I’m back with another write-up of a challenge I made for Trollcat CTF. This one is based on the DNS rebinding attack, which is quite useful in real-world attacks. I was inspired to make this challenge while reading a HackerOne report. I’ve also published a write-up for another of my challenges. You can find it here.
GitLab disclosed on HackerOne: Server Side Request Forgery...
Summary: This vulnerability allows attacker to send arbitrary requests to local network which hosts GitLab and read the…
Challenge Name: PDF Generator
Description — Recently Elliot got a job as a web developer. He got a project to create a website that converts a webpage into a PDF, but he doesn’t know about web app security, and somehow hackers got access to the admin panel content running locally. As a pentester, we need to find the flaw in the app to see the admin panel.
So if we look at the description, we learn that there is an admin panel running at localhost (127.0.0.1). First of all, we need to understand how the page works. Here we need to provide a URL and the app will convert it into a PDF. Pretty easy, huh?
Let’s dig more into it. The description says we need to access the admin panel at localhost, so why not provide 127.0.0.1 as the URL?
The application says “Not that Easy” (xD)
On the internet you’ll find a lot of ways to bypass a localhost filter, but none of them work here. So the last option left is the “DNS rebinding” method to bypass the filter and reach the admin panel, because we know that we have to access localhost only.
What is DNS Rebinding?
DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.
This attack can be used to breach a private network by causing the victim’s web browser to access computers at private IP addresses and return the results to the attacker. It can also be employed to use the victim machine for spamming, distributed denial-of-service attacks, or other malicious activities.
To make explaining this easier, I wrote a small piece of code (the check is run once, then the HTTP client resolves the name again on its own):

    import socket
    import requests
    from banlist import ip_ban

    def secureFetch(url):
        ipaddr = socket.gethostbyname(url)  # url is the provided domain name
        if ipaddr not in ip_ban:
            return requests.get("http://" + url)  # the HTTP client resolves url a second time

“You can’t bypass my algorithm”
-pro developer (xD)
How it works:
- Let’s say the function is run with the URL http://hacker.com and the IP ban list is ip_ban = [“192.168.1.1”, “10.10.0.1”, “127.0.0.1”].
- First it runs a DNS query for hacker.com, which returns 220.127.116.11. That address is not in the ip_ban list, so the if block executes.
- In the meantime the DNS record for hacker.com magically changes to 127.0.0.1.
- Now the request is made to http://hacker.com, so somewhere inside requests.get() the DNS query runs again, and this time it gets the changed record, 127.0.0.1. Soooo there’s nothing stopping us from retrieving localhost 🎉🎉🎉
So that’s the theory behind this whole thing. Pretty primitive right?
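To make the race concrete, here is an added Python example (mine, not the challenge’s code) showing both sides: a two-lookup check like secureFetch above, which a constructed TTL-0 resolver fools, and a hardened pin_request that resolves once, rejects every private and loopback range, and hands the HTTP client the vetted IP plus a Host header so no second lookup can happen. The names hacker.example and 203.0.113.10 and the rebinding_resolver stand-in are constructed placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

# Ranges a URL-to-PDF service must never fetch from (extend as needed).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked(ip_str):
    """Range check instead of the article's exact-string ban list."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETWORKS)

def system_resolver(host):  # every A/AAAA answer, not just the first
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def pin_request(url, resolver=system_resolver):
    """Resolve ONCE, vet every answer, then rewrite the URL so the HTTP client
    connects to the vetted IP and never resolves again. Returns (url, headers)."""
    parts = urlsplit(url)
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError("no DNS answer for %s" % parts.hostname)
    for addr in addrs:
        if is_blocked(addr):
            raise ValueError("%s -> %s is blocked" % (parts.hostname, addr))
    netloc = "[%s]" % addrs[0] if ":" in addrs[0] else addrs[0]
    if parts.port:
        netloc += ":%d" % parts.port
    pinned = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    # Original host name goes in the Host header so virtual hosting still works.
    return pinned, {"Host": parts.netloc}

def rebinding_resolver(public_ip, rebound_ip):
    """Constructed stand-in for a TTL-0 rebinding DNS server (hypothetical)."""
    calls = []
    def resolve(host):  # first lookup: public IP; every later one: rebound IP
        calls.append(host)
        return [public_ip] if len(calls) == 1 else [rebound_ip]
    return resolve

def two_lookup_target(url, resolver):
    """The article's secureFetch pattern: returns the IP the fetch really hits."""
    host = urlsplit(url).hostname
    if is_blocked(resolver(host)[0]):  # lookup 1: the check
        raise ValueError("blocked")
    return resolver(host)[0]  # lookup 2, inside the HTTP client: the window
```

With the same rebinding resolver, two_lookup_target ends up at 127.0.0.1 while pin_request returns http://203.0.113.10/admin with Host: hacker.example, and any answer in a blocked range makes it raise before a connection is opened.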
Back to the challenge
Since we can’t manually change the DNS record in the few milliseconds while the program runs, we need a custom DNS server that somehow figures out which IP it should resolve to, with the TTL set to 0 so no caching happens on the backend.
You can install an open-source framework for DNS rebinding, or you can use https://lock.cmpxchg8b.com/rebinder.html for the same purpose. It only takes two IPs and resolves to one of them at random, so you have to send something like 10–15 requests to get one that actually went to localhost :D
Well, a few players found a way to get the flag another way too. I had blacklisted all the ways I knew of to bypass the filtering, but I missed one, and a few players found it. Let me explain that method too.
We need to create an HTML file with the code given below and host it on a VPS. If you don’t have a VPS, no worries: host it on localhost and do port forwarding with ngrok. Google port forwarding for more info.
<body><iframe src="http://localhost/" width="700" height="700"></iframe></body>
Why this worked??
- Let’s say this file is hosted at abc.hostedfile.com.
- When a DNS query is made for abc.hostedfile.com, it returns the IPv4/IPv6 address of abc.hostedfile.com. Let’s say the IP is 35.2xx.1xx.89.
- Since this IP is not in the ip_ban list (explained earlier), a request is made to fetch the content of abc.hostedfile.com.
- After a successful request, the iframe is loaded on the PDF Generator server with the source “http://localhost”, and the PDF is generated from localhost, where the flag is hosted.
I missed this filter. Anyway, I hope you learned something from this challenge and write-up, as it is based on a real-world attack.
If you have any queries, feel free to DM me.