niedziela, 21 września 2014

CSAW CTF Web300 writeup

In this post I want to show my solution for CSAW CTF - Web300. This is the service, where we are able to post some links, that are parsed by bot, and looks like this:



There are two important things about this task. First of all, we can notice that page using jquery 1.6.1 (which prone to XSS - CVE-2011-4969) - and serving this kind of code:

The other thing is that bot is based on PhantomJS, so there's a chance, that it interprete javascript on page just like normal browser. ;)

My first shot after connecting those two facts was to exploit XSS on bot, and steal the cookies. It was correct and gave me a flag - these_browser_bots_are_annoying :-)




Pretty simple. doesn't it? :)

piątek, 5 września 2014

GetClouder domain takeover

GetClouder is cloud hosting service having bug bounty program. In Administration Panel we have some domain management tool for hosting our own domain names. After adding ANY domain - zone is configured on two DNS servers: nimbus.getclouder.com and cumulus.getclouder.com - even if we are not owner of the domain. 



If you get NS records for getclouder.com domain, you'll see that it's hosted on same servers:

zoczus@hell:~$ host -t ns getclouder.com
getclouder.com name server nimbus.getclouder.com.
getclouder.com name server cumulus.getclouder.com.

So my first try was trying to add getclouder.com domain - of course it failed. ;)


Then - I tried to search if GetClouder have any other interesting domains. Here's what I found:


In short - yes, they have other domains. One of interesting - clouder.us or getclouder.info are hosted on ns1.clev1.net and ns2.clev1.net. Now - just check the IP addresses of this servers:

zoczus@hell:~$ host ns1.clev1.net
ns1.clev1.net has address 181.224.128.6
zoczus@hell:~$ host ns2.clev1.net
ns2.clev1.net has address 198.20.77.76
zoczus@hell:~$ host nimbus.getclouder.com
nimbus.getclouder.com has address 181.224.128.6
zoczus@hell:~$ host cumulus.getclouder.com
cumulus.getclouder.com has address 198.20.77.76


So we have few other possibilities to check. I tried to add clev1.net, it failed - but adding ns1.clev1.net - not. :) Win?



Yup - it was deffinetly win. 

zoczus@hell:~$ host wow.ns1.clev1.net
wow.ns1.clev1.net has address 1.2.3.4
zoczus@hell:~$ dig +trace ns1.clev1.net

; <<>> DiG 9.8.3-P1 <<>> +trace ns1.clev1.net
;; global options: +cmd
. 85638 IN NS l.root-servers.net.
. 85638 IN NS b.root-servers.net.
. 85638 IN NS k.root-servers.net.
. 85638 IN NS j.root-servers.net.
. 85638 IN NS i.root-servers.net.
. 85638 IN NS a.root-servers.net.
. 85638 IN NS m.root-servers.net.
. 85638 IN NS h.root-servers.net.
. 85638 IN NS e.root-servers.net.
. 85638 IN NS f.root-servers.net.
. 85638 IN NS d.root-servers.net.
. 85638 IN NS c.root-servers.net.
. 85638 IN NS g.root-servers.net.
;; Received 241 bytes from 62.21.99.94#53(62.21.99.94) in 122 ms

net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
;; Received 488 bytes from 202.12.27.33#53(202.12.27.33) in 132 ms

clev1.net. 172800 IN NS ns1.clev1.net.
clev1.net. 172800 IN NS ns2.clev1.net.
;; Received 95 bytes from 192.55.83.30#53(192.55.83.30) in 167 ms

ns1.clev1.net. 86400 IN A 8.8.4.4
ns1.clev1.net. 86400 IN A 8.8.8.8
ns1.clev1.net. 86400 IN NS cumulus.getclouder.com.
ns1.clev1.net. 86400 IN NS nimbus.getclouder.com.
;; Received 152 bytes from 181.224.128.6#53(181.224.128.6) in 174 ms

We have full control of ns1.clev1.net - so everyone asking for - let's say - clouder.us will got response about it's hosted on ns1.clev1.net (and ns2.clev1.net) which points to IP addresses controled by us.

The second vulnerability was ability to add root-servers.net zone. 


After adding just 3 root servers (a,b,c), pointing it to IP with DNSChef on board, and waiting few minutes this is what I got:


As GetClouder told me - it was result of one tool for checking if customer's domains are still pointed to its nameservers.

I want to thank GetClouder security team for realy fast responses and the way how they did treat me as researcher. That was one of my best bounty experiences :)