PDF Generator Writeup | DNS Rebinding Attack | TrollCat CTF Writeup

PDF Generator

What is DNS Rebinding?

import socket
from urllib.parse import urlparse

import requests
from banlist import ip_ban  # the challenge's exact-match list of forbidden IPs


def secureFetch(url):
    hostname = urlparse(url).hostname  # url is the provided URL, e.g. http://hacker.com
    ipaddr = socket.gethostbyname(hostname)  # first DNS lookup: the check
    if ipaddr not in ip_ban:
        r = requests.get(url)  # second DNS lookup happens in here: the use
        return r.text
  • Let’s say the function is run with url http://hacker.com and the ban list is ip_ban=[192.168.1.1, 10.10.0.1, 127.0.0.1].
  • First it runs a DNS query for hacker.com, which returns 34.213.130.80. That address is not in the ip_ban list, so the if block executes.
  • In the meantime the DNS record for hacker.com magically changes to 127.0.0.1.
  • Now the request to http://hacker.com is made, so somewhere inside requests.get() the DNS query runs again, and this time it resolves to 127.0.0.1. So there’s nothing stopping us from retrieving localhost 🎉🎉🎉

Back to the challenge

Additional Story

<!DOCTYPE html>
<html>
  <head>
    <title>PDF Generator</title>
  </head>
  <body>
    <iframe src="http://localhost/" width="700" height="700"></iframe>
  </body>
</html>

Why this worked

  • Let’s say this file is hosted at abc.hostedfile.com.
  • When a DNS query is made for abc.hostedfile.com, it returns the IPv4/IPv6 address of abc.hostedfile.com. Let’s say the IP is 35.2xx.1xx.89.
  • Since this IP is not in the ip_ban list (explained earlier), a request is made to fetch the content of abc.hostedfile.com.
  • After a successful request, the iframe is loaded on the PDF Generator server with source “http://localhost”, and the PDF is generated from localhost, where the flag is hosted.
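A hardened version of secureFetch, added here as an example and not part of the original writeup or the challenge's code: it resolves the hostname once, checks the address against loopback, private and other non-public ranges with the ipaddress module instead of an exact-match ban list, and then connects to that exact address with the hostname carried in the Host header, so the second lookup that both the DNS rebinding walkthrough and the "Why this worked" section rely on never happens. The resolver and opener parameters are my additions so the race can be simulated offline.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def is_blocked_ip(ip_str):
    """Reject anything that points back into our own network. A range check
    replaces the exact-match ip_ban list, which one unlisted address slips past."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def pin_to_ip(url, ip_str):
    """Rewrite the URL so the TCP connection goes to the address we validated;
    the original hostname travels only in the Host header."""
    parts = urlsplit(url)
    netloc = ip_str if parts.port is None else f"{ip_str}:{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
    return pinned, parts.hostname


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A redirect would trigger a fresh lookup of some other name, bypassing
    the check, so refuse to follow it (urllib then raises HTTPError)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect()).open


def secure_fetch(url, resolver=socket.gethostbyname, opener=_OPENER):
    """Resolve once, validate, then connect to that same address. Plain http
    only: for https the pin belongs at the socket layer so the certificate
    is still checked against the hostname rather than the IP."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("only plain http URLs with a hostname are accepted")
    ip_str = resolver(parts.hostname)          # the one and only lookup
    if is_blocked_ip(ip_str):
        raise ValueError(f"{parts.hostname} resolves to blocked {ip_str}")
    pinned_url, host = pin_to_ip(url, ip_str)
    req = urllib.request.Request(pinned_url, headers={"Host": host})
    with opener(req) as resp:                  # no second resolution possible
        return resp.read()
```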
