top of page
  • Writer's pictureDonald Ashdown

Hack the Box - WEB - Juggling facts

Updated: Feb 8


An organization seems to possess knowledge of the true nature of pumpkins. Can you find out what they honestly know and uncover this centuries-long secret once and for all?

Solution Summary
  1. Enumerate web application

  2. Discover CVE Versions

  3. Source code review

  4. Exploitation


1) Enumerate web application

We start by reviewing the web application. It appears as a basic web application with only 3 user facing objects that appear to be interactive.

Clicking on the 'Secret Facts" link brings us to an interesting page where it appears that there are resources "Secrets" which can only be access by an administrator.

2) Discover Version CVE

We have three dependencies to review.

  1. Express 4.17.1

  2. flat 5.0.0

  3. pug 3.0.0

The express framework is a web framework for node.js, a JavaScript framework that executes server side code outside of the web browser. It allows developers to write command line arguments and functions, allowing the JavaScript environment processing to happen in the back end and the final product served up to the client. This also reduces the attack surface for web application javascript enumeration and identification. We also learn that out version is fairly up to date, and the available of public and applicable CVE's will be limited.

Flat is a JavaScript package that allows you to take a nested JavaScript object of arrays and flatten it, or unflatten an object with delimited keys. So you could take a nested JavaScript objects and remove the nesting to have everything in one array, until you decide to unflatten it. We see that our version is 5.0.0, while the active version is 6.0.0. This opens the attack surface to useable CVE's

Pug is a high performance template engine implemented with javascript for node.js and browsers. The most current version is 3.0.2 and our target machine is 3.0.0 so we are unlikely to find known CVE's.

Having looked at the above dependencies, it is safe to say the more of a current version gap that exists, therefore public CVE's may be available. With this being said, the flat dependency has our largest version gap and will be our next focus.

3) Source Code Revi

Source Code Review Summary

Our target application is has a secrets section on the webpage that we don't have permissions to access. Analyzing the source code reveals that the php application is looking for data type "secrets", and not a remote address in order to reveal the flag.

If I understand correctly, PHP Type Juggling is the attack surface, as there was not a strict comparison "===" that came after the initial if statement, right before the switch case where "secrets" can be found.

I found source code review to be time consuming and can often send me in multiple directions. For this challenged I started high level with the index file seen below. The index file contains interesting variables, functions, credentials, and workflow data.

Firstly, the user root and the corresponding password. This is probably so we can setup the lab locally for testing via the docker file that was provided with the challenge.

Secondly is the controller and model directory found in the function spl_autoload_register.

Thirdly is the variables $database and $router. When conjoined with the api workflow that we can identify in the $router variable, we should be narrowing down our attack surface.

Eventually you will make your way across the "Index Controller(.)php file which will provide us our next step in this challenge. I can break down the below code into 4 important points.

  1. The function is looking for data, I suspect this is user input. public function getfacts($router)

  2. The if statement is checking if the user input is type secrets AND the remote address is a local host. The local host part I think is geared towards the provided files which allow us to spin up a local service via Docker. Here we do not have a vulnerability as the strict type comparison was used "===". if ($jsondata['type'] === 'secrets' && $_SERVER['REMOTE_ADDR'] !== '')

  3. A switch case is defined based on user input. However, there is no vulnerability as "===" and "!==" are strict comparisons. switch ($jsondata['type'])

  4. This is where the magic happens. We actually don't have vulnerable code in the traditional sense as it relates to PHP. What we instead have is a switch case misconfiguration. While I didn't realize this until I had finished solving the challenge and asked around for help as I was confused why my solution worked.

Having found that there is a route to 'secrets' but we don't know what it is. Further exploring into the "" file which is a file that runs with the docker container at start reveals it holds the flag.

4) Exploitation

6 views0 comments
bottom of page