added writeups

[pub/jan/ctf-seminar.git] / writeups / smashing / seccon19.md

# Retrospective
The CTF was quite fun and used some vulnerabilities which were revealed not that long ago. 

Time spent: ~ 13 hours

# Option-Cmd-U (solved)
## Overview
There are two servers one host for the webpage and another one hosting the flag which is only accessible on the local network. The webpage allows to make requests to other pages and is eventually used to request the flag.

## Approach
The source for the webpage is provided and listed below:
```
<?php
if (isset($_GET['url'])){
    $url = filter_input(INPUT_GET, 'url');
    $parsed_url = parse_url($url);              
    if($parsed_url["scheme"] !== "http"){
        // only http: should be allowed. 
        echo 'URL should start with http!';
    } else if (gethostbyname(idn_to_ascii($parsed_url["host"])) === gethostbyname("nginx")) {
        // local access to nginx from php-fpm should be blocked.
        echo 'Oops, are you a robot or an attacker?';
    } else {
        // file_get_contents needs idn_to_ascii(): https://stackoverflow.com/questions/40663425/
        highlight_string(file_get_contents(idn_to_ascii($url),
                                            false,
                                            stream_context_create(array(
                                                'http' => array(
                                                    'follow_location' => false,
                                                    'timeout' => 2
                                                )
                                            ))));
    }
}
?>
```

Quickly one can see that the address of the provided `host` must not match the address of `nginx` in the first check while still being the same when requesting the file. On a closer look the different usages of `idn_to_ascii` stand out and hint a potential vulnerability.

First we need to trigger the `Oops, are you a robot or an attacker?` message to ensure we are requesting to the correct server which can be done with the following input: `http://nginx`.
First we tried to insert arbitrary UTF-8 characters. Sadly this lead to an URL containing punycode (i.e. `xn--http://nginx/flag-5zb`) which already invalidated the needed scheme. After searching  time through the deeps of the internet eventually i found a presentation [1] about HostSplitting and normalization of unicode characters. This presentation shows, that not every unicode character is transformed to punycode which helps us a lot. 

At the end of the presentation a list containing some characters which can be transformed to regular ascii is provided. This list contains a special version of `@` which is transformed to its regular ascii version. 

Knowing this special `﹫` the final payload (`http://﹫nginx/flag.php`) can be constructed. Since the first check only normalizes the given host (`﹫nginx`) and `@nginx` obviously wont have the same address like `nginx` the first check is successfully bypassed. In the next step the initial input is transformed resulting in `http://@nginx/flag.php`. Since `@` is used to provide a username and password to pass authentication the URL is valid and the flag can be retrieved.

And finally: `SECCON{what_a_easy_bypass_314208thg0n423g}`

[1] [https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf)
# Web-SPA (almost solved :()
## Overview
An SPA was given showing all challenges of SECCON CTFs. The file from which the data of the challenges should be loaded was given as URL parameter which we were able to use to load data from arbitrary URLs.

 ## Approach
 Since it was an Vue app the source code was available and we quickly realized that user controlled data (`contestId`) was used to load json files. 
```
methods: {
  async fetchContest(contestId) {
    this.contest = await $.getJSON(`/${contestId}.json`)
  },
  async fetchContests() {
    this.contests = await $.getJSON('/contests.json')
  },
  async onHashChange() {
    const contestId = location.hash.slice(1);
    if (contestId) {
      if (contestId === 'report') {
        this.goReport();
      } else {
        await this.goContest(contestId);
      }
    } else {
      this.goHome();
    }
  },
```

Another fact which was revealed by the source code was the usage of jQuery to load data which will become important later on.
But first we need to find a way to load from any domain and not just the current one. This one can easily be achieved by providing an absolute path (e.g. `evil.com/evil.json`) instead of a relative one. Sadly a regular request to an user controlled server does not reveal anything about the admin and therefore we needed to find another way to exfiltrate the admins cookie.

After searching in the deeps of the web again the jQuery documentation revealed that `$.getJSON` treats a request as  `JSONP` as soon as `callback=` is provided in the URL to request. With JSONP JavaScript code can be returned which is then executed on the client side. Sadly none of us had any prior experience with JSONP and therefore we were not able to trigger this vulnerability.

After the end of the CTF the writeups showed that JSONP was indeed the solution and the with the help of the returned JS the cookie could have been extracted and sent in another request tous.

## Conclusion
So close, yet so far away - never discard an idea just because you do not know the technology used for it.