From 787d548c8de756a7e7fa57eae8a31d0e8245750c Mon Sep 17 00:00:00 2001 From: Alexander Navratil Date: Sat, 4 Jan 2020 13:29:59 +0100 Subject: [PATCH] add spent time and fix typos --- writeups/devnull/seccon19.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/writeups/devnull/seccon19.md b/writeups/devnull/seccon19.md index 49a6f74..07ced5d 100644 --- a/writeups/devnull/seccon19.md +++ b/writeups/devnull/seccon19.md @@ -23,6 +23,8 @@ def decrypt(key, text): return s ``` +This challenge took me about 45 minutes. + ## web: Option-Cmd-U (solved) A web application written in PHP was given. The source code was available by appending a query param (`?action=source`). This and some other information was given in the source code of the web page. Also the following information was given: `the flag is in /flag.php, which permits access only from internal network`. The purpose of the web application was to download a given web page (entered by the user) and show a highlighted version of the page source (replacement for the browser's "view page source"-function). 
@@ -34,10 +36,12 @@ if (gethostbyname(idn_to_ascii($parsed_url["host"], 0, INTL_IDNA_VARIANT_UTS46)) } ``` -So my plan was to somehow inject nginx as hostname to get access to the flag.php file. I then tried different weird strings but the all didn't work. The solution (from another teammate) then was to enter a special unicode character which was ignored by the `file_get_contents` function. +So my plan was to somehow inject nginx as hostname to get access to the flag.php file. I then tried different weird strings but they all didn't work. The solution (from another teammate) then was to enter a special unicode character which was ignored by the `file_get_contents` function. flag: `SECCON{what_a_easy_bypass_314208thg0n423g}` +Since this was quite tricky to find a way, it took me about 5 to 6 hours. + ## web: fileserver (solved) Since I like web challenges a lot, I couldn't wait to start the next one. A web application written in ruby using a library called WEBrick. The challenge creator developed a web service using the WEBrick http library. The application provided directory listings for all URLs which ended with a slash. To list all files from a directory, the function Dir.glob was used. Since this function allowed some wildcards, there was some filtering implemented which was the painpoint of the application (As we noticed later during the challenge). For directory listings, actually the following call was issued: `files = Dir.glob(".#{req.path}*")`. The prepending dot made sure that the path is relative. So we could start our request path with a dot so we get something like `../` to traverse back. Since dot's were filtered (resulting in a bad request) this was obsolete. 
@@ -47,7 +51,7 @@ Since a lot of those weird URLs are getting changed by the browsers automaticall If the request path didn't end with a slash, it was trying to find the given path as a file and serve the file if it exists. The following matching was used: `matches = Dir.glob(req.path[1..])`. Since paths which don't end with a slash could use a dot, we could traverse back to the root here, but the flag name was obfuscated with a random string so it was hard to figure out the exact path. -A teammate then found out that we could enter a null byte (URI escaped) before the path. Using this trick, we were able to get a directory listing of `/tm/flags` which contained the obfuscated filename of the the flag file. We then thought, that we solved the challenge because the final url would just be: `fileserver.chal.seccon.jp:9292/%00/tmp/flags/#{SecureRandom.alphanumeric(32)}.txt` +A teammate then found out that we could enter a null byte (URI escaped) before the path. Using this trick, we were able to get a directory listing of `/tmp/flags` which contained the obfuscated filename of the the flag file. We then thought, that we solved the challenge because the final url would just be: `fileserver.chal.seccon.jp:9292/%00/tmp/flags/#{SecureRandom.alphanumeric(32)}.txt` But we were wrong, because the file name can't contain any null byte. So we looked again at the source code to find some other bugs. We then looked very detailed at the filtering function for the glob wildcards. @@ -85,3 +89,5 @@ The final URL was then: `fileserver.chal.seccon.jp:9292/%7B/tmp/flags/
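Review bot: In hunk `@@ -34,10 +36,12 @@`, the corrected sentence still reads awkwardly: "they all didn't work" would be clearer as "none of them worked", and the added line "Since this was quite tricky to find a way, it took me about 5 to 6 hours." is missing its object; suggest "Since it was quite tricky to find a way around this, it took me about 5 to 6 hours." While touching this section, the unchanged context line "Since dot's were filtered" uses an apostrophe for a plural and should read "Since dots were filtered".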
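Review bot: In hunk `@@ -47,7 +51,7 @@`, the `/tm/flags` to `/tmp/flags` correction is right, but the same line keeps the doubled word "of the the flag file" in both the removed and the added version; since this commit is the typo pass, drop the extra "the" here as well. For consistency with "weird URLs" in the hunk's context line, "the final url would just be" should also be written "the final URL".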