spacesos: add writeup #7

Open · wants to merge 1 commit into master

Conversation

notaLonelyDay

No description provided.

@b1r1b1r1 b1r1b1r1 requested a review from jnovikov May 3, 2022 17:59
@notaLonelyDay (Author)

@derlaft @Alagunto @pomo-mondreganto @jnovikov
Can someone please review and merge?

@@ -0,0 +1,40 @@
# Spacesos Writeup
Есть сервис на дарте, который через `messages.dart` отправляет сообщения на сервис на php. В нём и будут все уязвимости.
## First vulnerability
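Review bot: the heading `## First vulnerability` and the intro sentence ("There is a Dart service that sends messages via `messages.dart` to a PHP service. That is where all the vulnerabilities are.") tell the reader neither the bug class nor where the bug sits. Name the section after the class, and open it with the Dart-side request that carries the user name: the sections below describe how that name is interpreted once it reaches `$_GET['user']`, which only makes sense once the reader has seen how `messages.dart` places it in the URL.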
Member

Name it like 'SSRF vulnerability'

chdir("/tmp/messages");
echo file_get_contents(path_normalize($user)) ?? "";
```
Если в имени user будет #, то в `$_GET['user']` вернёт имя без #
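Review bot: the snippet and the sentence under it do not connect. The code reads `path_normalize($user)` after `chdir("/tmp/messages")`, but the sentence ("If the user name contains `#`, `$_GET['user']` returns the name without the `#`") talks about `$_GET['user']` and never says where `$user` comes from or why the part after `#` is lost. Show the line that assigns `$user`, and state the mechanism: if the name is interpolated into the request URL without encoding, `#` starts the URL fragment, and an HTTP client never transmits the fragment, so the PHP side only ever sees the prefix. Also quote `path_normalize` here, since the snippet calls it but the section never shows it.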
Member

The described method is good, but if you can, please explain the 'original' exploit first, and you can describe this one as a second option (which comes from the one SSRF & no-sanitization problem).

echo file_get_contents(path_normalize($user)) ?? "";
```
Если в имени user будет #, то в `$_GET['user']` вернёт имя без #
Получается можно посмотреть все public crashes, нарегать юзеров с таким же именем и #xxxx на конце и мы получим краши юзеров без #xxxx
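Review bot: the sentence "So we can look at all public crashes, register users with the same name plus `#xxxx` at the end, and we get the crashes of the users without `#xxxx`" runs the reconnaissance and the exploit together, so it reads as if the bug were about public crashes. Split it into ordered steps: the public crash list is only the source of victim user names; registering `<victim>#xxxx` succeeds because it is a different string from `<victim>`; the request for one's own crashes then reaches PHP as `user=<victim>` and returns the victim's file. Naming the victim explicitly (`<victim>` rather than "users without #xxxx") would also remove the ambiguity.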
Member

The reader can misunderstand the sentence as 'the vuln allows you to read public crashes'.

```
Если в имени user будет #, то в `$_GET['user']` вернёт имя без #
Получается можно посмотреть все public crashes, нарегать юзеров с таким же именем и #xxxx на конце и мы получим краши юзеров без #xxxx
## Second vulnerability
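Review bot: `## Second vulnerability` repeats the naming problem of the first heading, and the text that follows refers to the `path_normalize` code ("As we can see ...") that the reader has not been shown. Name the heading after the bug class and start the section with the full `path_normalize` function body, so the bypass described afterwards can be checked against the actual filter.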
Member

Name it like 'PHP sanitization bypass'

@@ -0,0 +1,40 @@
# Spacesos Writeup
Есть сервис на дарте, который через `messages.dart` отправляет сообщения на сервис на php. В нём и будут все уязвимости.
Member

It is not true that all the vulns are in the PHP service.

The Dart one is the one that should not allow controlling the urlstring, and it causes the SSRF.

}
```
Как мы видим, если username будет путь, то он вырежет все `..`, поэтому по папкам походить не получится, но можно вставить `.`, и тогда будет всё отлично.
Опять же, смотрим public crashes, регаем юзеров с именем xxxxx/./admin и смотрим краши админа.
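Review bot: the payload `xxxxx/./admin` does not demonstrate the bypass the previous sentence describes ("it cuts out all `..`, so we can't walk through directories, but we can insert a `.`, and then everything works fine"): a `.` path segment is a no-op, so after `chdir("/tmp/messages")` the PHP side resolves `xxxxx/./admin` to the same file as `xxxxx/admin`, and no directory is escaped. State exactly what `path_normalize` does with `..` (a single non-recursive removal, a replacement, or a per-segment filter) and give the payload that survives it together with the path it normalises to. Since there is no `admin` user in the service, write the target as `<victim>` as the review above suggests.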
Member @jnovikov Jun 13, 2022

  1. Should it be xxxx/../admin?
  2. There is no admin in this service, so it would be good to change it to something like xxxxx/./<user_to_sploit>

@jnovikov (Member)

Thanks for your contribution.

I want to ask you to improve your writeup before merging.

  1. Please translate it to English, as our CTFs are international.
  2. There are original sploits inside the sploits directory. It would be good to have consistency with the sploit, so I would ask you to first explain the original (writeup solution) and add the one provided by you as an alternative.
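As an added illustration of the `#` behaviour discussed in this review (example code written for this page, not the spacesos service's code and not the author's sploit): the block below models a client that interpolates a user name into a GET URL, the request target an HTTP client actually sends, and the name a PHP-style `$_GET['user']` would then see. It assumes that the name travels in the query string and that the PHP side reads `$_GET['user']`; the endpoint `messages.php`, the host `php-service` and all function names are made up for the demonstration.

```python
"""Added example, not from the spacesos writeup or service: why a user name
containing '#' reaches the PHP side truncated, and why percent-encoding it
in the client prevents the collision.

Assumptions (hypothetical, not taken from the service code): the Dart client
puts the name into the query string of a GET request and the PHP side reads
$_GET['user']. Endpoint, host and function names are invented for this demo.
"""
from urllib.parse import parse_qs, quote, urlsplit

PHP_BASE = "http://php-service/messages.php"  # assumed endpoint


def build_url_naive(user: str) -> str:
    """Vulnerable client: interpolates the raw name into the URL."""
    return f"{PHP_BASE}?user={user}"


def build_url_safe(user: str) -> str:
    """Fixed client: percent-encodes the name so '#', '&', '/', '?' stay data."""
    return f"{PHP_BASE}?user={quote(user, safe='')}"


def request_target(url: str) -> str:
    """What an HTTP client puts in the request line: path and query only.

    The fragment (everything after the first '#') is never transmitted, so
    it cannot reach the server no matter how the server parses the query.
    """
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def php_get_user(target: str) -> str:
    """Models $_GET['user']: query parsing with percent-decoding."""
    return parse_qs(urlsplit(target).query).get("user", [""])[0]


def name_seen_by_php(user: str, safe: bool = False) -> str:
    """End-to-end: the name the PHP service resolves for a registered name."""
    url = build_url_safe(user) if safe else build_url_naive(user)
    return php_get_user(request_target(url))


def collisions(registered: list[str]) -> dict[str, str]:
    """Registered names that the naive client maps onto a different name.

    This is the collision the writeup exploits: register '<victim>#xxxx' and
    the PHP side looks up '<victim>' instead.
    """
    return {
        name: seen
        for name in registered
        if (seen := name_seen_by_php(name)) != name
    }


if __name__ == "__main__":
    # Constructed sample of registered names, not data from the service.
    users = ["alice", "bob", "alice#1337", "bob#cafe", "carol"]
    for alias, target in collisions(users).items():
        print(f"{alias!r} is served {target!r}'s data")
    print(name_seen_by_php("alice#1337", safe=True))  # alice#1337
```

Run with Python 3.9 or newer. The check that matters for the writeup is `collisions()`: with the naive client, `alice#1337` is served `alice`'s data; with `build_url_safe` the name arrives as `alice%231337`, decodes back to `alice#1337`, and no collision remains.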
