search

Web - The Cyber Jawara International 2024

This last october weekend i participated in cyber jawara international with team "swusjask fans club" we manage to secure 2nd position in the event.I personally contributed in solving 2 challs of web.

hashtag
Example Box

Category
Points
Author

Web; whitebox

495

farisv

hashtag
Code Analysis

Here is the main code that provided

from flask import Flask, abort, render_template, request, Response
from re import sub
from unidecode import unidecode
from urllib3.util import parse_url
import requests

app = Flask(__name__)

allowed_hostname = ["example.com"]
allowed_path = ["", "/"]
fallback = "http://example.com/"
cache = {}

def normalize(token):
    if token == None:
        token = ""
    return sub(r'\s+', '', unidecode(str(token)))

def filter_url(url):
    parsed_url = parse_url(url)
    scheme = normalize(parsed_url.scheme) # http
    host = normalize(parsed_url.host)
    path = normalize(parsed_url.path)
    filtered_url = url
    if not scheme.startswith('http'):
        filtered_url = fallback
    if not host in allowed_hostname:
        filtered_url = fallback
    if not path in allowed_path:
        filtered_url = fallback
    return normalize(filtered_url)

@app.route('/', methods=['GET', 'POST'])
def index():
    url = request.form.get('url', '')
    return render_template('index.html', url=url)

@app.route('/fetch_url')
def fetch_url():
    url = request.args.get('url')
    filtered_url = filter_url(url)
    print("request from: ", request.remote_addr)
    # print("cache now: ")
    try:
        if filtered_url in cache:
            response = cache[filtered_url]
        else:
            response = requests.get(filtered_url)
            cache[filtered_url] = response
        return Response(response.content,
                        status=response.status_code,
                        content_type=response.headers.get('Content-Type'))
    except requests.exceptions.RequestException as e:
        return f"Error fetching the URL: {e}", 500

@app.route('/flag')
def flag():
    if request.remote_addr != '127.0.0.1':
        abort(403)
    with open('/flag.txt', 'r') as flag:
        return flag.read()

if __name__ == '__main__':
    app.run(debug=False, host='0.0.0.0', port=20002)

Reviewing the code we know that, this must be related to ssrf but there is some url parsing filter that we should bypass. Although the code looks very simple but i found that its really tricky to bypass.

Our objective is to access path flag with 127.0.0.1 remote addres http://127.0.01/flag

Reviewing the code the normalize function is to check if there is whitespace or any unicode in the url.

filter_url is check for the whitelist.

the challenge is we need to bypass parse_url and fallback overwrite, to perform this there is a good reads that that i found for bypassing the parse_url() in python.

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdfarrow-up-right

Yepp we can use @ to bypass the parse_url,

hashtag
Exploitation

Because there are some whitelist so we need to use it to perform SSRF

I perform some test code to debug the website and see how the parsed works

We can see we have finally bypass the parse_url and fallback. but the request python still accepting our request as example.com

the problem is if we access the path flag manually like this http://127.0.0.1/flag@example.com the parse will works again and our input will be only example.com.

So we need to use unicode because normalize function and we are using ? for the reuqest to not accessing path @example.com.

So here is the full payload:

http://127.0.0.1:20002/ⓕⓛⓐⓖ?@example.comarrow-up-right

Flag: CJ{enough_with_example.com_here_is_your_nice_Phl4g!}

hashtag
Java Box

Category
Points
Author

Java Box; blackbox

499

farisv

In this challenge our team work together to solve the challenge. Thanks to @daffainfo who find the initial foothold of the challenge we can continue the challenge and manage to solve 1 hour before the CTF ends.

hashtag
Blackbox

We are given a service and there is no code provided so it should be blackbox challenge. There is only register and login to the dahsboard and nothing special with other feature of the service.

Our team found that we can see java stack trace in assets path. After that we started by doing some enumeration there.

If we're accessing assets the error given is java.lang.StringIndexOutOfBoundsException accessing But if we are accessing something like this the error given is different, it look like failed to get some resouce in the server we consider that is trying to access file in the server.

hashtag
Exploitation

After some time we find a good article expalaing about some new release CVEs

https://attackerkb.com/assessments/25397f72-670e-4ef4-a19b-2a3a55120d18?referrer=profilearrow-up-right

But even is simmiliar we didnt find the real objective and still struggling, then several time my team friend got something like this

After that From here, i figue out why not trying to access the path traversal like in java folder as usual im asking chat gpt for that and yep we found 200 status. But we didnt manage to get Main Controller at first.

We forgot that is being compiled so its not .java but .class here is the code we find

com.cyberjawara.chall.web.javabox.controller.MainController

Analyzing the source code is obvious we need to access admin to get the flag so we need to construct our jwt but we need the jwt secret key. We found it in:

com.cyberjawara.chall.web.javabox.util.JwtUtil.class

the key we found: c31bcd4ffcff8e971a6ad6ddcbdc613a1246f4223c00fa37404b501ad749257c

From here we struggle a little bit changing the jwt.io but our tem found that we need to use token.dev for the jwt thanks to @Lyyn

Then we change the jwt for the win :)

Flag: CJ{black_box_web_testing_is_not_that_bad_and_too_guessy_right?}

PreviousWelcomeNextHTB university 2024

Last updated