Commit

json store
nkalupahana committed May 7, 2024
1 parent 811a827 commit 8a4c2f4
Showing 9 changed files with 13 additions and 52 deletions.
20 changes: 12 additions & 8 deletions _posts/2024-05-06-squ1rrel-json-store.md
@@ -1,7 +1,7 @@
---
layout: post
current: post
cover: assets/squ1rrel/nisala/jsonp-store/cover.png
cover: assets/squ1rrel/nisala/json-store/cover.webp
navigation: True
title: "JSON Store"
date: 2024-05-06 09:57:00
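Review bot: the cover front-matter now points at `assets/squ1rrel/nisala/json-store/cover.webp`, which matches the `json-store/` directory used by every other image path in this post and is one of the binaries added in this commit; the old `jsonp-store/cover.png` path is not touched here, so confirm that file is removed or was never committed so a stale asset does not linger in the repo.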
Expand All @@ -11,14 +11,18 @@ subclass: 'post'
author: nisala
---

challenge description
Have you ever wanted to store some JSON data really quickly? Have we got the solution for you!

This challenge has the highest number of solves in web, with 74 solves. I created this challenge because when the `taffydb` exploit dropped a few years ago, I was absolutely amazed. This package was getting millions of downloads a week, and it was insanely vulnerable. I checked on it recently, and it still gets half a million weekly downloads, despite massive warnings all over the internet about its vulnerabilities. I figured this would make for a perfect beginner challenge.

# Step 1: Getting our bearings

The interface for this challenge is pretty simple -- we can enter our username, and store arbitrary un-nested string data in a JSON format with our username. We can store as many JSONs as we want under our username, and they can share keys or have different keys.

We can also query these JSON "rows" (different JSON documents) by submitting another JSON with different keys and their corresponding values, and the website will show all rows that matches the key-value pairs that are specified in this JSON (for the provided username, of course).

![Image of the challenge website](/assets/squ1rrel/nisala/json-store/challenge-site.png)

The data storage and filtering are managed by a package called `taffy`:

```js
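Review bot: `# Step 1: Getting our bearings` is a level-1 heading, while the key-server post in this same commit uses `## Step 1: Getting our bearings`; pick one heading level for sections across the posts. Two wording nits in the new paragraphs: "all rows that matches the key-value pairs" should read "all rows that match", and the package is introduced as `taffydb` in the intro paragraph but as `taffy` everywhere after it, so state once that `taffy` is the npm package name for TaffyDB if that is the intent.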
Expand All @@ -36,9 +40,9 @@ And look, the flag's in there too! But we can't query it directly -- `admin` is

taffy's a weird choice for a database, so there must be a reason it was chosen. Let's Google around for `taffy`.

IMAGE OF SEARCH
![Image of the challenge website](/assets/squ1rrel/nisala/json-store/google.png)

IMAGE OF NPM
![Image of the challenge website](/assets/squ1rrel/nisala/json-store/npm.png)

Well, well, well. What could this be?

Expand All @@ -50,16 +54,16 @@ Amazing. It looks like all we have to query for is the ID of the first element,

Let's try the provided exploit.

IMAGE
![Image of the challenge website](/assets/squ1rrel/nisala/json-store/badexploit.png)

Invalid JSON? Right, because `true` is not a string. Let's change it to `"true"` (filled strings evaluate to true):

IMAGE FLAG
![Image of the challenge website](/assets/squ1rrel/nisala/json-store/goodexploit.png)

And there's our flag.

You can also see that IDs are easily guessable by simply submitting a bunch of data items under your username.

IMAGE
![Image of the challenge website](/assets/squ1rrel/nisala/json-store/guessable.png)

The IDs are sequential, so it's trivial to find the ID of the flag.
The IDs are sequential, so it's trivial to find the ID of the flag, and then request it with the `___s` attribute set.
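Review bot: the four new images again all carry the alt text "Image of the challenge website"; describe each one instead (the rejected exploit input, the successful query showing the flag, the screenshot of sequential IDs). The parenthetical "(filled strings evaluate to true)" would be clearer as "non-empty strings are truthy in JavaScript", since the point being made is that the filter only needs a truthy value where the published exploit used the boolean `true`. The reworked closing line, which now mentions the `___s` attribute, reads well because it ties the sequential IDs back to the query that retrieves the flag.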
45 changes: 1 addition & 44 deletions _posts/2024-05-06-squ1rrel-key-server.md
Expand Up @@ -11,50 +11,7 @@ subclass: 'post'
author: nisala
---

challenge description
Well, my application is finally making it big -- and I've heard that once you get over 10 users, using kubernetes is basically a must. Come check out my microservices!

## Step 1: Getting our bearings

In this challenge, we're presented with a simple "web mutex" interface, that allows us to create and lock a mutex, and unlock it given the pasword we got when we acquired the lock.

TODO INSERT IMAGE

Now, as far as I can tell, there's nothing exploitable at all in this -- the operations are very simple, and there's nothing nefarious going on. The flag is stored in the env, but there's no way to get to it using this simple web server code.

However, if you look in the frontend source, you'll see something very curious: a button that takes you to `/flag`. What happens when you go there?

TODO IMAGE OF NOT FOUND

A "Not Found" page. Boring, right? But what if you go to another URL that shouldn't exist, like `/asdf`?

TODO IMAGE OF ACTUAL 404 PAGE

The 404 page is different... but the `/flag` route isn't in the provided source. What's going on?

Let's try running the web server locally. If you download the ZIP file and run `npm install` and then `node index.js`, and go to `localhost:3000/flag`, here's what you see.

TOOD IMAGE OF NORMAL 404 PAGE

Okay, something really weird is going on. This is a normal 404 page. The tampering is gone!

Clearly, something must've changed in the install step. At this point, there are two ways you might notice what's going on:

1. The `package.json` file has a call to `npm update` in the `preinstall` script, which might be changing the paackages. You can then diff the `package-lock.json` against the one in the ZIP file to see what changed.
2. You might also notice that instead of running `npm install` in the Dockerfile, it runs `npm install --ignore-scripts`, which would skip the `preinstall` `npm update` step. If you run this locally, the weird 404 page shows up. There's definitely something going on with the pacakges, and again, you can diff the `package-lock.json` file.

Diffing this file will show that `express`, despite what `package.json` is telling you, isn't coming from NPM -- it's coming from GitHub. This is an issue with `package.json`. Although typically, when you install a package from GitHub, the source will show up there, it isn't *required* to pass validation when doing a clean install. You can replace it with a simple version number, like it would be with an installation from the NPM registry, and as long as the `package-lock.json` is still there, it'll keep silently installing from GitHub. Even `npm audit` won't show that this is secretly happening.

```json
"node_modules/express": {
"version": "4.19.1",
"resolved": "git+ssh://[email protected]/nkalupahana/express.git#ce12ff3ac1377b0e5f371a77460b3938ae15d63b",
}
```

If we go to this commit of this repo, what do we find?

TODO INSERT DIFF

Without the `pwd` parameter, we get a 404 page. But with it?

TODO INSERT IMAGE OF FLAG
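Review bot: this hunk rewrites the body of the key-server writeup (1 addition, 44 deletions) inside a commit titled "json store"; edits to a second post belong in their own commit so the history shows which post each change concerns. If the key-server draft is restored later, two things in the text shown here need attention: the `package-lock.json` excerpt has a trailing comma after the `"resolved"` entry, which is not valid JSON, and the prose carries the typos "pasword", "paackages", "pacakges" and "TOOD". The supply-chain point itself, a `preinstall` script running `npm update` and `express` resolved from a git URL in `package-lock.json` while `package.json` still shows a plain version and `npm audit` stays silent, is the core of that challenge and worth keeping intact.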
Binary file added assets/squ1rrel/nisala/json-store/badexploit.png
Binary file added assets/squ1rrel/nisala/json-store/cover.webp
Binary file added assets/squ1rrel/nisala/json-store/google.png
Binary file added assets/squ1rrel/nisala/json-store/guessable.png
Binary file added assets/squ1rrel/nisala/json-store/npm.png

0 comments on commit 8a4c2f4