One Article Review

Source: w00tsec (blog)
Identifier: 8300157
Publication date: 2016-03-15 19:09:18 (viewed: 2023-01-11 16:56:00)
Title: 0CTF 2016 Write Up: Monkey (Web 4)
Text: The Chinese 0CTF took place on March 12-13 and it was yet another fun CTF. I played with my teammates from TheGoonies and we were ranked #48. I found the Web task "Monkey" particularly interesting: I solved it with help from my friend @danilonc, but it took far longer than it should have because of some **Spoiler Alert** DNS glitches. According to the scoreboard, approximately 35 teams solved it.

Task: Monkey (Web - 4pts)
What is Same Origin Policy?
You can test this problem on your local machine.
http://202.120.7.200

The running application receives a Proof-of-Work string and an arbitrary URL, and instructs a "monkey" to browse the submitted URL for 2 minutes.

Proof-of-Work

Solving the proof-of-work is straightforward: generate candidate strings and compare the first 6 hex characters of each one's MD5 against the challenge value. This PoW was more CPU-intensive than usual, so the traditional bash/python one-liner CTF scripts needed some performance improvements. @danilonc had written a quick Go hack to brute-force PoWs from older CTF challenges, so we just modified it slightly:

Solving the Proof-of-Work:

Same-Origin Policy and CORS

The Same-Origin Policy (SOP) treats pages that share the same URI scheme, hostname and port as residing at the same origin. If any of these three attributes differs, the resource is in a different origin. Hence, resources served from the same scheme, hostname and port can interact without restriction. If you use an XMLHttpRequest to send a request to a different origin, you cannot read the response. However, the request is still sent and arrives at its destination, so any server-side effect it triggers happens even though the response stays unreadable.
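The proof-of-work step described above, as an added Python example that is not the write-up's own Go brute-forcer: it assumes the challenge is a lowercase hex prefix that MD5(candidate) must start with (the task used 6 characters), enumerates salt + counter candidates instead of random strings, and exposes the counter space as start/step so the same function can be striped across worker processes. The salt "w00t" and the 4-character demo challenge are constructed for this example.

```python
import hashlib
import itertools


def md5_hex(data: str) -> str:
    """MD5 of a UTF-8 string as a lowercase hex digest."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def verify_pow(target_prefix: str, candidate: str) -> bool:
    """Check a submission the way the challenge server is assumed to:
    the first len(target_prefix) hex chars of MD5(candidate) must equal
    target_prefix (assumed format; the original task compared 6 chars)."""
    return md5_hex(candidate).startswith(target_prefix.lower())


def expected_attempts(target_prefix: str) -> int:
    """Average number of hashes needed for a k-hex-char prefix is 16**k;
    for the task's 6 chars that is about 16.7 million MD5 calls, which is
    why a one-liner was too slow and a compiled brute-forcer was used."""
    return 16 ** len(target_prefix)


def solve_pow(target_prefix: str, salt: str = "w00t",
              start: int = 0, step: int = 1) -> str:
    """Brute-force a string whose MD5 hex digest starts with target_prefix.

    Candidates are salt + counter rather than random strings: no RNG cost,
    no repeated work, and the counter space splits across N workers by
    giving worker k start=k and step=N (stride partitioning).
    """
    target_prefix = target_prefix.lower()
    for i in itertools.count(start, step):
        candidate = f"{salt}{i}"
        if md5_hex(candidate).startswith(target_prefix):
            return candidate


if __name__ == "__main__":
    # Constructed example challenge: a 4-hex-char prefix keeps this quick;
    # the real task used 6, i.e. 256x more work on average.
    challenge = "0c7f"
    answer = solve_pow(challenge)
    print(f"{answer} -> md5 {md5_hex(answer)} "
          f"(about {expected_attempts(challenge)} tries on average)")
```

To use all cores, run `solve_pow(prefix, start=k, step=N)` in N processes and take the first result; every worker covers a disjoint residue class of the counter, so no hash is computed twice.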
This policy prevents a malicious script on one page from reading sensitive data (both headers and body) from another page on a different origin. For this particular challenge, if the secret internal page had carried a permissive CORS header such as "Access-Control-Allow-Origin: *", we could have retrieved its contents with no effort. That, of course, was not the case.

Bypassing the Same-Origin Policy

The flag was accessible on an internal web server at http://127.0.0.1:8080/secret. The first thing we did was hook the monkey's browser with BeEF, so we could fingerprint its device, platform, plugins and components.
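The same-origin and CORS rules discussed above, as an added Python model that is not part of the write-up: it reduces URLs to the (scheme, host, port) triple with default ports filled in, so http://host and http://host:80 compare equal, and it reproduces the browser's decision on whether a cross-origin response may be read, including the rule that a wildcard Access-Control-Allow-Origin never applies to credentialed requests. The attacker page host evil.example is hypothetical; the internal target http://127.0.0.1:8080/secret is the one from the task.

```python
from urllib.parse import urlsplit

# Ports a browser assumes when the URL omits one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url: str) -> tuple:
    """Reduce a URL to its (scheme, host, port) origin triple.
    A missing port resolves to the scheme default, and host case is
    ignored, so http://A.Example/x and http://a.example:80/ match."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def serialize_origin(url: str) -> str:
    """Origin as the browser sends it in the Origin request header and as
    a server must echo it in Access-Control-Allow-Origin: default ports
    are omitted, non-default ports are kept."""
    scheme, host, port = origin_of(url)
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def same_origin(a: str, b: str) -> bool:
    """SOP: same scheme, host and port, nothing else matters."""
    return origin_of(a) == origin_of(b)


def cors_response_readable(page_url: str, acao, allow_credentials: bool = False,
                           with_credentials: bool = False) -> bool:
    """Model of the browser's CORS check for a cross-origin response.

    page_url          URL of the page whose script made the request
    acao              value of Access-Control-Allow-Origin, or None if absent
    allow_credentials True if Access-Control-Allow-Credentials: true was sent
    with_credentials  True if the request carried cookies / HTTP auth
    The request reaches the server regardless; this only decides whether
    the script gets to see the response.
    """
    if acao is None:
        return False
    if acao == "*":
        # The wildcard is rejected for credentialed requests.
        return not with_credentials
    if acao != serialize_origin(page_url):
        return False
    return (not with_credentials) or allow_credentials


if __name__ == "__main__":
    attacker_page = "http://evil.example:8080/payload.html"  # hypothetical
    secret = "http://127.0.0.1:8080/secret"                  # from the task
    print("same origin:", same_origin(attacker_page, secret))  # False
    # The scenario the write-up rules out: a wildcard ACAO on the secret page.
    print("readable with ACAO *:", cors_response_readable(attacker_page, "*"))
    print("readable with no ACAO:", cors_response_readable(attacker_page, None))
```

Note that port equality alone does not help: both URLs above use 8080, but the hostnames differ, so the attacker page and the secret page are different origins and the script never sees the secret's body without a cooperating CORS header.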
Tags: Hack
Rating: ★★★★


The article does not appear to have been republished after its publication.


The article does not appear to be a repost of an earlier one.