Opening the given URL, we find a web shop.
If we open the items, we see URLs like http://staywoke.hax1.allesctf.net/products/3. Iterating over the numeric ID reveals a product that is not listed in the shop: product 1 (http://staywoke.hax1.allesctf.net/products/1) is called flag.
In the banner we find a 20% coupon. It is possible to add up to ten items to the shopping cart and apply the coupon. The coupon is added to the cart as an item with a fixed value of 20% of the cart total at the moment it is applied. We can therefore add items to the cart, apply the coupon and then remove the items again, which leaves a bill of €-2. The coupon is not valid for the flag item, and €-2 is the maximum we can get.
Now we take a look at the checkout procedure. There is a parameter paymentEndpoint which leads to server-side request forgery (SSRF), but we are not able to make the server connect to a site we host ourselves.
payment=w0kecoin&account=1&paymentEndpoint=http://payment-api:9090/
If we insert an invalid endpoint like http://payment-api:9090/a, we get the following error message.
Error from Payment API: "Cannot GET /a/wallets/1/balance\n\nTry GETting /help for possible endpoints."
To query the help endpoint we have to cut off the part that the application appends to our paymentEndpoint. This can be achieved by appending a ?, so everything the application appends is handled as the query string instead of the path. Using http://payment-api:9090/help? results in the following output.
Error from Payment API:
{
"endpoints": [
{"method":"GET","path":"/wallets/:id/balance","description":"check wallet balance"},
{"method":"GET","path":"/wallets","description":"list all wallets"},
{"method":"GET","path":"/help","description":"this help message"}
]
}
We can list the wallets with http://payment-api:9090/wallets? and get the following response.
Error from Payment API: [{"account":"1337-420-69-93dcbbcd","balance":133500}]
We find one account with a balance of 133500, i.e. €1335. The flag costs €1337, so we first have to apply the €2 discount described above to be able to buy the flag item.
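The paymentEndpoint concatenation and the ? truncation described above, modelled as an added example beside a hardened version of the same URL building (constructed here, not the challenge's or the writeup's code; the allowlisted host and the route template are assumptions):

```python
from urllib.parse import urlsplit

# Constructed model of the checkout's paymentEndpoint handling (not the
# challenge's own code). The server appends a fixed route to whatever the
# client supplied in paymentEndpoint and fetches the result.

def naive_balance_url(payment_endpoint: str, account: str) -> str:
    """Vulnerable form: plain string concatenation of client input."""
    return payment_endpoint + "/wallets/" + account + "/balance"

def path_seen_by_api(url: str) -> str:
    """The route the payment API actually matches. Everything after the
    first '?' is the query string, so a '?' in the endpoint swallows the
    appended route and the client ends up choosing the path."""
    return urlsplit(url).path

# Assumption: the only legitimate payment backend is the internal one.
ALLOWED_ENDPOINTS = {("http", "payment-api:9090")}

def safe_balance_url(payment_endpoint: str, account: str) -> str:
    """Hardened form: parse the endpoint, allowlist scheme and host, reject
    any path, query or fragment, validate the account id, and build the
    final URL from a fixed template instead of concatenating user input.
    (The cleanest fix is to not accept the endpoint from the client at all.)"""
    parts = urlsplit(payment_endpoint)
    if (parts.scheme, parts.netloc) not in ALLOWED_ENDPOINTS:
        raise ValueError("payment endpoint host not allowed")
    if parts.path.strip("/") or parts.query or parts.fragment:
        raise ValueError("payment endpoint must be a bare base URL")
    if not account.isdigit():
        raise ValueError("account id must be numeric")
    return f"{parts.scheme}://{parts.netloc}/wallets/{account}/balance"

def endpoint_accepted(payment_endpoint: str, account: str = "1") -> bool:
    """True if the hardened builder accepts the endpoint, False if it rejects it."""
    try:
        safe_balance_url(payment_endpoint, account)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for ep in ("http://payment-api:9090/", "http://payment-api:9090/a",
               "http://payment-api:9090/help?", "http://payment-api:9090/wallets?"):
        url = naive_balance_url(ep, "1")
        verdict = "accepted" if endpoint_accepted(ep) else "rejected"
        print(f"{ep:34} -> API path {path_seen_by_api(url)!r:24} hardened: {verdict}")
```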