• Tue. Mar 2nd, 2021

Objective 8 – Broken Tag Generator

Byscrewtopkittens

Jan 18, 2021 ,

For the broken tag generator the first step is to load up a burp proxy and try uploading pictures/ non pictures and look at the results. When uploading an erroneous file we get the following error screen:

And when we upload a successful image we get a get request to the uploaded image https://tag-generator.kringlecastle.com/image?id=<FILENAME.PNG> which loads the picture file from the id parameter. This made me think maybe we could perform directory traversal using this so I ran the following curl https://tag-generator.kringlecastle.com/image?id=/../../../app/lib/app.rb this provided the ruby source code.

Looking in the source code I could see that validation on the images API call had been commented out.

This explains the directory traversal. So the original request had been to obtain the value of GREETZ so I thought to keep it simple and first try grab this from the tmp directory as that is where uploads are stored this proved to provide the answer.

References

https://tag-generator.kringlecastle.com
https://portswigger.net/web-security/file-path-traversal

Scroll Up