Simple Web 0x14 (Lab - Debug)
tags: NTUSTWS, CTF, Web
Challenge: http://h4ck3r.quest:9020/
Background
Source code
:::spoiler source code
```python
from flask import Flask, request, Response
import urllib.request
import json

app = Flask(__name__)
app.config['FLAG'] = "FL4G{fake_flag}"


@app.route('/')
def index():
    return '''
    <form action="/proxy">
        <input type="text" name="url" placeholder="URL">
        <input type="submit">
    </form>
    <p><a href="/source">Source Code</a> | <a href="/debug">Debug</a></p>
    '''


@app.route("/proxy")
def proxy():
    url = request.args.get("url")
    if url is None:
        return "No URL provided"
    if "https://" not in url:
        url = "https://" + url
    try:
        with urllib.request.urlopen(url) as response:
            return response.read()
    except urllib.error.HTTPError as e:
        return str(e)


@app.route("/debug")
def debug():
    # only allow access for localhost
    if request.remote_addr != "127.0.0.1":
        return "Access denied", 403
    return json.dumps(app.config, default=lambda _: None)


@app.route("/source")
def source():
    import re
    source_code = open(__file__).read()
    source_code = re.sub(r'FLAG{.*}', r'FL4G{fake_flag}', source_code, count=1)
    return Response(source_code, mimetype='text/plain')
```
:::
Analyze
- `/index` page
  It has an input field that accepts an arbitrary URL and submits it to the `/proxy` route, which fetches it.
- `/proxy` page
  It prepends `https://` if the URL does not contain that string.
- `/debug` page
  If the request's remote address is not `127.0.0.1`, the request is rejected with 403; otherwise, it prints the app configuration as JSON. Hint: the flag is already loaded into the app configuration, so we just need to use SSRF to access `/debug`.
Exploit - SSRF
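We need to bypass the `https://` constraint. Because `/proxy` only checks that the string `https://` appears somewhere in the URL, we can add it to our URL as a query string, as below.

Payload: `http://127.0.0.1/debug?https://`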
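
For comparison, here is the lab's substring check next to a stricter validator that parses the URL and rejects non-public destinations. This is an added example, not part of the challenge source or the original writeup; `substring_check`, `resolve` and `validate_proxy_url` are hypothetical names, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def substring_check(url):
    """The lab's check, reproduced: 'https://' anywhere in the string passes."""
    return url if "https://" in url else "https://" + url


def resolve(host):
    """Default resolver: every address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_proxy_url(url, resolver=resolve):
    """Return (allowed, reason) based on the parsed URL, not a substring."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(parts.hostname))}   # IP literal
    except ValueError:
        try:
            addrs = resolver(parts.hostname)                  # host name
        except OSError:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # Loopback, private, link-local and reserved ranges are all non-global.
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    payload = "http://127.0.0.1/debug?https://"   # payload from the writeup
    print(substring_check(payload))               # passes through unchanged
    print(validate_proxy_url(payload))
```

Validation alone is not sufficient: `urllib.request.urlopen` follows redirects and resolves the name again at fetch time, so the fetch should connect to the validated address and refuse redirects.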