sentry-as-navigation
SRC: https://library.m0unt41n.ch/challenges/sentry-as-navigation
This challenge provides a tool to fetch and display certificate information. There is a clear and easy-to-find vulnerability in the code which allows RCE.
Python:
import os
import re

# san_entries: DNS names parsed from the fetched certificate; result: the dict
# returned as JSON. Both are defined earlier in the tool, unchanged here.
for entry in san_entries:
    # Only the "secure" prefix and ".com" suffix are anchored; anything in
    # between, shell metacharacters included, is passed to os.popen unquoted.
    match = re.match(r"^secure.*\.com$", entry)
    print(f"{entry}: {match}")
    if match:
        command = f"nslookup {entry}"
        result["nslookup"][entry] = os.popen(command).read().strip()
We are in full control of the SAN entries, since the tool does not restrict which domains it will fetch a certificate from, so we can host a site serving a certificate with malicious SAN entries, for example: subjectAltName=DNS:secure.evil.com; cat flag.txt
The regex only requires the SAN name to start with secure and end with .com; everything in between is placed unquoted into the os.popen command, and the command output is returned in the JSON. Note the trailing $ anchor: the injected string must itself still end in .com (for instance by ending it with a shell comment such as #.com), otherwise re.match rejects it and nslookup is never run.
In the end it took more time to set up the server than to find the vuln.
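As an added example (not the challenge's code and not the writeup author's), the following Python puts the challenge's regex gate beside a hardened version: a strict .com hostname validator, an argv-based subprocess call that never goes through a shell, and shlex.quote for the case where a shell string is unavoidable. The SAN strings are constructed here; the trailing #.com on the injected one is added so that it still satisfies the \.com$ anchor and is not a payload taken from the writeup.

```python
import re
import shlex
import subprocess

# The challenge's check, reproduced here for comparison: only the prefix
# and suffix are anchored, so shell metacharacters in the middle pass.
CHALLENGE_RE = re.compile(r"^secure.*\.com$")

# Stricter check: a .com hostname made of RFC 1123 labels (letters, digits,
# hyphens, no leading/trailing hyphen, at most 63 chars each). Nothing a
# shell would interpret can get through this alphabet.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.com$"
)

# Constructed SAN entries, as a malicious certificate could carry them.
# The trailing "#.com" is added so the string still satisfies the \.com$
# anchor; the shell treats everything after "#" as a comment.
SAMPLE_SAN_ENTRIES = [
    "secure.example.com",                   # benign
    "secure.evil.com; cat flag.txt #.com",  # passes CHALLENGE_RE, injects a command
    "secure.evil.com; cat flag.txt",        # fails CHALLENGE_RE: does not end in .com
    "www.example.com",                      # fails both: no "secure" prefix
]


def challenge_accepts(entry: str) -> bool:
    """The gate the writeup's snippet applies before calling os.popen."""
    return CHALLENGE_RE.match(entry) is not None


def is_safe_hostname(entry: str) -> bool:
    """Hardened gate: must be a well-formed .com hostname starting with secure."""
    return entry.startswith("secure.") and HOSTNAME_RE.match(entry) is not None


def vulnerable_command(entry: str) -> str:
    """What the challenge builds: one string handed to a shell via os.popen."""
    return f"nslookup {entry}"


def quoted_command(entry: str) -> str:
    """If a shell string is unavoidable, shlex.quote neutralises metacharacters."""
    return f"nslookup {shlex.quote(entry)}"


def hardened_argv(entry: str) -> list[str]:
    """Preferred fix: validate, then pass an argv list (no shell at all)."""
    if not is_safe_hostname(entry):
        raise ValueError(f"rejected SAN entry: {entry!r}")
    return ["nslookup", entry]


def classify(entries: list[str]) -> dict[str, tuple[bool, bool]]:
    """entry -> (accepted by the challenge regex, accepted by the hardened check)."""
    return {e: (challenge_accepts(e), is_safe_hostname(e)) for e in entries}


def run_lookup(entry: str, timeout: float = 10.0) -> str:
    """Run the hardened lookup; returns stdout, or a note if nslookup is absent."""
    try:
        proc = subprocess.run(hardened_argv(entry), capture_output=True,
                              text=True, timeout=timeout, check=False)
    except FileNotFoundError:
        return "nslookup not installed"
    return proc.stdout.strip()


if __name__ == "__main__":
    for entry, (weak, strict) in classify(SAMPLE_SAN_ENTRIES).items():
        print(f"{entry!r}: challenge regex={weak} hardened={strict}")
        if weak:
            print("  shell string:", vulnerable_command(entry))
        if strict:
            print("  argv:", hardened_argv(entry))
```

Running the block shows that the injected entry is the only one where the two gates disagree: the challenge regex lets it through to a shell string containing "; cat flag.txt", while the hardened check rejects it outright. The argv form is preferred over shlex.quote because it removes the shell from the picture entirely rather than relying on quoting being correct.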