Alienise

Welcome back to Exploitnetworking! Alienise was a web challenge of SECT CTF 2018, where you abuse an nginx misconfiguration to get the flag. The first step is to open the website and inspect the source code:

As you can see, there is a commented-out link, so try inserting this directory in the URL to see what happens: the response is a 403 Forbidden error. Now we can inspect the request using Burp to see the details:

Interesting: there is a redirection, and there is an information disclosure, because we have found a new path, /static/admin_current.zip. Unfortunately this path doesn’t work on alienise.se; it works only on the cdn subdomain (thanks to the hint on Twitter by @sectctf!). So type this URL, cdn.alieni.se/static/admin_current.zip, and download the zip file.

The zip file contains the whole admin site backup, with two interesting files: creator.py and nginx.conf. In creator.py there is this function:


This means that the output of the index page is the flag. But how do we reach that directory? Open config.py and see that these server files are the admin “application”, which runs on port 81:


So the flag is printed out only if we can reach the home page of the admin application! But how? Open the file nginx.conf to inspect it:


As we can see, the server returns a 403 error if the host is “admin.alieni.se” and the client IP is not “10.1.33.7”. But if we look carefully at the first condition:


we can see that it is a “strict” (case-sensitive) string comparison, so what happens if we send “Admin.alieni.se” or “aDmin.alieni.se” instead? Modify the Host header in Burp, together with the URL path and the port, and execute:
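To make the logic behind this bypass concrete, here is an added example (not code from the original write-up or from the challenge files): a small Python model of the two-condition access rule as the post and the comments describe it, next to a hardened variant a defender would want instead. The host name, the allowed IP and the $block_me_now / A / B values come from the post; the request samples, the function names and the assumption that the raw, un-normalized Host header string is what gets compared are constructed here.

```python
# Added example (not the challenge's own code): a model of the nginx access rule
# described in the write-up, and a hardened version of the same decision.
from dataclasses import dataclass

ADMIN_HOST = "admin.alieni.se"   # host named in the post
ALLOWED_IP = "10.1.33.7"         # admin IP named in the post


@dataclass
class Request:
    host: str          # raw Host header value, exactly as the client sent it (assumption)
    client_ip: str     # remote address as seen by the server


def weak_decision(req: Request) -> int:
    """Model of the rule as described: two independent checks append 'A' and 'B'
    to $block_me_now, and the request is refused only when the result is 'AB'.
    The host check is a case-sensitive string equality, which is the flaw."""
    block_me_now = ""
    if req.host == ADMIN_HOST:               # condition 1: exact, case-sensitive compare
        block_me_now = "A"
    if req.client_ip != ALLOWED_IP:          # condition 2: request not from the admin IP
        block_me_now = block_me_now + "B"    # "${block_me_now}B"
    return 403 if block_me_now == "AB" else 200


def hardened_decision(req: Request) -> int:
    """Hardened variant: normalize the host before comparing (DNS names are
    case-insensitive, and a client may append a port or a trailing dot), then
    decide on the two facts directly instead of via a string that can be left
    half-built when one branch does not fire."""
    host = req.host.split(":", 1)[0].rstrip(".").lower()
    is_admin_host = host == ADMIN_HOST
    from_allowed_ip = req.client_ip == ALLOWED_IP
    return 403 if (is_admin_host and not from_allowed_ip) else 200


# Constructed sample requests: the two host spellings from the post, a variant
# with an explicit port, the legitimate admin client, and an unrelated vhost.
SAMPLE_REQUESTS = [
    Request("admin.alieni.se", "203.0.113.5"),
    Request("aDmin.alieni.se", "203.0.113.5"),
    Request("Admin.alieni.se:81", "203.0.113.5"),
    Request("admin.alieni.se", "10.1.33.7"),
    Request("www.alieni.se", "203.0.113.5"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (host, ip, weak_status, hardened_status) for each sample request."""
    return [(r.host, r.client_ip, weak_decision(r), hardened_decision(r)) for r in requests]


if __name__ == "__main__":
    for host, ip, weak, hardened in compare():
        print(f"{host:22} {ip:14} weak={weak} hardened={hardened}")
```

Running the block shows the weak rule letting “aDmin.alieni.se” and “Admin.alieni.se:81” through with 200 while the hardened rule refuses both with 403; the legitimate request from 10.1.33.7 passes in both. Two practitioner notes on the real server: nginx lowercases `$host` but leaves `$http_host` as the client sent it, so which variable a rule compares matters; and the idiomatic fix is not a smarter `if` but a dedicated `server` block for the admin name with `allow 10.1.33.7; deny all;`, so the host match and the IP restriction cannot be satisfied separately.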

Here is an interesting book on web security: https://amzn.to/2OmkBMU

2018-09-15T10:24:01+00:00


3 Comments

  1. Tamás 17/09/2018 at 6:42 am

    Hi! How did you bypass the IP check? (Line 9 in the config file)

    • Daniele Scanu 17/09/2018 at 7:19 am

      Hi! You get a 403 response if $block_me_now is equal to AB. If you set the Host header parameter to “aDmin.alienise.se” you have bypassed the first condition (then the variable $block_me_now is equal to “”). With the second condition the variable becomes $block_me_now = “” + B (because ${block_me_now} is equal to “” thanks to the first condition), so $block_me_now is now equal to B and not AB.

      • Tamás 17/09/2018 at 7:33 am

        Oh right, of course, thanks 😀
