "http://api-admin.nahamsec.net/api/getflag" -H "accept: application/json"
Result:
{ "Flag_is": "You are such a guru!, send this to winner@nahamsec.dev" }
Impact
Exposure of the secret Flag variable which can spell untold disaster for your company.
Remediation
1) http://30kftw.nahamsec.net/admin/ should not allow bypassing via the X-Forwarded-For header.
2) Remove credentials and path leak at https://github.com/garagosy/nahamsecCTF2020/
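As an added illustration of remediation item 1 (this is example code, not the CTF's api.py or Nahamsec's server), here is the bypassable intranet check beside a version that only honours X-Forwarded-For when the TCP peer is a configured reverse proxy; the proxy address and networks are assumed values.

```python
import ipaddress

# Constructed values for this example; not taken from the CTF target.
INTRANET = ipaddress.ip_network("127.0.0.0/8")
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # assumed reverse proxy


def vulnerable_is_intranet(remote_addr, headers):
    """The bypassable check: whoever sends X-Forwarded-For picks the address."""
    claimed = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    return ipaddress.ip_address(claimed) in INTRANET


def client_ip(remote_addr, headers):
    """Return the address that access control should be based on.

    X-Forwarded-For is only honoured when the TCP peer is one of our own
    proxies, and then the rightmost hop that is not a trusted proxy is used,
    because every hop to its left could have been written by the client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is untrusted input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the proxy itself
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def hardened_is_intranet(remote_addr, headers):
    """Same policy as above, but evaluated on the resolved client address."""
    return client_ip(remote_addr, headers) in INTRANET
```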