PwnSec Shop Web Challenge Write-Up - PwnSecCTF 2024
This is a write-up for the web challenge I wrote for PwnSec CTF 2024.
PwnSec Shop
Files: pwnsec-shop.zip
After reviewing the source code of the shop, we find that it implements RBAC (Role Based Access Control) with four roles: admin, vendor, customer, and guest. Each role has specific permissions on the different models: product, order, user, and productRequest.
A user can register as a customer or as a vendor.
A vendor can submit a new product for admins to approve.
Users can change their password in /profile
When reviewing the source code for the change-password functionality, we can see that it accepts any parameter sent in the request body and writes it straight into the user entry (a mass-assignment bug). This means that instead of sending password=newPassword we can send role=admin to change our own role and gain access to the admin functionality.
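The bug class described above, as an added example that is not the challenge's source code: a change-password handler that copies the whole request body onto the user record, next to a version that only accepts the one field the endpoint exists to change. The handler is written as plain functions with a constructed in-memory user so it runs without a web framework; the field names password and role come from the write-up, everything else (function names, the minimum length check) is assumed.

```javascript
// Constructed in-memory user record standing in for the database row.
function makeUser() {
  return { id: 1, username: 'alice', password: 'old', role: 'customer' };
}

// Vulnerable: every key in the request body is copied onto the user entry,
// so a body of {role: 'admin'} rewrites the role along with (or instead of)
// the password.
function changePasswordVulnerable(user, body) {
  Object.assign(user, body);
  return user;
}

// Hardened: an allowlist of exactly the fields this endpoint may change.
// Unexpected keys are rejected rather than silently dropped, so a client
// sending role=admin gets an error instead of a quiet no-op.
function changePasswordSafe(user, body) {
  const allowed = new Set(['password']);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) throw new Error(`unexpected field: ${key}`);
  }
  if (typeof body.password !== 'string' || body.password.length < 8) {
    throw new Error('password must be a string of at least 8 characters');
  }
  user.password = body.password; // hash before storing in real code
  return user;
}

// Replays the escalation against both handlers and reports the outcome.
function demo() {
  const escalated = changePasswordVulnerable(makeUser(), { role: 'admin' });
  let blocked;
  try {
    changePasswordSafe(makeUser(), { role: 'admin' });
    blocked = false;
  } catch (e) {
    blocked = true;
  }
  return { escalatedRole: escalated.role, blocked };
}
```

The same pattern applies to ORM helpers such as update(req.body) or a model constructor fed the raw body: pick the fields out explicitly, and treat role, isAdmin and similar privilege columns as never client-writable on any endpoint.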
After logging in again, we can see the new admin pages in the navigation bar.
In /admin/product-photos an admin can view all product image files on the server. Opening one of them, we notice a parameter called file in the URL.
Checking the source code for this functionality, we can see that it uses the file parameter without any validation, so we can try path traversal to read /flag.txt:
/admin/product-photos/view?file=../../../../../../../../../../flag.txt