# CTFZone Qualifiers 2019

This CTF was quite frustrating because it felt more like guesswork than anything else.
At least the web challenges were kinda strange.
This challenge presented a website that proudly showed off a chicken farm and its award-winning chickens.
It showed photos and provided "passports" containing each chicken's properties as a downloadable file.

The first vulnerability was quite easy to spot. The URL for downloading the passports looked something like this: `web-chicken.ctfz.one/File/Download?filename=My50eHQ=`
As you can easily see, the GET parameter `filename` contained a base64-encoded filename.
Path traversal was possible: there was no sanitization of the value of `filename` whatsoever.
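As an added illustration (not code from this write-up or from the challenge's actual server), the following Python puts the decode-and-serve pattern described above next to a hardened version that only serves a bare file name from inside a fixed storage directory. The storage directory, the helper names and the sample inputs are assumptions for the demo; the `My50eHQ=` value is the one from the URL above and decodes to `3.txt`.

```python
import base64
import binascii
from pathlib import Path

# Assumed storage directory for the demonstration; the real app's layout is unknown.
STORAGE_ROOT = Path("/var/app/passports")


def encode_filename(name: str) -> str:
    """Build the GET parameter the way the site's download links did."""
    return base64.b64encode(name.encode()).decode()


def decode_filename(param: str) -> str:
    """Decode the base64 `filename` parameter; the result is still untrusted input."""
    try:
        return base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("filename parameter is not valid base64") from exc


def resolve_unsafe(param: str) -> Path:
    """The pattern the write-up describes: decode the name and use it as-is.

    pathlib joins lexically, so '../' sequences are kept and an absolute path
    even replaces the root entirely. Whatever the client encodes gets served.
    """
    return STORAGE_ROOT / decode_filename(param)


def resolve_safe(param: str, root: Path = STORAGE_ROOT) -> Path:
    """Hardened version: only a bare file name directly inside `root` is served.

    Two independent checks: reject anything that is not a plain name, then
    confirm that the normalised absolute path still has `root` as its parent.
    The second check also catches a symlink inside the directory that points out.
    """
    name = decode_filename(param)
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise PermissionError(f"rejected file name: {name!r}")
    root_real = root.resolve()
    candidate = (root_real / name).resolve()   # resolve() follows symlinks
    if candidate.parent != root_real:
        raise PermissionError(f"path escapes storage root: {candidate}")
    return candidate


def is_allowed(param: str) -> bool:
    """True when the hardened resolver accepts the request, False otherwise."""
    try:
        resolve_safe(param)
    except (ValueError, PermissionError):
        return False
    return True


if __name__ == "__main__":
    for raw in ("3.txt", "../../../etc/passwd", "/etc/passwd"):
        p = encode_filename(raw)
        print(f"{raw!r:24} unsafe -> {resolve_unsafe(p)}   allowed by safe: {is_allowed(p)}")
```

Base64 is an encoding, not a control: the hardened resolver treats the decoded string exactly as it would treat a raw query parameter. Rejecting separators up front keeps the error obvious, and the `resolve()` comparison is what actually guarantees the file served lives under the storage root.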
This vulnerability was found about 3 minutes in. The real challenge began in the next few hours: what to retrieve from the server?

The HTTP response from the server contained a header that hinted at the "openresty" web server, which is just nginx with Lua support. But the error page shown when trying to open a non-existent file was an ASP.NET Core error message.

I tried to download some nginx files, but had no luck, because either it was not an nginx web server or it was just a containerized one.

So, following the hint of the ASP.NET Core service, we tried to get interesting files from the service.

By extensive googling and some clever fuzzing by @lavish we found quite a few files.
The following is the complete file tree that we found:

_CookieConsentPartial.cshtml

The Python script I wrote and used to retrieve the files is the following:
```python
import base64
import requests

s = requests.session()
url = "http://web-chicken.ctfz.one/File/Download?filename={}"

def get_file(filename):
    # The server expects the requested path base64-encoded in the GET parameter
    enc = base64.b64encode(filename.encode()).decode()
    return s.get(url.format(enc)).text

if __name__ == '__main__':
    content = get_file(input("Path: "))
    print("Content: ", end="")
    # The ASP.NET Core error page means the file could not be read
    if "<h2 class=\"text-danger\">An error occurred while processing your request.</h2>" in content:
        print("<error: file not found or not readable>")
    else:
        print(content)
```
The challenge was written in C# and was an MVC project.
We couldn't retrieve any `.cs` files. There probably was a filter in place.

Getting to this point already took several hours, and then I had to leave.

During the CTF I also briefly looked through some other challenges.
One of those was "Bathhouse".

The challenge description hinted towards being able to make an appointment.
The website was about baths that you can book for a certain date and time. There was a web form with several input fields that you had to fill in.

I provided some fake information and clicked the submit button in the belief that there would be some kind of error or warning. But I was greeted by a "Booking successful" message and was greatly confused. I tried some very basic SQLi stuff, but I didn't get anything from it and just left the challenge alone.

### Mememology (OSINT)
I also looked through this challenge, but by the time I decided to look into it, it was already nearly solved. I just provided an idea for the last part of the challenge, namely the "video part", and the challenge was solved. @matthias did all the work.

This challenge consisted of a web application that provided a malware scanner for files. You could upload a file or provide a link from which it could be downloaded.
The scanned files could then be downloaded from the website again.

For me the whole setup screamed SSRF to a local file. I tried providing a webhook link, which worked fine and told me through the request headers that the library used for the file request was `Python-urllib/3.4`.

You could only provide a URL that starts with `http://` or `https://`, so simply using `file://` or `local_file://` wasn't going to work.

I remembered the presentation by Orange Tsai about SSRF and URL parsers called "A New Era of SSRF". I tried several strategies from that presentation.
These tricks didn't work; they also weren't that useful, since the protocol was fixed.

After that I remembered a challenge that also used nginx and had an SSRF vulnerability that was filtered for nearly everything. I looked it up in the corresponding Mattermost channel. It was the challenge `web-Option-Cmd-U` from the CTF `SECCON 2019`. The trick using `http://nginx/...` also didn't work, or at least I wasn't good enough at fuzzing the correct file name.
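To make the gap between a scheme allowlist and an actual SSRF defence concrete, here is an added Python example (not the challenge's code and not from this write-up) of a fetch-by-URL validator: the scheme-only rule the scanner appeared to apply, next to one that also resolves the host and refuses loopback, private, link-local and IPv4-mapped destinations. The host names, DNS answers and IP addresses in it are constructed for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# A resolver maps a host name to the IP address strings it resolves to. The
# default asks real DNS; the demo below injects a constructed table instead.
Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = ("http", "https")


def dns_resolve(host: str) -> List[str]:
    """Resolve via the system resolver (only used when no resolver is injected)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def scheme_only_check(url: str) -> bool:
    """The rule the scanner appeared to apply: scheme must be http or https.

    It blocks file:// and friends but says nothing about where the request
    goes, so http://127.0.0.1/ or http://169.254.169.254/ pass unchanged.
    """
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def is_blocked_address(ip: str) -> bool:
    """True for addresses a fetch-by-URL feature should never contact."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_fetch_url(url: str, resolve: Resolver = dns_resolve) -> bool:
    """Scheme check plus destination check.

    Every address the host resolves to must be acceptable; a single loopback
    answer among public ones is enough to refuse the URL.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False  # no host, or user@ userinfo (a classic parser-confusion vector)
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP: nothing to resolve
    except ValueError:
        try:
            addresses = list(resolve(host))
        except (OSError, ValueError):
            return False  # resolution failed: refuse rather than guess
    if not addresses:
        return False
    return not any(is_blocked_address(ip) for ip in addresses)


# Constructed DNS answers for the offline demonstration; none are real records.
CONSTRUCTED_DNS = {
    "scanner-target.example": ["11.22.33.44"],
    "rebind.example": ["11.22.33.44", "127.0.0.1"],  # mixed public/loopback answer
    "metadata.example": ["169.254.169.254"],
}


def constructed_resolver(host: str) -> List[str]:
    """Stand-in for DNS that answers only from CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed resolver: no record for {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in ("http://scanner-target.example/report",
                      "http://127.0.0.1/", "http://[::ffff:127.0.0.1]/",
                      "http://rebind.example/", "file:///etc/passwd"):
        print(f"{candidate:40} scheme-only={scheme_only_check(candidate)!s:5} "
              f"safe={is_safe_fetch_url(candidate, constructed_resolver)}")
```

One caveat the code cannot solve on its own: the check resolves the name once, and a record that changes between the check and the fetch (DNS rebinding) would bypass it. The fetching client therefore has to connect to the address that was validated, or re-apply `is_blocked_address` to the address it actually connects to, and the same goes for every hop of an HTTP redirect.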