Directory traversal in insecure Vitepress development server leads to information disclosure through SSRF
Description
I made a mobile (apple watch miniminimini series 1337) viewer on my personal server.
http://baby-developer.chal.acsc.asia:8888/
ssh baby-developer.chal.acsc.asia -p2222
Solution
There is a genflag server which you are supposed to reach via SSRF.
However, the remote address and User-Agent are checked, so you can't hit it directly from mobile-viewer.
mobile-viewer renders the requested pages as screenshots.
```python
from flask import Flask, request

app = Flask(__name__)

# Expected requester address; defined elsewhere in the challenge source (not shown on this page).
dev = "<mobile-viewer address>"


@app.route('/flag')
def hello_world():
    # The flag is served only when the request comes from the internal address
    # *and* the User-Agent is not the iPhone one that mobile-viewer sends.
    if request.remote_addr == dev and 'iPhone' not in request.headers.get('User-Agent'):
        with open('/flag', 'r') as fp:
            flag = fp.read()
        return flag
    else:
        return "Nope.."
```
From mobile-viewer, we need to make the website host request http://genflag/flag. This can be done with /home/stypr/readflag on website.
Refer to the website source. The website server runs yarn dev, which runs vitepress dev src.
Vitepress is therefore running in dev mode. I found that this enables CORS, which lets a page on another origin read responses and exfiltrate data (a CSRF-style cross-origin read). Furthermore, I found a path traversal vulnerability in the dev server, which allows reading the SSH key: http://website/../../../../../home/stypr/.ssh/id_rsa
From mobile-viewer, we can make a request to our attacker site, which contains:
Get the private key and SSH into the server to get the flag: