INSANE CTF.ZONE:: WEB-CARD explained

Fig. 1. Landing
Fig. 2. The original response

STAGE 1

First attempt: XXE through request body

Fig. 3. Checking XXE with file-scheme
Fig. 4. Checking XXE with http-scheme
  • There is XML processing by a standard Java SAX parser from javax.xml.* (the error messages are the parser's standard ones).
  • The file and http (https) schemes are not allowed for general entities.
  • The Java web application possibly uses Spring (the Internal Server Error body is in Spring's standard JSON-object format).

Second attempt: Fuzzing payload format

Fig. 5. Attempt to inject tags into attribute value
Fig. 6. Attempt to send invalid string value for field with type int
Fig. 7. Attempt to send random string as a value of type-attribute for field

Endpoint discovery

Fig. 8. Dirbusting with Burp Suite Intruder (why not? 🙂)
Fig. 9. Checking /dev/api/render

Third attempt: Fuzzing payload format through developers’ endpoint

Fig. 10. Attempt to inject tags into attribute value
Fig. 11. Attempt to send random string as a value of type-attribute for field
Fig. 12. Attempt to send invalid string value for field with type int
Fig. 13. Executing Python code with eval function
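The figures above show the two behaviours of the dev endpoint that matter: an invalid string in an int-typed field produces a Python error, and a crafted value is evaluated as code. The following is an added example, not code from the WEB-CARD application: it reconstructs the anti-pattern (coercing a typed field with eval()) beside an allowlisted parser. The field layout (a "type" attribute naming int/float/str plus a raw string value) and every function name are assumptions modelled on the write-up's description.

```python
"""Typed-field rendering: the eval() anti-pattern beside an allowlisted parser.

Added example, not code from the WEB-CARD challenge. The layout (a "type"
attribute naming int/float/str plus a raw string value) is an assumption
modelled on what the write-up describes at the dev endpoint.
"""
import html
import re
from typing import Any, Callable, Dict, List


class FieldError(ValueError):
    """A field value does not match its declared type."""


def render_value_vulnerable(field_type: str, raw: str) -> Any:
    """Anti-pattern: coerce the value by evaluating it as Python.

    eval() never checks that the string is a literal of the declared type,
    so any expression the client sends runs on the server before the type
    check below is even reached.
    """
    value = eval(raw)  # intentionally unsafe, shown only for contrast
    if field_type == "int" and not isinstance(value, int):
        raise FieldError("expected int")
    return value


# Hardened path: one strict converter per declared type, nothing dynamic.
_INT_RE = re.compile(r"[+-]?\d{1,18}")
_FLOAT_RE = re.compile(r"[+-]?(\d+\.\d*|\.\d+|\d+)([eE][+-]?\d{1,2})?")


def _parse_int(raw: str) -> int:
    if not _INT_RE.fullmatch(raw):
        raise FieldError("not an integer literal")
    return int(raw)


def _parse_float(raw: str) -> float:
    if not _FLOAT_RE.fullmatch(raw):
        raise FieldError("not a decimal literal")
    return float(raw)


def _parse_str(raw: str) -> str:
    # Text stays text: it is escaped at render time, never interpreted here.
    return raw


_CONVERTERS: Dict[str, Callable[[str], Any]] = {
    "int": _parse_int,
    "float": _parse_float,
    "str": _parse_str,
}


def render_value(field_type: str, raw: str) -> Any:
    """Convert raw to the declared type or raise FieldError.

    Error messages name the expected type only and never echo the input,
    so a rejected value cannot leak back to the client through the error.
    """
    try:
        convert = _CONVERTERS[field_type]
    except KeyError:
        raise FieldError("unsupported field type") from None
    return convert(raw)


def is_valid_field(field_type: str, raw: str) -> bool:
    try:
        render_value(field_type, raw)
    except FieldError:
        return False
    return True


def render_fields(fields: List[Dict[str, str]]) -> str:
    """Render parsed fields into SVG <text> nodes, escaping every value."""
    parts = []
    for row, field in enumerate(fields, start=1):
        value = render_value(field["type"], field["value"])
        label = html.escape(field["name"], quote=True)
        text = html.escape(str(value), quote=True)
        parts.append(f'<text x="10" y="{20 * row}">{label}: {text}</text>')
    return '<svg xmlns="http://www.w3.org/2000/svg">' + "".join(parts) + "</svg>"


if __name__ == "__main__":
    # Constructed sample request body, not captured traffic.
    sample = [
        {"name": "age", "type": "int", "value": "42"},
        {"name": "note", "type": "str", "value": '<script>"x"</script>'},
    ]
    print(render_fields(sample))
    print(render_value_vulnerable("int", "2*21"))  # 42: an expression, not a literal
    print(is_valid_field("int", "2*21"))            # False: rejected by the strict parser
```

The strict path fails closed in three places the eval() path does not: the type name is looked up in a fixed table instead of being resolved dynamically, each converter accepts only a literal of its type, and error text never contains the rejected input.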

Investigating server through RCE

Searching for information

  1. bottle.py — Bottle, a single-file web framework for Python.
  2. card_render — the application folder with the source files.
  3. network-hint.md — a file with a hint:
{internet} -> 80:[front] -> 4041:[waf]{FLAG is here} -> 3031:[app]
|
|
------> 3031:[app-dev]

Network connectivity

Results

  1. app is a Python web application that renders SVG and has an RCE vulnerability.
  2. app-dev is an instance of app, but for testing purposes.
  3. waf is a Java web application that validates requests for app, which makes the app's RCE non-exploitable from the outside.
  4. FLAG for this challenge is stored on the waf machine.

STAGE 2

WAF Bypass

Playing with invalid XML document

STAGE 3

Searching vectors to WAF

  1. A hidden vulnerable endpoint/service that is only accessible from the internal network.
  2. XML processing of the SVG response from the app.

Attack on the way back

  1. There is a response validation by SVG schema (tests 1, 5, 6, 7).
  2. During response validation, waf resolves external entities and allows external HTTP requests (test 3).
  3. Invalid attribute value for SVG element rect is reflected in the response error message (test 7).
172.42.73.7 - [11/Feb/2021 03:13:37] 
"GET /?ctf.zone{78806158f1928b18ec1a583c0b9b82c5} HTTP/1.1" 200 -
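Two findings on this page describe the same class of defect from opposite sides: on the request path the WAF refused file and http(s) schemes for general entities, while on the response path it resolved external entities, allowed outbound HTTP, and reflected invalid rect attribute values in its error message. The following is an added example, not the WEB-CARD WAF's code: it shows how a validator refuses every DTD construct before schema validation and keeps its error text free of input. It uses Python's expat binding, whereas the write-up identifies the real WAF as Java SAX, so the hardening is transposed rather than copied; the simplified length pattern for rect attributes and all function names are assumptions.

```python
"""Refuse DTDs and entities before SVG schema validation; keep error text free of input.

Added example, not the WEB-CARD WAF's code. It models the response-side check the
write-up describes (an XML validator that resolved external entities and echoed
attribute values in its errors) using Python's expat binding; the original WAF is
Java SAX according to the write-up, so the hardening is transposed, not copied.
"""
import re
import xml.parsers.expat
from typing import Dict, List


class UnsafeXML(ValueError):
    """The document uses DTD machinery the validator must not process."""


def _refuse(reason: str):
    def handler(*_args):
        raise UnsafeXML(reason)
    return handler


# Simplified SVG length: digits with optional fraction and px/% unit (an assumption;
# the real SVG schema accepts more).
_LENGTH_RE = re.compile(r"\d+(\.\d+)?(px|%)?")


def check_rect(attrs: Dict[str, str]) -> List[str]:
    """Validate a <rect>'s size attributes; messages name the attribute, never its value."""
    problems = []
    for attr in ("width", "height"):
        value = attrs.get(attr)
        if value is not None and not _LENGTH_RE.fullmatch(value):
            problems.append(f"rect: invalid value for attribute '{attr}'")
    return problems


def parse_svg_strict(data: bytes) -> dict:
    """Parse an SVG document with every DTD feature refused.

    Returns {"root": ..., "elements": n, "problems": [...]}; raises UnsafeXML on a
    DOCTYPE, an entity declaration, an external entity reference, or malformed XML.
    """
    parser = xml.parsers.expat.ParserCreate()
    # No parameter-entity processing, so no external DTD is ever fetched.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # Any DOCTYPE at all is refused; the entity handlers are defence in depth.
    parser.StartDoctypeDeclHandler = _refuse("DOCTYPE declarations are not accepted")
    parser.EntityDeclHandler = _refuse("entity declarations are not accepted")
    parser.ExternalEntityRefHandler = _refuse("external entity references are not accepted")

    summary = {"root": None, "elements": 0, "problems": []}

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1
        if name == "rect":
            summary["problems"].extend(check_rect(attrs))

    parser.StartElementHandler = start_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Report the position only; the offending text is not echoed to the client.
        raise UnsafeXML(f"malformed XML at line {exc.lineno}, column {exc.offset}") from None
    return summary


def is_safe_svg(data: bytes) -> bool:
    try:
        parse_svg_strict(data)
    except UnsafeXML:
        return False
    return True


# Constructed samples, not traffic from the challenge.
GOOD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="5"/></svg>'
BAD_RECT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="abc" height="5"/></svg>'
DTD_SVG = b'<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///placeholder">]><svg>&x;</svg>'

if __name__ == "__main__":
    print(parse_svg_strict(GOOD_SVG))
    print(parse_svg_strict(BAD_RECT_SVG)["problems"])
    print(is_safe_svg(DTD_SVG))  # False
```

Refusing the DOCTYPE outright is simpler and safer than allowlisting schemes: an SVG response has no legitimate need for a DTD, and a validator that never processes entities has nothing to resolve over file or HTTP in either direction. Keeping the rejected value out of the error message closes the reflection that made the error channel useful as an output.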

The whole chain

Fig. 14. The whole chain of exploitation

BONUS: Original design w/o simplification :)

Fig. 15. The original chain of exploitation

Credits

International community conference for cybersecurity researchers and professionals. No suits, no business — only hardcore research.