Equestria

[★★☆] Equestria - Door To The Stable

Description

We suspect that the website at http://exp.cybergame.sk:7000/ is hiding something. We need to find out what is hidden on the website. We've gathered what seems to be a proxy configuration file from our trusted source.

Download: nginx.conf

Config

events {
    worker_connections 1024;
}

http {
    include mime.types;

    server {
        listen 80;
        server_name localhost;

        root /app/src/html/;
        index index.html;

        location /images {
            alias /app/src/images/;
            autoindex on;
        }

        location /ponies/ {
            alias /app/src/ponies/;
        }

        location /resources/ {
            alias /app/src/resources/;
        }

        location /secretbackend/ {
            proxy_pass http://secretbackend:3000/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}

Solution

Screenshot: Equestria_Door_To_The_Stable.png

Nothing fancy on the frontend, but there's a reverse proxy running at http://exp.cybergame.sk:7000/secretbackend/

However, it requires authentication.

Screenshot: Equestria_Door_To_The_Stable-1.png

The nginx.conf has four location blocks, i.e. four routes that map somewhere other than the document root.

If you look closer you might notice that /images is missing a trailing slash while its alias ends with one. This is a well-known nginx misconfiguration called Nginx Off-By-Slash: a prefix location without a trailing slash also matches /images../, and the alias turns that into /app/src/images/../, which normalises to the parent directory /app/src/. The fix is to give the prefix and the alias matching trailing slashes (location /images/).

And just like that, we bypassed the authorization.

Screenshot: Equestria_Door_To_The_Stable-2.png

Download source

db.js contains hardcoded database credentials. One of the users has a SECRET_NOTE, which should probably be the flag for this challenge.

Screenshot: Equestria_Door_To_The_Stable-3.png

or not...

Screenshot: Equestria_Door_To_The_Stable-4.png

[★★☆] Equestria - Shadow Realm

Description

The secret website is protected by a login page. Can you find a way to get in?

Solution

This is a follow-up to the previous challenge: now we have to log in to the application and find another flag.

Creds: pr1ncess:SK-CERT{0ff_by_4_s1ngle_sl4sh_f836a8b1}

Screenshot: Equestria.png

The following route is interesting. There's no mention of what the is_d4rk_pr1nc3ss method is, but if we had to guess, it probably means we are logged in as pr1ncess, but not via HTTP Basic Authentication.

The token is not generated if we log in using this secret Authorization value.

We have the code for the JWT, but the secret value is a randomly generated string.

Screenshot: Equestria-1.png

Let's register and log in to see what happens.

After reviewing the code I found that there's a race condition: sendEmailToAdministrator halts the logic of the register API, and we have exactly 1 second to log in to the application before verified becomes false.

Screenshot: Equestria-2.png

Note: not a 110% winner 😳, you may need to rerun to win the race~~
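To make the window explicit, here is an added example (my own reconstruction, not the challenge's source) that models the register handler as a generator: each `yield` stands for an `await`, which is exactly where Node's event loop can serve another request such as a login. The details are assumptions drawn from the writeup: the vulnerable handler stores the user first, awaits the slow sendEmailToAdministrator(), and only afterwards sets verified = false; login succeeds whenever the stored record has verified === true. The hardened variant stores the user as unverified from the start, so no interleaving ever observes a verified account.

```javascript
// Added example, not the challenge's code: a deterministic model of the
// register/login race. Each `yield` in a register handler stands for an
// `await` (the point where another request, such as a login, can run).
// Reconstructed assumptions, not verified against the real source: the
// vulnerable handler stores the user first, awaits sendEmailToAdministrator(),
// and only afterwards sets verified = false; login succeeds whenever the
// stored record has verified === true.

function* registerVulnerable(db, username) {
  // assumption: the record starts out verified (the writeup says verified
  // only "becomes false" after the email step)
  db.set(username, { username, verified: true });
  yield 'await sendEmailToAdministrator()'; // about one second in the challenge
  db.get(username).verified = false;
}

function* registerFixed(db, username) {
  // Never observable as verified: the flag starts false and only an explicit
  // administrator action (not modelled here) would ever set it to true.
  db.set(username, { username, verified: false });
  yield 'await sendEmailToAdministrator()';
}

function login(db, username) {
  const user = db.get(username);
  return user !== undefined && user.verified === true;
}

// Drive `register` until it parks on its `pendingAwait`-th await (0 = the
// first one), serve a login request in that gap, then let register finish.
function loginWhileRegisterAwaits(register, pendingAwait) {
  const db = new Map();
  const gen = register(db, 'newuser');
  let step = gen.next();                                  // run to the first await
  for (let i = 0; i < pendingAwait && !step.done; i++) step = gen.next();
  const loginSucceeded = login(db, 'newuser');            // concurrent request
  while (!step.done) step = gen.next();                   // register completes
  return { loginSucceeded, finalVerified: db.get('newuser').verified };
}

// Sequential baseline: login only after register has fully completed.
function loginAfterRegister(register) {
  const db = new Map();
  for (const _ of register(db, 'newuser')) { /* let every await resolve */ }
  return login(db, 'newuser');
}

console.log('vulnerable, login during email:', loginWhileRegisterAwaits(registerVulnerable, 0));
console.log('fixed, login during email:', loginWhileRegisterAwaits(registerFixed, 0));
console.log('vulnerable, login after register:', loginAfterRegister(registerVulnerable));
```

The model shows why the race is a state-ordering bug rather than a timing bug: the one-second email call merely widens a window that exists because a privileged intermediate state (verified === true) is written to the database before the handler reaches its final state. Writing the restrictive value first, or doing both writes in one transaction, removes the window regardless of how slow the email call is.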


[★★☆] Equestria - The Dark Ruler

Description

There seems to be an endpoint that is only accessible by a privileged user. Can you find a way to access it?

Solution

Okay, now that we are able to log in, our focus shifts to /api/secret-note, the endpoint the description refers to.

Source:

Initially I thought is_d4rk_pr1nc3ss was some hidden attribute we didn't have access to, but no! It literally is a non-existent key in the JSON payload.

The JWT token is split into 3 parts:

  1. Metadata

  2. Payload

  3. Signature

Screenshot: Equestria-3.png

verifyToken returns the payload as a JavaScript object if the signature matches according to the defined logic.

The metadata part is always hardcoded to eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 (base64 for {"alg":"HS256","typ":"JWT"}). Also, I just realized there's no actual JWT library, just raw functions acting like JWT authentication.

verifyToken is very fishy, but I can't seem to put my finger on why.

  1. It checks that the given JWT contains 3 parts, but never checks whether there are more (and frankly doesn't care)

  2. expectedSignature is calculated from JWT_SECRET + parts[parts.length - 2] (the second item from the end, which should always be the payload but can be anything, since parts can have more than 3 elements)

TLDR: We need payload to be like

The code is flawed, and if we have something like this we are golden!

For the above to work we need a valid token from the application, and then we can forge it.


[★★☆] Equestria - Final Curse

Description

The last piece of information we need should be in the notes of one of the users. We need to find it.

Disclaimer: I was not able to solve this within the given time.

Solution

The only code where SQLi is possible is here:

The database is Postgres and the filters are very limited. To begin the SQLi we somehow need to escape the quotes, but we can't, since they're blocked.

Resource: github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md

Turns out it was never about SQL, but Javascript...

Screenshot: Equestria-4.png
Screenshot: Equestria-5.png

Credit: trololo1004 (Discord)

Writeup 2: lukaskuzmiak: cybergame.sk-2025-writeups, Equestria

Flag: `SK-CERT{j4v4scr1p7_1s_full_of_curs3d_(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]] +([][[]]+[])[+[]]+(![]+[])[+[]]+(![]+[])[+[]]}`
