Nullcon Berlin HackIM 2023 CTF - WEB reguest Writeup

1. reguest Writeup

Description

HTTP requests and libraries are hard. Sometimes they do not behave as expected, which might lead to vulnerabilities.

To solve the challenge, let's start by looking at the app.py code.


app.py

from flask import Flask, Response, request
import requests
import io

app = Flask(__name__)


@app.route('/')
def index():
	s = requests.Session()
	cookies = {'role': 'guest'}

	output = io.StringIO()
	output.write("Usage: Look at the code ;-)\n\n")
	try:
		output.write("Overwriting cookies with default value! This must be secure!\n")
		cookies = {**dict(request.cookies), **cookies}
		headers = {**dict(request.headers)}

		if cookies['role'] != 'guest':
			raise Exception("Illegal access!")

		r = requests.Request("GET", "http://backend:8080/whoami", cookies=cookies, headers=headers)
		prep = r.prepare()

		output.write("Prepared request cookies are: ")
		output.write(str(prep._cookies.items()))
		output.write("\n")
		output.write("Sending request...")
		output.write("\n")
		
		resp = s.send(prep, timeout=2.0)
		
		output.write("Request cookies are: ")
		output.write(str(resp.request._cookies.items()))
		output.write("\n\n")
		if 'Admin' in resp.content.decode():
			output.write("Someone's drunk oO\n\n")
		output.write("Response is: ")
		output.write(resp.content.decode())
		output.write("\n\n")
	except Exception as e:
		print(e)
		output.write("Error :-/" + str(e))
		output.write("\n\n")

	return Response(output.getvalue(), mimetype='text/plain')


if __name__ == "__main__":
	app.run(host='0.0.0.0', port='8080', debug=False)


backend.py

import os
from flask import Flask, request, Response

app = Flask(__name__)


@app.route('/whoami')
def whoami():
	role = request.cookies.get('role','guest')
	really = request.cookies.get('really', 'no')
	if role == 'admin':
		if really == 'yes':
			resp = 'Admin: ' + os.environ['FLAG']
		else:
			resp = 'Guest: Nope'
	else:
		resp = 'Guest: Nope'
	return Response(resp, mimetype='text/plain')

if __name__ == "__main__":
	app.run(host='0.0.0.0', port='8080', debug=False)

This is a simple challenge. When app.py forwards the request to the backend's /whoami endpoint, you only need to set two cookie values. The merge {**dict(request.cookies), **cookies} does force role back to 'guest', but headers = {**dict(request.headers)} forwards every incoming header, including the client's raw Cookie header. The requests library (through the standard-library cookie jar) only builds a Cookie header from the cookies argument when the outgoing request does not already carry one, so the client-supplied "Cookie: role=admin; really=yes" reaches the backend untouched, even though the "Prepared request cookies" line still shows role=guest.

Solution

Set the following cookies on the request to app.py:

really = yes
role = admin
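To show why the overwrite in app.py does not help, here is an added example (my own code, not the challenge's or the writeup's): it reproduces the cookie precedence with the standard-library cookie jar that requests uses internally while preparing a request, and puts app.py's forward-everything header handling next to an allow-listed version. The backend URL is the one from app.py; the sample headers and cookies are constructed, and FORWARDED_HEADERS is an assumed allow-list.

```python
# Added example, not part of the challenge or the writeup. It reproduces the
# cookie-precedence behaviour behind the "reguest" bypass using only the
# Python standard library and contrasts app.py's forwarding with a hardened
# version. Assumption: the backend URL mirrors the challenge's app.py.
import http.cookiejar
import urllib.request

BACKEND_URL = "http://backend:8080/whoami"  # taken from the challenge's app.py


def jar_from_dict(cookies):
    """Build a CookieJar from a dict the way requests.cookies.cookiejar_from_dict
    does: domain-less, path '/', version-0 cookies."""
    jar = http.cookiejar.CookieJar()
    for name, value in cookies.items():
        jar.set_cookie(http.cookiejar.Cookie(
            version=0, name=name, value=value,
            port=None, port_specified=False,
            domain="", domain_specified=False, domain_initial_dot=False,
            path="/", path_specified=True,
            secure=False, expires=None, discard=True,
            comment=None, comment_url=None, rest={}))
    return jar


def effective_cookie_header(headers, cookies, url=BACKEND_URL):
    """Return the Cookie header that would actually leave for the backend.

    CookieJar.add_cookie_header() is the routine requests calls while preparing
    a request; it leaves the request alone when a Cookie header is already set.
    """
    req = urllib.request.Request(url, headers=headers)
    jar_from_dict(cookies).add_cookie_header(req)
    return req.get_header("Cookie")


def vulnerable_forward(incoming_headers, incoming_cookies):
    """Same steps as app.py: force role=guest, then forward *all* headers."""
    cookies = {**incoming_cookies, "role": "guest"}
    headers = {**incoming_headers}   # still contains the client's raw Cookie header
    if cookies["role"] != "guest":   # app.py's check: cannot fail after the merge
        raise Exception("Illegal access!")
    return effective_cookie_header(headers, cookies)


# Assumed allow-list for a hardened proxy: Cookie, Host, Authorization etc. are
# deliberately absent, so the cookie dict is the only source of cookies.
FORWARDED_HEADERS = {"accept", "user-agent"}


def hardened_forward(incoming_headers, incoming_cookies):
    """Forward only allow-listed headers; the sanitised cookie dict now wins."""
    cookies = {**incoming_cookies, "role": "guest"}
    headers = {k: v for k, v in incoming_headers.items()
               if k.lower() in FORWARDED_HEADERS}
    return effective_cookie_header(headers, cookies)


def parse_cookie_header(value):
    """Split 'a=1; b=2' into a dict so comparisons do not depend on order."""
    pairs = (part.strip().split("=", 1) for part in value.split(";") if part.strip())
    return {k: v for k, v in pairs}


if __name__ == "__main__":
    # Constructed sample: what a browser sends after applying the writeup's solution
    sample_headers = {"Host": "app:8080", "User-Agent": "demo",
                      "Cookie": "role=admin; really=yes"}
    sample_cookies = {"role": "admin", "really": "yes"}
    print("app.py forwards   :", vulnerable_forward(sample_headers, sample_cookies))
    print("hardened forwards :", hardened_forward(sample_headers, sample_cookies))
```

Run it directly to see both Cookie headers side by side: the app.py-style path emits the client's header verbatim, while the allow-listed path still forwards really=yes but the backend only ever sees role=guest, so the 'Admin' branch in backend.py is unreachable.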
