Frost Tower Website Checkup
Information
FrostFest - Jack's Studio
Difficulty: 5/5
Investigate Frost Tower's website for security issues. This source code will be useful in your analysis. In Jack Frost's TODO list, what job position does Jack plan to offer Santa? Ribb Bonbowford, in Santa's dining room, may have some pointers for you.
- Site: https://staging.jackfrosttower.com/
- Source Code: https://download.holidayhackchallenge.com/2021/frosttower-web.zip
- Tremendously: https://www.npmjs.com/package/express-session
- Valuable: https://github.com/mysqljs/mysql
Solution
OK, I started looking through the code and saw a few SQL references, such as the email entry, but the input was run through escape(). The code for /detail/:id didn't look escaped at first, but on closer inspection I think it is.
I realized that if I submitted the contact page, I would then be able to see that information reflected when I went to the correct id at /details/:id.
Hm, looks like PowerShell is installed on this machine?
Yup.
I ran out of time and did not complete this objective.