CTFtime.org

Svgmagic

by aaditya_purani / dcua

Rating: 5.0

# PNGSVG

Category: Web

First, I checked whether there is a possibility for `ImageTragick` vulnerability. Next, I tried using `img` to fetch external image hosted on my server. Which gave me a hit with user-agent `CairoSVG`.

`CairoSVG 2.3.0` is the latest version and is only compatible in python. There were 2 (or 3 although not a framework) good candidates for framework - Flask and Django. Third one being `SimpleHTTPServer` to serve files.

First, we need to get either RCE or XXE. I thought to first target for XXE.

```xml
]>
<svg height="300" width="200">
<text x="0" y="15" fill="red">test &xx;; test</text>
</svg>
```

It will generate a png with the content of passwd. But, the image is too small to fit everything. Hence, you can tweak the width parameter to make it wider. The max amount of it was 34,000 as after that the server used to timeout while conversion
So, keeping it 20,000 should do the job.

Hence, now we have to arbitrary file read. It's not well RCE so I cannot list out the file name. So, we can either guess the flag path or either file the directories.

First things First,

I checked `/etc/passwd` which had `/home/svgmagic` . Hence the following was tried next

```
/home/svgmagic/flag.txt
/home/flag.txt
/flag.txt
/var/flag.txt
/tmp/flag.txt
/var/www/html/flag.txt
/var/www/flag.txt
```

Still no success. Hence, we need to try harder. I suspected the flag being in the current working directory. To find current working directory. We have to first find process-id of the current process & then do
`/proc/<pid>/cwd/`.

I dumped `/proc/self/status` which gave me pid of the current running process. The process was `Gunicorn` which is used to serve flask files.

The process id was 28. Hence, I tried `/proc/28/cwd/flag.txt` , nope no luck. Apparently, we dumped all the proc files & docker files with no success.

Then suddenly, we crafted a payload

```xml
]>
<svg height="300" width="3000">
<text x="0" y="15" fill="red">test &xx;; test</text>
</svg>
```

After processing that to PNG, It gave us the flag.

#### CTF{haha_no_imagemagick_sorry}

Original writeup (https://github.com/aadityapurani/My-CTF-Solutions/tree/master/bsidessf-2019/pngsvg).

Comments