Introduction

This challenges includes multiple components:

• An Angular frontend
• A simple PHP file to upload and retrieve image files, served by an Apache webserver
• A nginx reverse-proxy to serve both the frontend and PHP backend under a unified gateway
• A browser bot, which has the challenge’s flag in its cookies. Participants can coerce into browsing arbitrary URLs to trigger client-side exploits (e.g: XSS)

The application is a simple blog that displays articles from static resources:

The only user input it takes is the selected article’s ID:

It uses this ID in the path of a client-side HTTP request performed on the website’s “API”, it retrieves the article’s content from static JSON files:

This “API” is a mock and only maps to static files. (this is not relevant for solving the challenge)

Guessing the intended exploitation path

The previously highlighted HTTP request sink immediately caught my attention: