<aside>
“The biggest room in the world is the room for improvement” – Helmut Schmidt
</aside>
<aside> 💡
The Insomnia web challenge involves exploiting an authentication bypass vulnerability in a PHP CodeIgniter application. The login endpoint fails to properly validate JSON request fields, allowing authentication as administrator by sending a request with "username" but omitting "password". This grants access to view the flag in the profile page. The vulnerability stems from improper input validation where the login function only checks for exactly two JSON keys without verifying which specific keys are present.
</aside>
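The key-count check described in the summary above, beside a stricter one, as an added example that is not the challenge's source code. The function names, the sample request bodies and the `other` key are constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not the challenge's source code.

// Flawed check as the summary describes it: only the number of keys is tested.
function validByCount(array $body): bool
{
    return count($body) === 2;
}

// Stricter check: the key set must be exactly {username, password}
// and both values must be non-empty strings.
function validStrict(array $body): bool
{
    $keys = array_keys($body);
    sort($keys);
    if ($keys !== ['password', 'username']) {
        return false;
    }
    foreach ($body as $value) {
        if (!is_string($value) || $value === '') {
            return false;
        }
    }
    return true;
}

// Constructed request bodies; "other" is a placeholder key name.
$samples = [
    'normal login'     => '{"username":"alice","password":"s3cret"}',
    'password omitted' => '{"username":"administrator","other":"x"}',
    'non-string value' => '{"username":"administrator","password":{"a":1}}',
];

foreach ($samples as $label => $raw) {
    $body = json_decode($raw, true);
    if (!is_array($body)) {
        echo "$label: rejected, body is not a JSON object or array\n";
        continue;
    }
    printf(
        "%-17s count-only=%s strict=%s\n",
        $label,
        var_export(validByCount($body), true),
        var_export(validStrict($body), true)
    );
}
```

All three bodies pass the count-only check; only the first passes the strict one.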
Owned Insomnia from Hack The Box!
Pwned
The application runs on PHP 8.1 and Apache web server as described in the Dockerfile.
Dockerfile
In entrypoint.sh, a database named insomnia.db is created with a single table called "user" containing username and password columns. The script then inserts a row with the username "administrator" and a randomly generated password. Additionally, the JWT_SECRET is dynamically generated using OpenSSL. This means that brute-forcing either the administrator password or the JWT_SECRET is not a viable approach.