
Break another CTF by taking over its machine - seadog007
https://github.com/seadog007/noxCTF-2018-PSRF-as-Pwn
======
ryandrake
> When I was playing noxCTF 2018, I saw a challenge named PSRF, then I thought
> that might be SSRF, PostScript, or both.

Wow, talk about having no context! You need to do at least three Google
searches just to parse the first sentence.

EDIT: Realized my comment was not constructive. For context, it might be
helpful to make some of the acronyms into links!

~~~
seadog007
Sorry about that, what is your suggestion?

~~~
seadog007
Before your reply, I will add some explanation for these terms.

~~~
dang
An introductory paragraph, as umvi suggested, would be very helpful.

Also, please don't use sockpuppet accounts to upvote HN submissions. That's
not allowed here, and we ban accounts that do it.

------
Artemis2
I cannot overstate how much I despise these “helpful” cloud agents. They are
useful for experimentation to update user accounts (SSH keys, etc. — GCP uses
them for its web shell as well), but they are a nightmare for production use.
They are a very straightforward path from cloud account compromise to instance
takeover.

Azure pulls the same trick. AWS seems fine.

------
holyjaw
I'm a bit confused by this:

> The challenge has a Kubernetes logo on the bottom of the page like the
> screenshot below, and the IP is 35.241.245.36.

> I immediately realized that is a GCP machine, so I tested the backend server
> by sending an HTTP request to my server to see if it is also on GCP, and it is.

What about the IP address or k8s logo made you realize it was a GCP machine?

~~~
supakeen
A whois on 35.241.245.36 returns ownership by Google with the following
comment:

Comment: The IP addresses under this Org-ID are in use by Google Cloud
customers

He then uses the SSRF to issue a request to his own server after which he
likely realizes that the IP address belonging to the backend service also runs
on GCP.

------
da02
Could this have been harder to do if the insecure server inspected the HTTP
content-type and response body in the response? Something like this (pseudo-
code):

    
      # accept only responses that claim an image/* media type and whose
      # body does not look like plain text
      if response.content_type =~ %r{^image/}i && !plain_text?(response.body)
        pass
      else
        fail!
      end

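A fuller version of that check, added here as an example and not code from the thread or the write-up: it accepts a fetched response only when the Content-Type header names an image type AND the first bytes of the body carry a matching image signature, so a text document (JSON, key=value output, HTML) is never relayed back to the caller even when the header lies. The helper names and the sample bodies in the comments are my own.

```ruby
# Magic-byte signatures for the image types the fetcher is willing to relay.
IMAGE_SIGNATURES = {
  "image/png"  => ["\x89PNG\r\n\x1a\n".b],
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b],
}.freeze

# What the pseudocode called plain_text?: true when the start of the body is
# almost entirely printable ASCII (tabs and newlines included).
def plain_text?(body)
  sample = body.to_s.byteslice(0, 512).to_s
  return true if sample.empty?
  printable = sample.each_byte.count do |b|
    b == 9 || b == 10 || b == 13 || (b >= 32 && b <= 126)
  end
  printable.fdiv(sample.bytesize) > 0.95
end

# Decide whether a fetched response may be passed through as an image.
# Both the declared media type and the body must agree that it is one.
def image_response?(content_type, body)
  # Drop parameters such as "; charset=binary" before comparing the type.
  media_type = content_type.to_s.split(";").first.to_s.strip.downcase
  sigs = IMAGE_SIGNATURES[media_type]
  return false if sigs.nil?          # not an image type we are willing to serve
  return false if plain_text?(body)  # text hiding behind an image header
  sigs.any? { |sig| body.b.start_with?(sig) }
end

# Constructed sample inputs: a real PNG header and a text body with a lying header.
if __FILE__ == $0
  puts image_response?("image/png", "\x89PNG\r\n\x1a\n\x00\x00".b)   # true
  puts image_response?("image/png", "name=value\nother=thing\n")     # false
end
```

This only stops the response from being reflected; the request itself still reaches whatever address the user supplied, so a blind SSRF is untouched and the destination host or IP range must be restricted as well.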
~~~
seadog007
It could be, but I really don't know the designed solution.

