Jump to content

InfoSec Institute - CTF2

Recommended Posts

I will start with Level 13.

At Level 13 I have to redirect the user to another website using the URL: http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ex13-task.php


The problem is that you can't use "http://" at the beginning of the word you send as value to parameter "redirect". Most probably there is a blacklist and I have to bypass it.

There is a quick solution to bypass this inconvenient, but I will let others to think at it.

I choose to explain a method to redirect anyone to anything using ftp wrapper.

After several attempts to bypass the mechanism that prevents me from using certain words I managed to find that I can use "ftp" wrapper. So here's my writeup.

If I load the link:


The web application redirects me at ftp://attackerwebsite.com/file.

From the ftp page I have to make another redirect to a webserver "http://attackerwebsite.com/".

For doing this I used a script made in python to emulate an ftp server and for any request to the ftp server the script will return same file always without authentication.

Start the python script:


Having the ftp server up, the question is what should I return back in the victim browser?

On a page that loads an ftp file, the browser will not execute javascript like <script>JAVASCRIPT CODE THAT REDIRECTS THE VICTIM ON ANOTHER PAGE</script>, but will interpret html tags.

To make another redirection from ftp page to attackerwebsite.com I have to use the following html code inside of '/tmp/test' file:

<html><meta http-equiv="refresh" content="0;URL='http://attackerwebsite.com/'" /></html>

Having all ready let's try to make an redirection on https://attackerwebsite.com/

Load in a tab the following link:


ftp://1758432401/file is same with (dword representation)

My python script responded with the file located in '/tmp/test'

"[i 15-06-24 07:46:38] x.x.104.6:20970-[anonymous] RETR /tmp/test completed=1 bytes=301 seconds=0.002"

In browser the html code <html><meta http-equiv="refresh" content="0;URL='http://attackerwebsite.com/'" /></html> redirected me to attackerwebsite.com

Edited by mah_one
Link to comment
Share on other sites

Nice description mah_one but somehow you've spoiled the beauty of that level :)

There are other ways to solve that challenge, like Stealth said in the replay above, there is a way to inject \r\n.

That challenge is very easy, more easy than I or Stealth explained.

Keep looking, the easiest solution wasn't spoiled so far.

Edited by mah_one
Link to comment
Share on other sites

Deci rezolvarea era: %0d%0a%20http://slacker.ro


Va fi asta un redirect valid cand va face plopu' pere. E hilar sa vezi pe cate unu' care se umfla in pene si se da prea destept, dar o da cu nuca-n perete.

Rezolvare simpla: Practical Website Hacking - Exercise 12

Redirect pe bune: Google

In fine, subtilitati...

Edited by TheTime
Link to comment
Share on other sites

@Stealth: A drequ carnea pe tine. Repede ai gasit tu un motiv sa-i dai peste nas lui mah_one. Lasa omu sa-si faca treaba. Mie mi se pare ca explica destul de bine si stie ce face. :))

// edit: Ti-ai sters postul bre ? Hahahah

Edited by aelius
Link to comment
Share on other sites

Stai pu?in m? prietene c? nu în?eleg aluzia. Cum adic? nu este un redirect valid? D? ?i o explica?ie dac? e?ti ?i tu a?a h4ck3r ca mah_one.

Ma asteptam sa nu intelegi. Pe scurt, dupa newline trebuia fie sa adaugi un nou header care sa iti faca redirect-ul, fie sa mai adaugi un newline si un body cu un javascript care sa faca redirect-ul.

Raspunsul dat de tine rezolva problema lor, dar nu este un redirect pe bune. Intre timp au modificat ei ceva pe server si nu mai merge nici primul tau raspuns, nici rezolvarea mea simpla.

In fine, subtilitati... si nu are rost.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...