[Web] Plantopia

The following landing page can be seen:
With the credentials given through the challenge description, we get to see the list of plants.
We are also curious about the session data used after logging in.
It’s base64, and the decoded string is:

The session data has a very simple structure. What if we set the 0 value to 1?
We suddenly got an “Admin” button on the dashboard! Checking it out, we can see that it lets us select a plant. Aside from the Admin page, there is also an “API Docs” button, which sends us to the Swagger UI.
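The root cause of the jump from user to admin is that the session blob is plain base64 with no integrity protection, so anyone can decode it, change a field and re-encode it. The example below is added here and is not code from the writeup or the challenge; the decoded layout of the real session is not shown above, so the JSON object with an "admin" flag and the server key are constructed for illustration. It contrasts the unsigned scheme with an HMAC-signed token that rejects the same edit.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: the real decoded session is not reproduced on the page,
# so this layout (a JSON object with an "admin" flag of 0) is an assumption.
SAMPLE_SESSION = {"user": "guest", "admin": 0}
SERVER_KEY = b"constructed-demo-key"  # hypothetical server-side secret


def encode_unsigned(session: dict) -> str:
    """Plain base64 of the JSON session: the scheme the challenge used (no MAC)."""
    return base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()


def decode_unsigned(blob: str) -> dict:
    """Decodes any well-formed blob; the server has no way to tell it was edited."""
    return json.loads(base64.b64decode(blob))


def flip_admin_flag(blob: str) -> str:
    """Model the edit described in the writeup: decode, set admin to 1, re-encode."""
    session = decode_unsigned(blob)
    session["admin"] = 1
    return encode_unsigned(session)


def encode_signed(session: dict, key: bytes) -> str:
    """Hardened form: base64 payload plus an HMAC-SHA256 tag over the payload bytes."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def decode_signed(token: str, key: bytes) -> Optional[dict]:
    """Return the session only if the tag verifies (constant-time compare); None otherwise."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def edit_signed_payload(token: str) -> str:
    """Apply the same admin-flag edit to a signed token while keeping the old tag."""
    payload, tag = token.rsplit(".", 1)
    session = json.loads(base64.urlsafe_b64decode(payload))
    session["admin"] = 1
    new_payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    return new_payload.decode() + "." + tag


def demo():
    """Returns (admin value the unsigned server sees, result of the signed server)."""
    unsigned_result = decode_unsigned(flip_admin_flag(encode_unsigned(SAMPLE_SESSION)))["admin"]
    signed_result = decode_signed(edit_signed_payload(encode_signed(SAMPLE_SESSION, SERVER_KEY)), SERVER_KEY)
    return unsigned_result, signed_result


if __name__ == "__main__":
    print(demo())  # unsigned server accepts admin=1; signed server returns None
```

Signing the session does not hide its contents (the payload is still readable), so it is a fix for the privilege flag being trusted, not for any secrets stored in the blob; a server that needs both should encrypt as well as authenticate.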
As can be seen above, there are numerous API endpoints. However, only two of them matter for us: (1) /api/admin/settings
It looks like the alert_command is an actual bash command. Another important API endpoint is (2) /api/admin/sendmail.
Before we can use these APIs, we have to set an API key. The modified base64 blob from earlier can be used as the key.
Via /api/admin/settings, we replaced the sendmail command with a reverse shell.
However, we received an error saying that the payload must contain “/usr/sbin/sendmail”.
So we updated it to the following:
It got accepted!
We can then send a request to /api/admin/sendmail to trigger the execution, and we get a root shell!
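The validation that rejected the first payload only checked that the string contained “/usr/sbin/sendmail”, and the server then handed the whole alert_command to a shell. The example below is added here and is not code from the writeup or the challenge; it puts that substring check beside a stricter parser that splits the command into argv, requires the executable to be exactly the sendmail path, and allows only a small set of flags and recipient addresses. The allowlist and the sample commands are constructed for illustration.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

SENDMAIL = "/usr/sbin/sendmail"          # the path the challenge's check looked for
ALLOWED_FLAGS = {"-t", "-i", "-oi"}      # assumed allowlist for this example
RECIPIENT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def weak_check(alert_command: str) -> bool:
    """Substring check of the kind the writeup ran into: anything containing the
    sendmail path passes, and the string is then run by a shell as-is."""
    return SENDMAIL in alert_command


def strict_parse(alert_command: str) -> Optional[List[str]]:
    """Parse into argv and accept only `/usr/sbin/sendmail` followed by allowlisted
    flags or recipient addresses. Returns the argv to pass to subprocess.run(argv)
    without a shell, or None if the command is rejected."""
    try:
        argv = shlex.split(alert_command)
    except ValueError:          # unbalanced quotes: reject rather than guess
        return None
    if not argv or argv[0] != SENDMAIL:
        return None
    for arg in argv[1:]:
        if arg in ALLOWED_FLAGS or RECIPIENT_RE.fullmatch(arg):
            continue
        return None             # shell metacharacters end up inside tokens and fail here
    return argv


# Constructed sample settings values; none of these are taken from the challenge.
CONSTRUCTED_CASES = [
    "/usr/sbin/sendmail -t admin@example.com",   # legitimate command
    "/usr/sbin/sendmail -t; echo leaked",        # path present, extra shell command appended
    "echo hi # /usr/sbin/sendmail",              # path only mentioned, not executed
    "mail -s alert admin@example.com",           # different binary
]


def evaluate(cases: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each command to (passes weak check, passes strict parse)."""
    return {cmd: (weak_check(cmd), strict_parse(cmd) is not None) for cmd in cases}


if __name__ == "__main__":
    for cmd, (weak, strict) in evaluate(CONSTRUCTED_CASES).items():
        print(f"{cmd!r:50} weak={weak} strict={strict}")
```

Only the first constructed command passes the strict parser; the second and third pass the substring check because the path appears somewhere in the string. Running the result as an argv list rather than through `sh -c` matters as much as the allowlist, since without a shell there is nothing to interpret `;`, quotes or `$(...)` even if a check is later loosened.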
The flag can be found in /srv/app.