Information#
Version#
| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |
CTF#
- Name : Insomni'hack teaser 2017
- Website : teaser.insomnihack.ch
- Type : Online
- Format : Jeopardy
- CTF Time : link
Description#
smarttomcat - Web - 50 pts - realized by xel/grimmlin
Normal, regular cats are so 2000 and late, I decided to buy this allegedly smart tomcat robot Now the damn thing has attacked me and flew away. I can't even seem to track it down on the broken search interface... Can you help me ?
Solution#
We have a web application like this:
Let's take a look at sources, there is some JavaScript:
```javascript
[...]
```

The interesting line is:

```javascript
var cat_coords = 'http://localhost:8080/index.jsp?x=' + parseFloat($('#xcoord').val()) + '&y=' + parseFloat($('#ycoord').val());
```

So we have one web server that acts as a proxy for a web application.
We can see in the HTTP headers that the front-end server is Apache/2.4.18 (Ubuntu).
The description is suggesting we have a Tomcat web app.
In the JavaScript we can see `var map = new OpenLayers.Map("map");` and OpenLayers is a class of GeoServer.
What do we have?

- Front-end: Apache/2.4.18 (Ubuntu)
- Back-end: Apache Tomcat/7.0.68 (Ubuntu)
- Map-core: GeoServer
In the JavaScript we also see `if (isNaN(y) || isNaN(x)) {y = 15.2833; x = -4.2667;}`, which means the browser won't let us send anything other than numbers through the form. We should use Hackbar or curl instead.
What to do now? We guessed this is a Tomcat web app, so let's find the Tomcat Manager (the administration panel of the Tomcat web server).
A normal request (POST data) would be:

```
u=http://localhost:8080/index.jsp?x=42%26y=1337
```
With curl:

```shell
$ curl --data "u=http://localhost:8080/index.jsp?x=42%26y=1337" http://smarttomcat.teaser.insomnihack.ch/
```
Now let's try to reach the Tomcat Manager page, which is usually at http://example.org:8180/manager/html. Here the manager is also running on port 8080.
So with curl:

```shell
$ curl --data "u=http://127.0.0.1:8080/manager/html/" http://smarttomcat.teaser.insomnihack.ch/
```
With Hackbar:

We can see the following error: `HTTP Status 401: This request requires HTTP authentication`. This is because we should provide some Basic Auth information.
Default credentials of Tomcat Manager are tomcat:tomcat. So the HTTP header for authentication should be `Authorization: Basic dG9tY2F0OnRvbWNhdA==`.
The option to pass basic authentication to curl is `-u`, but the following command won't work:

```shell
$ curl -u tomcat:tomcat --data "u=http://127.0.0.1:8080/manager/html/" http://smarttomcat.teaser.insomnihack.ch/
```
This is because curl sends the authentication to the Apache front-end instead of the proxied Tomcat Manager running on the back-end.
But it's possible to provide the credentials for basic authentication directly in the URL, for example: http://user:pass@example.org.
Let's do it:

```shell
$ curl --data "u=http://tomcat:tomcat@127.0.0.1:8080/manager/html/" http://smarttomcat.teaser.insomnihack.ch/
```
The flag was: `INS{th1s_is_re4l_w0rld_pent3st}`. No need to find the coordinates.
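As an added example (not part of the writeup and not the challenge's own code), here is how the proxy side should have handled the `u` parameter: `u_param_is_safe` is a hypothetical filter that only accepts the one back-end URL the JavaScript builds, so both the `/manager/html/` path and the `user:pass@host` form used above are refused; `build_backend_url` is the better fix, taking two numbers from the client and never a URL. The host `localhost:8080`, the path `/index.jsp` and the default coordinates come from the page's JavaScript; everything else is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# From the challenge's JavaScript: the only place the proxy should ever talk to.
BACKEND_HOST, BACKEND_PORT, BACKEND_PATH = "localhost", 8080, "/index.jsp"
NUMBER = re.compile(r"-?\d+(\.\d+)?")   # what parseFloat() in the page would send

def u_param_is_safe(u: str) -> bool:
    """Hypothetical allow-list filter for the original 'u' design:
    accept only http://localhost:8080/index.jsp?x=<number>&y=<number>."""
    parts = urlsplit(u)
    if parts.scheme != "http":
        return False
    # Refuse user:pass@host, which would carry Basic Auth through to Tomcat.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return False
    # Refuse 127.0.0.1, other ports and any external host.
    if parts.hostname != BACKEND_HOST or port != BACKEND_PORT:
        return False
    # Refuse /manager/html/ and every other path on the back-end.
    if parts.path != BACKEND_PATH:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if set(qs) != {"x", "y"}:
        return False
    return all(len(qs[k]) == 1 and NUMBER.fullmatch(qs[k][0]) is not None
               for k in ("x", "y"))

def build_backend_url(x, y) -> str:
    """The real fix: the client sends two numbers, the server builds the URL.
    Non-numeric input falls back to the page's default coordinates."""
    try:
        xf, yf = float(x), float(y)
    except (TypeError, ValueError):
        xf, yf = -4.2667, 15.2833
    query = urlencode({"x": xf, "y": yf})
    return f"http://{BACKEND_HOST}:{BACKEND_PORT}{BACKEND_PATH}?{query}"
```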