Simple Web 0x13(Lab - SSRFrog)

Posted on | Post modified | In |

Simple Web 0x13(Lab - SSRFrog)

tags: NTUSTWS CTF Web

Challenge: http://h4ck3r.quest:8501/

Background

Source code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
const express = require("express");
const http = require("http");

const app = express();

app.get("/source", (req, res) => {
    return res.sendFile(__filename);
})
app.get('/', (req, res) => {
    const { url } = req.query;
    if (!url || typeof url !== 'string') return res.sendFile(__dirname + "/index.html");

    // no duplicate characters in `url`
    if (url.length !== new Set(url).size) return res.sendFile(__dirname + "/frog.png");

    try {
        http.get(url, resp => {
            resp.setEncoding("utf-8");
            resp.statusCode === 200 ? resp.on('data', data => res.send(data)) : res.send(":(");
        }).on('error', () => res.send("WTF?"));
    } catch (error) {
        res.send("WTF?");
    }
});

app.listen(3000, '0.0.0.0');
  • Simply speaking, it’ll call a Set() object that will filter duplicate characters
  • We also can find the hint in page source

Exploit

  1. The hint said flag is on http://the.c0o0o0l-fl444g.server.internal:80, so we need to meet the first requirement - every single character is unique.

    We can use Domain Obfuscator to replace the similar characters.

  2. Payload

    • htTp:/\ⓉₕE.ℭ⓪ᴼ₀o0Ⅼ-Ⓕl₄44ⓖ。ₛⒺʳⓋₑⓇ.㏌ₜeᴿ㎁ˡ
    • htTp:/\ⓉhE。Ⅽ⁰ₒ0O0ℓ-fᴸ④4⁴G.SERvⅇⓡ.ⁱNtₑrnAℒ

Reference