ASIS Web Mail

ASIS CTF

Task: access an admin-only FLAG bucket in a microservices webmail application. Solution: exploit CRLF injection in a Go binary's http+post:// URL handler that URL-decodes the path before raw TCP, smuggling HTTP requests with X-User-Id:999 admin header to the internal ObjectStore.

flask ssrf postgresql header_injection nginx gunicorn crlf_injection http_request_smuggling go_binary_reversing microservices xml_parsing url_decoding

SSRF via custom URL scheme (http+post://)CRLF injection through URL-decoded pathHTTP Request Smuggling to inject admin headersGo binary reverse engineering for protocol analysisMicroservices architecture exploitation

$ ls tags/ techniques/

flask ssrf postgresql header_injection nginx gunicorn crlf_injection http_request_smuggling go_binary_reversing microservices xml_parsing url_decoding

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Board of Secrets Revenge— miptctf
[web][Pro]board_of_secrets— miptctf
[web][Pro]Lab 307 — CrewHub — File Upload RCE via Polyglot JPG/PHP— hackadvisor
[web][Pro]Lab 109 — TaskForge — IDOR in Account Settings API— hackadvisor
[web][Pro]Lab 153 — FlowDesk — CSRF Account Takeover via Email Change— hackadvisor