PDF Generator Writeup | DNS Rebinding Attack | TrollCat CTF Writeup

Bipul Jaiswal
Feb 6, 2021


Hello Folks,

I’m back with another write-up, this time of a challenge I made for Trollcat CTF that is based on a DNS rebinding attack. This attack is quite useful in real-world attacks. I was inspired to make this challenge while reading a HackerOne report. I’ve also published a writeup for my other challenge. You can find it here.

Challenge Name: PDF Generator

Category: Web

Organizer: Trollcat

Author: r3curs1v3_pr0xy

PDF Generator

Description — Recently Elliot got a job as a web developer. He got a project to create a website that converts a webpage into a PDF, but he doesn’t know about web app security, and somehow hackers got access to the admin panel content running locally. As a pentester, we need to find the flaw in the app to see the admin panel.

Link: https://pdfgenerator.cscodershub.tech/

Solution:

So from the description we know there is an admin panel running at localhost (127.0.0.1). First, we need to understand how the page works. We provide a URL and the app converts it into a PDF. Pretty easy, huh?

Let’s dig deeper. The description says we need to access the admin panel at localhost, so why not provide 127.0.0.1 as the URL?

The application says “Not that Easy” (xD)

On the internet you’ll find a lot of ways to bypass a localhost filter, but none of them work here. So the last option left is the “DNS Rebinding” method to bypass the filter and access the admin panel, because we know we only have to reach localhost.

What is DNS Rebinding?

DNS rebinding is a method of manipulating the resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.

This attack can be used to breach a private network by causing the victim’s web browser to access computers at private IP addresses and return the results to the attacker. It can also be employed to use the victim machine for spamming, distributed denial-of-service attacks, or other malicious activities. In this challenge the victim is not a browser but the server-side fetcher, which performs the DNS lookup for its check and the HTTP request as two separate steps.

To make this easier to explain, I wrote a small piece of code:

import socket
from urllib.parse import urlparse

import requests
from banlist import ip_ban  # list of blocked IP addresses, e.g. ["127.0.0.1", ...]


def secureFetch(url):
    host = urlparse(url).hostname        # url is the full URL the user provided; take its domain name
    ipaddr = socket.gethostbyname(host)  # first DNS lookup, used only for the check
    if ipaddr not in ip_ban:
        r = requests.get(url)            # requests resolves the name again here
        return r.text

“You can’t bypass my algorithm”
-pro developer (xD)

How it works:

  • Let’s say the function is run with url http://hacker.com and the ban list is ip_ban = ["192.168.1.1", "10.10.0.1", "127.0.0.1"]
  • First it runs a DNS query for hacker.com, which returns 34.213.130.80. That is not in the ip_ban list, so the if block executes.
  • In the meantime the DNS record for hacker.com magically changes to 127.0.0.1.
  • Now the request is made to http://hacker.com, so somewhere inside requests.get() the DNS query runs again, and since the record has changed to 127.0.0.1 there’s nothing stopping us from retrieving localhost 🎉🎉🎉

So that’s the theory behind the whole thing: a classic time-of-check/time-of-use race between the lookup used for the check and the lookup the HTTP client does for the request. Pretty primitive, right?
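To make the race concrete without touching real DNS, here is an added example (my own code, not part of the original writeup or the challenge) that simulates the two lookups with a stand-in resolver. `RebindingResolver`, `fake_connect`, `vulnerable_fetch` and `pinned_fetch` are constructed names; the block list is a constructed set of loopback and private ranges. `vulnerable_fetch` mirrors the check-then-fetch shape of the writeup’s `secureFetch`, while `pinned_fetch` shows the defensive fix: resolve once, validate that address, and connect to exactly that address so a later DNS change has nothing to act on.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed block list of loopback / private / link-local ranges. Using networks rather
# than single addresses means 127.0.0.2 or 10.10.0.1 are caught as well as 127.0.0.1.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8", "::1/128")
]


def is_blocked(ip: str) -> bool:
    """True if the resolved address falls in a blocked range (IPv4-mapped IPv6 is unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


class RebindingResolver:
    """Constructed stand-in for an attacker-controlled authoritative DNS server with TTL 0:
    the first answer is a public IP, every later answer is the rebound address."""

    def __init__(self, public_ip: str = "34.213.130.80", rebound_ip: str = "127.0.0.1"):
        self.answers = [public_ip, rebound_ip]
        self.queries = 0

    def resolve(self, hostname: str) -> str:
        self.queries += 1
        return self.answers[min(self.queries, len(self.answers)) - 1]


def fake_connect(ip: str, host: str) -> str:
    """Constructed stand-in for the HTTP client: reports where the TCP connection would go."""
    return f"connected to {ip} (Host: {host})"


def vulnerable_fetch(url: str, resolve, connect) -> str:
    """Check-then-fetch, the same shape as the writeup's secureFetch: the check resolves once,
    then the HTTP client resolves the name a second time on its own."""
    host = urlparse(url).hostname
    if is_blocked(resolve(host)):          # time of check: first DNS answer
        return "blocked"
    return connect(resolve(host), host)    # time of use: second DNS answer


def pinned_fetch(url: str, resolve, connect) -> str:
    """Fix: resolve once, validate that address, and connect to exactly that address,
    sending the original hostname in the Host header. A later DNS change cannot
    redirect the connection because no second lookup happens."""
    host = urlparse(url).hostname
    ip = resolve(host)
    if is_blocked(ip):
        return "blocked"
    return connect(ip, host)


if __name__ == "__main__":
    print(vulnerable_fetch("http://hacker.com/", RebindingResolver().resolve, fake_connect))
    print(pinned_fetch("http://hacker.com/", RebindingResolver().resolve, fake_connect))
```

With a real HTTP client, pinning means opening the connection to the validated IP while still verifying TLS against the original hostname, re-running the check on every redirect hop (a redirect is just another URL the attacker controls), and checking every A/AAAA record the resolver returns rather than only the first one.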

Back to the challenge

Since we can’t manually change the DNS record in the milliseconds between the check and the request, we need a custom DNS server that decides which IP to answer with on each query and sets the TTL to 0 so the backend does not cache the first answer.

You can install an open-source DNS rebinding framework, or use https://lock.cmpxchg8b.com/rebinder.html for the same purpose. It takes just two IPs and answers with one of them at random, so you have to send around 10–15 requests to get one that actually went to localhost :D

Additional Story

Well, a few players found the flag another way too. I had blacklisted all the filter bypasses I knew of, but I missed one, and a few players found it. Let me explain that method as well.

We need to create an HTML file with the code below and host it on a VPS. If you don’t have a VPS, no worries: host it on localhost and do port forwarding with ngrok. Google port forwarding for more info.

<!DOCTYPE html>
<html>
<head>
  <title>PDF Generator</title>
</head>
<body>
  <iframe src="http://localhost/" width="700" height="700"></iframe>
</body>
</html>

Why this worked??

  • Let’s say this file is hosted at abc.hostedfile.com
  • When a DNS query is made for abc.hostedfile.com, it returns the IPv4/IPv6 address of abc.hostedfile.com. Let’s say the IP is 35.2xx.1xx.89
  • Since this IP is not in the ip_ban list (explained earlier), a request is made to fetch the content of abc.hostedfile.com.
  • After a successful request, the PDF Generator server renders the page, loads the iframe with source “http://localhost”, and generates a PDF of localhost, where the flag is hosted. The filter checked only the top-level URL, not the subresources the renderer fetched while laying out the page.
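The gap above is that the ban list is applied once, to the URL the user typed, while the renderer goes on to fetch frames, images and scripts with no check at all. As an added example (my own code, not from the writeup or the challenge), the block below parses a constructed copy of the page and applies a per-request policy to every URL a renderer would load. `SubresourceCollector`, `allow_request`, `audit_page` and `FAKE_DNS` are constructed names; `35.200.100.89` is a made-up public address standing in for the redacted `35.2xx.1xx.89` in the text.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed DNS table standing in for real resolution (no network access needed).
FAKE_DNS = {"abc.hostedfile.com": "35.200.100.89", "localhost": "127.0.0.1"}

# Constructed block list of loopback / private / link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                     "169.254.0.0/16", "::1/128")]


def is_blocked_ip(ip: str) -> bool:
    """True if the address is in a blocked range (IPv4-mapped IPv6 is unwrapped first)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


class SubresourceCollector(HTMLParser):
    """Collects every URL a renderer would fetch while laying out the page:
    frames, images, scripts, stylesheets, embeds and objects."""
    FETCHING_ATTR = {"iframe": "src", "frame": "src", "img": "src", "script": "src",
                     "link": "href", "embed": "src", "object": "data"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCHING_ATTR.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # relative references resolve against the page URL, as a browser would do
                self.urls.append(urljoin(self.base_url, value))


def allow_request(url: str, resolve) -> bool:
    """The per-request policy a renderer hook should enforce: http(s) only, and the
    resolved address of every request, not just the top-level one, must be public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = resolve(parts.hostname)
    return ip is not None and not is_blocked_ip(ip)


def audit_page(html: str, page_url: str, resolve):
    """Walk the fetched HTML and split its subresource URLs into (allowed, denied)."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    allowed, denied = [], []
    for u in collector.urls:
        (allowed if allow_request(u, resolve) else denied).append(u)
    return allowed, denied


# Constructed page: the writeup's iframe plus one harmless image on the same host.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>PDF Generator</title></head>
<body>
<img src="/logo.png">
<iframe src="http://localhost/" width="700" height="700"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "http://abc.hostedfile.com/page.html", FAKE_DNS.get))
```

A static parse like this is only an illustration of the policy; in a real PDF generator the same `allow_request` decision belongs in the renderer’s request-interception hook, because scripts and redirects generate requests that never appear in the original HTML. The resolution used for that decision must also be pinned for the actual connection, otherwise the renderer’s own lookup reintroduces the rebinding race described earlier.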

I missed this filter. Anyway, I hope you learned something from this challenge and writeup, as it is based on a real-world attack.

If you have any queries, feel free to DM me.

Connect with me

Twitter: https://twitter.com/hackw1thproxy

Instagram: https://www.instagram.com/hackwithproxy

