This is challenge 22 of 24, which means there are only two more challenges to go before the end of this CTF event. The goal in this particular challenge is to leverage an SSRF vulnerability to access files that are available through the loopback interface (127.0.0.1 or localhost).
Let’s first start off by reading the challenge description to see if there are any specific areas to watch out for. Upon opening the challenge we are presented with the following:
Apparently there’s a new service where we can view Santa’s favorite pictures, how nice! We can also see that the flag is located in flag.php in the current working directory of the web application. Let’s navigate to the URL of the challenge; upon doing so we are greeted by the web page pictured below.
Just text, so much for a big reveal. As we can see, the “Is this santa?” text is colored purple, which usually indicates a hyperlink. If we hover over the text we can see that the link points to https://22.adventofctf.com/index.php?image=cat.jpg. Let’s follow the link; upon doing so we are greeted by this cute kitty.
There’s nothing of interest on this page other than this adorable cat, so let’s intercept this GET request using Burp.
Upon intercepting the request we can see that the image of the cat has been included in the response, base64 encoded. The interesting thing here is that the image is included as data rather than served as a separate file. At this point I tried loads of LFI payloads to see if I could include flag.php through the image= parameter, but that didn’t work; I kept receiving the following error:
After some searching online I found out what the function file_get_contents actually does and what is possible with it. file_get_contents accepts a URL as well as a local path, so it can be used to retrieve the source of the homepage. An example of the code is given below.
So how can we leverage this to include remote files on the web server? Well we can try to set the image= parameter to point to the URL of the index.php page using some basic SSRF (Server Side Request Forgery). A brief explanation of SSRF: “Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network. An attacker may also leverage SSRF to access services available through the loopback interface (127.0.0.1) of the exploited server”. Let’s give this a try shall we?!
As seen above we have tried to include the index.php file by leveraging the services that are available through the loopback interface. This vulnerability arises because internal IPs are most often trusted within networks. It’s also possible to specify 127.0.0.1 or localhost; 0x7f000001 is just a different notation for the loopback interface, which is often used to bypass filters that only check for the dotted form. Let’s now confirm that we really did include the index.php file by decoding the base64 encoded response.
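For anyone who has to fix rather than exploit a page like this, the following is an added example (my own code, not the challenge’s): it replaces the assumed `file_get_contents($_GET['image'])` pattern with a handler that only serves plain image filenames from a fixed directory, and adds a small access-log review helper that flags image= values pointing at the loopback interface in any of the notations mentioned above (localhost, 127.x, hex like 0x7f000001, decimal). The log lines, directory layout and function names are all constructed for the demo.

```python
"""
Hardened replacement for the file_get_contents($_GET['image']) pattern
(assumed shape of the vulnerable code), plus a log-review helper that
spots SSRF attempts aimed at the loopback interface.
Constructed example for this write-up; not the challenge's own code.
"""
import ipaddress
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Only bare image filenames are accepted: no directories, no URL schemes,
# no dots other than the one before the extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)$")


def resolve_image(param: str, image_dir: str) -> Optional[str]:
    """Return the absolute path of a valid image inside image_dir, else None.

    The regex rejects URLs, traversal and anything ending in .php; realpath
    then confirms the final path still lives under image_dir (this also
    catches a symlink inside the directory that points elsewhere).
    """
    if not SAFE_NAME.fullmatch(param):
        return None
    base = os.path.realpath(image_dir)
    candidate = os.path.realpath(os.path.join(base, param))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def loopback_target(param: str) -> bool:
    """True if param is a URL whose host is the loopback interface, whether
    written as localhost, 127.0.0.1, ::1, hex (0x7f000001) or decimal."""
    parts = urlsplit(param)
    if not parts.scheme or not parts.hostname:
        return False
    host = parts.hostname
    if host == "localhost":
        return True
    try:
        if re.fullmatch(r"0x[0-9a-f]+", host):
            addr = ipaddress.ip_address(int(host, 16))
        elif host.isdigit():
            addr = ipaddress.ip_address(int(host))
        else:
            addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname that is not an IP literal at all
    return addr.is_loopback


# Constructed web-server access log lines (not from the challenge host).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Dec/2020:10:00:01 +0000] "GET /index.php?image=cat.jpg HTTP/1.1" 200 45012',
    '10.0.0.5 - - [22/Dec/2020:10:00:07 +0000] "GET /index.php?image=../flag.php HTTP/1.1" 200 112',
    '10.0.0.5 - - [22/Dec/2020:10:00:12 +0000] "GET /index.php?image=http://0x7f000001/index.php HTTP/1.1" 200 640',
    '10.0.0.5 - - [22/Dec/2020:10:00:15 +0000] "GET /index.php?image=http%3A%2F%2Flocalhost%2Findex.php HTTP/1.1" 200 640',
]
LOG_LINE = re.compile(r'"GET /index\.php\?image=([^ "]+) HTTP')


def flag_suspicious(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (decoded image= value, reason) for every request worth a look."""
    findings = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        param = unquote(match.group(1))  # undo URL encoding before checking
        if loopback_target(param):
            findings.append((param, "ssrf-loopback"))
        elif not SAFE_NAME.fullmatch(param):
            findings.append((param, "not-a-plain-image-name"))
    return findings


def demo_resolve() -> Dict[str, bool]:
    """Exercise resolve_image against a throwaway directory holding cat.jpg."""
    image_dir = tempfile.mkdtemp()
    with open(os.path.join(image_dir, "cat.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # constructed JPEG header bytes
    requests = ["cat.jpg", "../flag.php", "flag.php", "http://0x7f000001/index.php"]
    return {r: resolve_image(r, image_dir) is not None for r in requests}


if __name__ == "__main__":
    print(demo_resolve())
    for value, reason in flag_suspicious(SAMPLE_LOG):
        print(f"{reason:25} {value}")
```

The allowlist regex does most of the work here; the realpath check is belt and braces for the case where someone later drops a symlink into the image directory. The log helper decodes the parameter first, since the same loopback URL can arrive percent-encoded and would otherwise slip past a naive string match.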
In the picture above we can see that this is indeed the page that is given on the homepage because we can see the hyperlink to the cat image. Now that we have identified the vulnerability let’s get our flag by including the flag.php file.
We confirm that we have received a response from the web server. It contains a small base64 encoded string, so let’s decode that and see what the contents are.
Challenge solved, there is our flag! Let’s submit it so we can get our points. Thanks for reading and happy hacking!