w00tsec: 0CTF 2016 Write Up: Monkey (Web 4)
I found the Web task "Monkey" particularly interesting: I solved it with the help from my friend @danilonc, but it took way longer than it should because of some **Spoiler Alert** DNS glitches. According to the scoreboard status, approximately 35 teams were able to solve it.
Task: Monkey (Web - 4pts)
you can test this problem on your local machine
http://202.120.7.200
The running application receives a Proof-of-Work string and an arbitrary URL, instructing a "monkey" to browse the inputted URL for 2 minutes.
Proof-of-Work
Solving the proof-of-work is pretty straightforward. We had to generate random strings and compare the first 6 chars from its MD5 against the challenge. The POW challenge was more cpu-intensive than normal, so the traditional bash/python one-liner ctf scripts would require some performance improvements.
@danilonc had written a quick hack using Go to bruteforce and solve POW from older CTF challs, so we just slightly modified it:
Solving the Proof-of-Work:
Same-Origin-Policy and CORS
The Same-Origin-Policy (SOP) deems pages having the same URI scheme, hostname and port as residing at the same-origin. If any of these three attributes varies, the resource is in a different origin. Hence, if provided resources come from the same hostname, scheme and port, they can interact without restriction.
If you try to use an XMLHttpRequest to send a request to a different origin, you can’t read the response. However, the request will still arrive at its destination. This policy prevents a malicious script on one page from obtaining access to sensitive data (both the header and the body) on another web page, on a different origin.
For this particular CTF challenge, if the secret internal webpage had had an insecure CORS header like "Access-Control-Allow-Origin: *", we would be able to retrieve its data with no effort. This, of course, was not the case.
Bypassing the Same-Origin
The flag was accessible on an internal webserver hosted at http://127.0.0.1:8080/secret. The first thing we did was hooking the monkey's browser using BeEF, so we could fingerprint his device, platform, plugins and components.
There was nothing interesting here, a custom user-agent and no known vulnerable component. We enumerated the chars accepted by the server with the following script:
Unfortunately, the server was rejecting special chars like spaces (%20 and +) and there was no command injection signal. Our evil plan to input --disable-web-security $URL to disable Chrome's SOP didn't work so we had to find new ways to retrieve the secrets.
We also thought about using data:uri and file schemes to load a malicious script/webpage, but it wouldn't help us to bypass the SOP. We tried to input URL's like
Source link
-
Donate Via Wallets
-
MetaMask -
Trust Wallet -
Binance Wallet -
WalletConnect
-
-
Popular
Debian Security Advisory 5664-1 – Torchsec April 18, 2024 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5664-1 security@debian.orghttps://www.debian.org/security/… (9)
Google Sues App Developers Over Fake Crypto… April 8, 2024 Apr 08, 2024NewsroomInvestment Scam / Mobile Security Google has filed… (8)- Red Hat Security Advisory 2024-1687-03 – Torchsec April 9, 2024 The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1687.jsonRed Hat officially shut… (8)
- WordPress Travelscape Theme 1.0.3 Arbitrary File… April 8, 2024 # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File… (7)
👥Members
-
🌍 Forum Groups
-
linktr.ee/obewyn
Gloss