Advent of CTF: Challenge 22 Write-Up

b1tsec
4 min readDec 23, 2020

--

This marks challenge 22 of 24, this means there’s only two more challenges to go before the end of this CTF event. The goal in this particular challenge is to leverage an SSRF vulnerability to access files that are available through the loopback interface (127.0.0.1 or localhost).

Figure 1: Challenge badge

Let’s first start off by reading the challenge description to see if there’s specific areas to watch out for. Upon opening the challenge we are presented with the following:

Figure 2: Challenge description

Apparently there’s a new service, we can view Santa’s favorite pictures, how nice! Also, here we can see that the flag is located in flag.php in the current working directory of the web application. Let’s navigate to the URL of the challenge, upon doing so we are greeted by the web page pictured below.

Figure 3: Index.php

Just text, so much for a big reveal.. As we can see the “Is this santa?” text is colored purple, which usually indicates a hyperlink. If we hover over the text we can see that the link redirects to https://22.adventofctf.com/index.php?image=cat.jpg. Let’s follow the redirect, upon doing so we are greeted by this cute kitty.

Figure 4: Redirect

There’s nothing of interest on this page other than this adorable cat, let’s intercept this GET-request using Burp.

Figure 5: Intercepted request

Upon intercepting the request we can see that the image of the cat has been included in the response and it’s base64 encoded. The interesting thing here is that the image is included as data. At this point I tried loads of LFI payloads to see if I could include the flag.php using the image= parameter but that didn’t seem to work, I kept receiving the following error:

Figure 6: Error

After some searching online I found out what the function file_get_contents actually did and what was possible with it. It’s possible to retrieve the source of the homepage within the file_get_contents function. An example of the code is given below.

Figure 7: File_get_contents example

So how can we leverage this to include remote files on the web server? Well we can try to set the image= parameter to point to the URL of the index.php page using some basic SSRF (Server Side Request Forgery). A brief explanation of SSRF: “Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network. An attacker may also leverage SSRF to access services available through the loopback interface (127.0.0.1) of the exploited server”. Let’s give this a try shall we?!

Figure 8: Including the index.php file

As seen above we have tried to include the index.php file by leveraging the services that are available through the loopback interface. This vulnerability arises because internal IP’s are most often trusted in networks. It’s also possible to specify 127.0.0.1 or localhost, 0x7f000001 is just a different notation for the loopback interface which often gets used to bypass filters. Let’s now confirm that we really did include the index.php file by decoding the base64 encoded response.

Figure 9: Decoded index.php file

In the picture above we can see that this is indeed the page that is given on the homepage because we can see the hyperlink to the cat image. Now that we have identified the vulnerability let’s get our flag by including the flag.php file.

Figure 10: Encoded flag.php file

We confirm the we have gotten a response from the web server, we have a small base64 encoded string so let’s decode that and see what the contents are.

Figure 11: Flag

Challenge solved, there is our flag! Let’s submit it so we can get our points. Thanks for reading and happy hacking!

--

--

No responses yet