Nullcon Berlin HackIM 2023 CTF - WEB requests Writeup
1. reguest Writeup
Description
HTTP requests and libraries are hard. Sometimes they do not behave as expected, which might lead to vulnerabilities.
To solve the challenge, let's start by looking at the app.py code.
app.py
```python
from flask import Flask, Response, request
import requests
import io

app = Flask(__name__)


@app.route('/')
def index():
    s = requests.Session()
    cookies = {'role': 'guest'}
    output = io.StringIO()
    output.write("Usage: Look at the code ;-)\n\n")
    try:
        output.write("Overwriting cookies with default value! This must be secure!\n")
        cookies = {**dict(request.cookies), **cookies}
        headers = {**dict(request.headers)}
        if cookies['role'] != 'guest':
            raise Exception("Illegal access!")
        r = requests.Request("GET", "http://backend:8080/whoami", cookies=cookies, headers=headers)
        prep = r.prepare()
        output.write("Prepared request cookies are: ")
        output.write(str(prep._cookies.items()))
        output.write("\n")
        output.write("Sending request...")
        output.write("\n")
        resp = s.send(prep, timeout=2.0)
        output.write("Request cookies are: ")
        output.write(str(resp.request._cookies.items()))
        output.write("\n\n")
        if 'Admin' in resp.content.decode():
            output.write("Someone's drunk oO\n\n")
        output.write("Response is: ")
        output.write(resp.content.decode())
        output.write("\n\n")
    except Exception as e:
        print(e)
        output.write("Error :-/" + str(e))
        output.write("\n\n")
    return Response(output.getvalue(), mimetype='text/plain')


if __name__ == "__main__":
    app.run(host='0.0.0.0', port='8080', debug=False)
```
backend.py
```python
import os
from flask import Flask, request, Response

app = Flask(__name__)


@app.route('/whoami')
def whoami():
    role = request.cookies.get('role','guest')
    really = request.cookies.get('really', 'no')
    if role == 'admin':
        if really == 'yes':
            resp = 'Admin: ' + os.environ['FLAG']
        else:
            resp = 'Guest: Nope'
    else:
        resp = 'Guest: Nope'
    return Response(resp, mimetype='text/plain')


if __name__ == "__main__":
    app.run(host='0.0.0.0', port='8080', debug=False)
```
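This is a simple challenge. You only need to set two cookie values when app.py sends its request to /backend/whoami. app.py overwrites role only in the dict passed as cookies=, but it also forwards the client's headers unchanged, and requests does not replace a Cookie header that is already present in headers= with the cookies= values, so the backend receives the client's original cookies.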
Solution

Set the following cookies:

Cookie | Value |
---|---|
really | yes |
role | admin |
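The gap between the cookies app.py checks and the Cookie header it forwards can be reproduced offline with `requests.Request(...).prepare()`, with no network access. This is an added example, not part of the original writeup or the challenge code; `forward`, `parse_cookie_header`, `backend_grants_admin` and the `strip_cookie_header` mitigation are illustrative assumptions.

```python
import requests

BACKEND = "http://backend:8080/whoami"  # URL from app.py; never contacted here


def parse_cookie_header(value):
    """Split a Cookie header into a dict (simplified parser for this demo)."""
    pairs = (p.strip().split("=", 1) for p in (value or "").split(";") if "=" in p)
    return {name: val for name, val in pairs}


def forward(client_cookie_header, strip_cookie_header=False):
    """Build the upstream request the way app.py does.

    Returns (cookies the role check saw, cookies in the outgoing Cookie header).
    """
    # Constructed stand-ins for Flask's request.headers and request.cookies.
    headers = {"Cookie": client_cookie_header, "User-Agent": "demo-client"}
    cookies = {**parse_cookie_header(client_cookie_header), "role": "guest"}
    if cookies["role"] != "guest":  # same check as app.py; it can never fail
        raise PermissionError("Illegal access!")
    if strip_cookie_header:
        # Hardened variant (assumption, not the challenge's code): never forward
        # a client-supplied Cookie header, so cookies= is the only source.
        headers = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    prep = requests.Request("GET", BACKEND, cookies=cookies, headers=headers).prepare()
    checked = dict(prep._cookies.items())          # what app.py prints and trusts
    on_wire = parse_cookie_header(prep.headers.get("Cookie"))  # what backend parses
    return checked, on_wire


def backend_grants_admin(cookie_dict):
    """Decision backend.py's /whoami makes on the cookies it receives."""
    return (cookie_dict.get("role", "guest") == "admin"
            and cookie_dict.get("really", "no") == "yes")


if __name__ == "__main__":
    for strip in (False, True):
        checked, on_wire = forward("role=admin; really=yes", strip_cookie_header=strip)
        print(f"strip={strip}: checked={checked} on_wire={on_wire} "
              f"admin={backend_grants_admin(on_wire)}")
```
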