Pwn is one of the more difficult categories to get started with. This is partially due to the setup required in order to efficiently solve pwn challenges. This post aims to introduce a workflow you can use for solving any pwn challenge.
This challenge consists of an assembly program and a simulated CPU, with the goal of running the program on the CPU. But we had no way to assemble the program, so we first had to write an assembler for it.
Epsilon was a medium Cloud challenge. It starts with an exposed git repository that contains AWS credentials. With these you can discover a Lambda function that contains the JWT secret. Now you can authenticate to the website on port 5000 and use Server-Side Template Injection to get a shell and the flag.
Use SQL Injection and Server-Side Template Injection to get the user. Use the mounted home directory and a mknod privilege escalation with Docker to get the root flag.
TL;DR: Abuse the JKU claim in combination with an unrestricted file upload to gain admin access. Perform request smuggling to bypass HAProxy ACL rules and use XSS to let Puppeteer retrieve the admin secret from the CouchDB REST API.