webPromedium

Bug Bounty-code

hackerlab

Task: Flask web app with user registration/login where is_admin is hardcoded to false; user input is concatenated into JSON without escaping. Solution: inject closing quote and additional is_admin key into password field, exploiting Python json.loads() duplicate-key-last-wins behavior to escalate to admin.

$ ls tags/ techniques/

flask authentication_bypass python base64 werkzeug privilege_escalation parameter_pollution json_injection bbcode

json_string_injection_via_unescaped_inputduplicate_json_key_exploitationprivilege_escalation_to_adminhidden_hint_discovery_base64_in_bbcode

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Состояние 0x7F— hackerlab
[web][Pro]Лысина админа (Admin's Bald Head)— duckerz
[web][Pro]Привилегированный гость (Privileged Guest)— hackerlab
[web][Pro]Dosie X (Dossier X)— hackerlab
[web][Pro]SQLAlchemist— miptctf