Cyber Apocalypse 2022 — Blinker Fluids
Blinker Fluids was a Web challenge in Cyber Apocalypse 2022.
The challenge files could be downloaded, and to retrieve the flag we had to exploit a running instance.
The vulnerability
The vulnerability we had to exploit is CVE-2021-23639, which has a CVSS score of 9.8. The following links describe the vulnerability:
Developing the exploit
Because we had the source, I was able to spot the vulnerable code. I modified it so that it uses the payload as the Markdown input:
After running it by creating a new PDF in the web UI, the RCE worked.
Next I removed the modification and captured the request with Burp Suite. Then I put the payload into the body:
After opening the PDF file, there was just the text “RCE”:
And the RCE worked!
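From the defending side, the root cause is that gray-matter, which md-to-pdf uses to read a document's front matter, evaluates a front-matter block whose opening line selects the js engine. The following is an added example (not from the write-up or from the md-to-pdf project) that screens incoming Markdown for such a block and shows gray-matter options that neutralise that engine; the "---" delimiter and the "js"/"javascript" alias names are assumptions about gray-matter's defaults.

```javascript
// Added example, not code from the write-up or from md-to-pdf.
// Assumptions: gray-matter's default "---" delimiter and its js/javascript aliases.

const EXECUTABLE_ENGINES = new Set(['js', 'javascript']);

// Returns the engine name declared on the front-matter opening line ('yaml' when
// none is given), or null when the document has no front matter at all.
function frontMatterEngine(markdown, delimiter = '---') {
  const text = markdown.replace(/^\uFEFF/, '');          // ignore a UTF-8 BOM
  const firstLine = text.split(/\r?\n/, 1)[0];
  if (!firstLine.startsWith(delimiter)) return null;
  // "----" is a horizontal rule, not an opening delimiter
  if (firstLine.charAt(delimiter.length) === delimiter.slice(-1)) return null;
  const lang = firstLine.slice(delimiter.length).trim().toLowerCase();
  return lang === '' ? 'yaml' : lang;
}

// Screening check: a document that declares a code-executing engine is rejected
// before any parser sees it; plain YAML/JSON front matter and no front matter pass.
function isSafeMarkdown(markdown) {
  const engine = frontMatterEngine(markdown);
  return engine === null || !EXECUTABLE_ENGINES.has(engine);
}

// Defence in depth for the gray-matter call itself: an engine supplied as a
// function is used as that language's parser, so these stubs turn "js" front
// matter into an empty data object without evaluating it. Both alias spellings
// are overridden (assumed usage: grayMatter(markdown, SAFE_GRAY_MATTER_OPTIONS)).
const SAFE_GRAY_MATTER_OPTIONS = {
  engines: { js: () => ({}), javascript: () => ({}) },
};

// Constructed samples: an ordinary YAML document and one that selects the js engine.
const SAMPLE_YAML = '---\ntitle: Blinker fluid invoice\n---\n# Invoice\n';
const SAMPLE_JS = '---js\n{ note: "parsed, not evaluated" }\n---\n# Invoice\n';
```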
Getting the flag
From the Dockerfile, which builds the Docker container for the challenge, we could see that the flag is located in /flag.txt. Next I started an HTTP server on localhost:8000 and forwarded it with Ngrok so that it is reachable from the Internet. Finally I used the following payload, so the vulnerable web app reads the flag and sends it to my web server:
I intercepted the request for creating the PDF and added the payload to the request body:
After that I was able to retrieve the flag. Please note that the curly braces are missing:
HTB{bl1nk3r_flu1d_f0r_int3rG4l4c7iC_tr4v3ls}