BugPoC Hack The Amazon Interview CTF — Memory Leak Challenge

This is my first attempt at a BugPoC challenge.

Goal: Find the SECRET_API_KEY!!!


Then, as usual, I did some recon on the page and found nothing apart from two seemingly useless endpoints: one is a common, non-vulnerable “/ping” endpoint; the other, “/heapdump”, sounded interesting but answered “401 Unauthorized”:

I started manual testing by reviewing the script.js file, which told me two important things:

  • The APIs are used by sending two custom headers to the back-end server, x-param and x-fingerprint, both of which are encrypted.
  • There is an interesting endpoint, “/fingerprint”, which returns a new encrypted fingerprint value every time it is called.

A request with one of the provided PARAMS values returns the path queried on the back end, the status code, and the body value in the response:

I tried to request the back-end path directly, but the server denied access as expected, responding with Error, this endpoint is only internally accessible.

So I knew that the only way to query something juicy from the back end (possibly the SECRET_API_KEY) was through the x-param and x-fingerprint headers, provided they were processed successfully.

At first I researched the encryption of these values, trying to crack it so that I could change them to whatever I wanted the back end to process. However, it was hopeless! T.T

While fuzzing with many values of x-param and only ever receiving the same message, ERROR: Unable to Decrypt (meaning that the back end only processes a request when it can decrypt the ciphertext), there was a spark in my mind: x-fingerprint is also valid encrypted text!!! I gave it a shot, copied the x-fingerprint value into x-param and sent the request to see what would happen. And yeah, that was an important shot that opened the gate to the solution!!!

Of course, there was no more ERROR: Unable to Decrypt: the server processed the request successfully, and the fingerprint value changed the path requested on the back end, replacing it with the value of my request's User-Agent. The big conclusion here: the x-fingerprint value is the encrypted text of the request's User-Agent.

Now the interesting “/fingerprint” endpoint found above came into play. I changed the User-Agent value and requested a new fingerprint

and put that value into the x-param of the request to “/get-dogs”:

As you can see, our controlled value was truly reflected in the path’s value.

Since I could control the path requested on the back end, I considered whether I could traverse back to the “/” directory and request the “/ping” endpoint. Unfortunately, the dot-dot-slash was removed before the path was passed to the back end:

Request to get the encrypted text of {"UA": "/../ping"}
Request to parse the encrypted text above as the param

I began trying to bypass the filter and found that the server only removes the first occurrence of the dot-dot. This was confirmed by a request with four dots.

However, the result was not quite right, since one slash was missing. Using the same technique, I put in one more slash and YEAH! (^▽^)

Got the body value “Healthy Connection” — the same as GET /ping
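To show the defender's side of this bypass, here is an added example (not code from the challenge or from BugPoC) that contrasts a strip-once filter with a normalize-then-check filter. The strip-once function is an assumed model of the behaviour the writeup observed (only the first dot-dot removed), not the challenge's actual code, and the /api/v1 prefix is a constructed value.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example prefix; the challenge's real back-end prefix is not known.
BACKEND_BASE = "/api/v1"


def strip_once(path: str) -> str:
    """Weak filter: drop only the first '../'.

    Assumed model of the behaviour seen in the writeup (a single dot-dot
    removed), not the challenge's actual code. A second '../' survives.
    """
    return path.replace("../", "", 1)


def safe_backend_path(path: str, base: str = BACKEND_BASE) -> Optional[str]:
    """Hardened filter: decode, normalise the whole path, then require the
    result to stay under `base`. Returns the resolved path, or None when the
    request would escape the allowed prefix."""
    decoded = unquote(path)                   # so %2e%2e cannot hide a '..'
    joined = posixpath.join(base, decoded.lstrip("/"))
    resolved = posixpath.normpath(joined)     # collapses '..', '.' and '//'
    if resolved == base or resolved.startswith(base + "/"):
        return resolved
    return None


if __name__ == "__main__":
    # Inputs follow the writeup's progression: blocked, four dots, extra slash.
    for p in ["/dogs", "/../ping", "/..../ping", "/....//ping", "/%2e%2e/ping"]:
        print(f"{p!r:16} strip_once -> {strip_once(p)!r:12} "
              f"safe -> {safe_backend_path(p)!r}")
```

The four-dot input with an extra slash leaves a working "/../ping" after the weak filter, while the hardened filter resolves the whole path first and either keeps it under the base or rejects it.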

I could now request anything under “/”, but didn’t know what to get from the back end. Then I remembered the restricted endpoint “/heapdump?” found earlier. Let’s see what is in it:

Response: heapdump data containing SECRET_API_KEY

Eventually, there was what we needed: SECRET_API_KEY with the value flag{gr8_job_h@cker} in the response from "/heapdump?".

BugPoC Proof-of-Concept:

BugPoC ID: bp-sAODin9E

Password: vIbRaNTbAt83

I also created a one-click exploit BugPoC Python script that creates a new exploit param and sends it:

BugPoC ID: bp-Ox6FCgVX

Password: MOdUlaRFroG67