This last October weekend I participated in Cyber Jawara International with team "swusjask fans club", and we managed to secure 2nd position in the event. I personally contributed by solving 2 web challenges.
Example Box

| Category | Points | Author |
| --- | --- | --- |
| Web; whitebox | 495 | farisv |
Code Analysis
Here is the main code that was provided:
```python
from flask import Flask, abort, render_template, request, Response
from re import sub
from unidecode import unidecode
from urllib3.util import parse_url
import requests

app = Flask(__name__)

allowed_hostname = ["example.com"]
allowed_path = ["", "/"]
fallback = "http://example.com/"
cache = {}


def normalize(token):
    # Transliterate Unicode to ASCII and strip all whitespace
    if token is None:
        token = ""
    return sub(r'\s+', '', unidecode(str(token)))


def filter_url(url):
    # The whitelist is checked on the raw URL, but the URL that is
    # returned (and later fetched) is normalize(url)
    parsed_url = parse_url(url)
    scheme = normalize(parsed_url.scheme)  # http
    host = normalize(parsed_url.host)
    path = normalize(parsed_url.path)
    filtered_url = url
    if not scheme.startswith('http'):
        filtered_url = fallback
    if not host in allowed_hostname:
        filtered_url = fallback
    if not path in allowed_path:
        filtered_url = fallback
    return normalize(filtered_url)


@app.route('/', methods=['GET', 'POST'])
def index():
    url = request.form.get('url', '')
    return render_template('index.html', url=url)


@app.route('/fetch_url')
def fetch_url():
    url = request.args.get('url')
    filtered_url = filter_url(url)
    print("request from: ", request.remote_addr)
    # print("cache now: ")
    try:
        if filtered_url in cache:
            response = cache[filtered_url]
        else:
            response = requests.get(filtered_url)
            cache[filtered_url] = response
        return Response(response.content,
                        status=response.status_code,
                        content_type=response.headers.get('Content-Type'))
    except requests.exceptions.RequestException as e:
        return f"Error fetching the URL: {e}", 500


@app.route('/flag')
def flag():
    # Only reachable from localhost, hence the SSRF
    if request.remote_addr != '127.0.0.1':
        abort(403)
    with open('/flag.txt', 'r') as flag:
        return flag.read()


if __name__ == '__main__':
    app.run(debug=False, host='0.0.0.0', port=20002)
```
Reviewing the code, we know this must be related to SSRF, but there is a URL parsing filter that we need to bypass. Although the code looks very simple, I found it really tricky to bypass.
Our objective is to reach the flag path with remote address 127.0.0.1, i.e. http://127.0.0.1/flag:
```python
@app.route('/flag')
def flag():
    if request.remote_addr != '127.0.0.1':
        abort(403)
    with open('/flag.txt', 'r') as flag:
        return flag.read()
```
Reviewing the code, the normalize function strips whitespace from the URL and transliterates any Unicode in it to ASCII (via unidecode).
filter_url checks the whitelist:
```python
def filter_url(url):
    parsed_url = parse_url(url)
    scheme = normalize(parsed_url.scheme)  # http
    host = normalize(parsed_url.host)
    path = normalize(parsed_url.path)
    filtered_url = url
    if not scheme.startswith('http'):
        filtered_url = fallback
    if not host in allowed_hostname:
        filtered_url = fallback
    if not path in allowed_path:
        filtered_url = fallback
    return normalize(filtered_url)
```
The challenge is that we need to bypass parse_url and the fallback overwrite. To do this, there is a good read that I found on bypassing parse_url() in Python.
Yep, we can use @ to bypass parse_url.
Exploitation
Because there is a whitelist, we need to use it to perform the SSRF.
I wrote some test code to debug the website and see how the parsing works.
We can see we have finally bypassed parse_url and the fallback, but the Python requests library still sends our request to example.com.
The problem is that if we access the flag path directly like this, http://127.0.0.1/flag@example.com, the parser catches it again and our input is replaced with the example.com fallback.
So we need to use Unicode because of the normalize function, and we use ? in the request so that @example.com is not treated as part of the path.
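The root cause is that the whitelist is checked against the raw URL while the request is sent with normalize(url), a different string, so two parsers end up disagreeing about the host. Below is a hardened rewrite of filter_url, added here as an example and not part of the challenge or the author's solution; it assumes a standard-library stand-in (unicodedata NFKC plus urllib.parse.urlsplit) for unidecode and urllib3's parse_url so it runs offline, normalizes before parsing, refuses userinfo and explicit ports, and rebuilds the outgoing URL from the validated parts only.

```python
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Same policy as the challenge's globals
ALLOWED_HOSTNAMES = {"example.com"}
ALLOWED_PATHS = {"", "/"}
FALLBACK = "http://example.com/"


def normalize(token):
    # Assumed stand-in for unidecode: NFKC folds full-width and other
    # compatibility characters to ASCII, then all whitespace is removed.
    if token is None:
        token = ""
    folded = unicodedata.normalize("NFKC", str(token))
    return re.sub(r"\s+", "", folded)


def safe_url(url):
    """Return a URL that targets an allowed host, or FALLBACK."""
    # 1. Normalize FIRST, so the string we validate is the string we send.
    candidate = normalize(url)
    # 2. Parse that same string (urlsplit is what requests builds on).
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # 3. Refuse userinfo and explicit ports: "x@host" is exactly the
    #    ambiguity that lets two parsers disagree about the host.
    if parts.username is not None or parts.password is not None or port is not None:
        return FALLBACK
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTNAMES or parts.path not in ALLOWED_PATHS:
        return FALLBACK
    # 4. Rebuild from validated components only; query/fragment are never echoed.
    return urlunsplit((parts.scheme, host, parts.path or "/", "", ""))


def targets_allowed_host(url):
    # Self-check a reviewer can run: re-parse whatever safe_url returns and
    # confirm the host is still on the allowlist.
    return urlsplit(safe_url(url)).hostname in ALLOWED_HOSTNAMES
```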
In this challenge our team worked together. Thanks to @daffainfo, who found the initial foothold of the challenge, we could continue and managed to solve it 1 hour before the CTF ended.
Blackbox
We are given a service and no code is provided, so this is a blackbox challenge. There is only register and login to the dashboard, and nothing special about the other features of the service.
Our team found that we can see a Java stack trace in the assets path. After that we started by doing some enumeration there.
If we access assets, the error given is java.lang.StringIndexOutOfBoundsException. But if we access something like this, the error given is different: it looks like a failure to get some resource on the server, so we figured it was trying to access a file on the server.
Exploitation
After some time we found a good article explaining some newly released CVEs.
But even though it was similar, we didn't find the real objective and were still struggling; then, after several tries, my teammate got something like this.
From here, I figured: why not try path traversal to the Java folder as usual? I asked ChatGPT for that and yep, we found a 200 status. But we didn't manage to get the Main Controller at first.
We forgot that it is compiled, so it's not .java but .class. Here is the code we found:
Analyzing the source code, it is obvious we need to access admin to get the flag, so we need to construct our JWT, but for that we need the JWT secret key. We found it in: