CSAW CTF2020 - Web RTC Writeup

Web RTC (450pts) 39 solves

TASK

Last weekend,we have been a part of the CSAW CTF 2020 and our team Fword ranked 4th in MENA region. We managed to solve all web challenges with my awesome teammates @Hera and @Noxious and we have particularly enjoyed Web RTC .

SCOREBOARD

TL;DL

  • Exploiting CoTurn server in order to gain SSRF.

  • Escalating SSRF to RCE using Redis.

Overview

We have a Real Time Chat web app and we were provided with the source code / Dockerfile / supervisor.conf.

TASK

Examining the source code didn’t really bring something to the table.But we got some juicy stuff ,reading the Dockerfile / supervisor.conf. It turned out that the application is using TURN protocol to relay the network traffic between peers and Redis as a caching system.

TASK

Exploitation

Since the application didn’t seem vulnreable, we decide to focus basically on CoTURN server exploitation. After searching around we found the following HackerOne report which claims that it’s possible to abuse the TURN Protocol to gain SSRF. In fact, the attacker may proxy TCP connections to the internal network by setting the XOR-PEER-ADDRESS of the TURN connect message (method 0x000A, https://tools.ietf.org/html/rfc6062#section-4.3) to a private IPv4 address.

We used the following tool to exploit that issue.

TASK

We can notice that the Coturn server IP is returned to confirm the SSRF.

TASK

Unfortunately fetching localhost ip didn’t work for us so we fired up wireshark to monitor the STUN (TURN Protocol is an extension of STUN protocol) packets.

TASK

We can confirm that the coTurn server has some protections blacklisting local ips. We first tried to bruteforce the internal ip but in vain , finally we managed to bypass this protection using 0.0.0.0 ip:

TASK

TASK

And Bingo we achieved the first part!

Escalating SSRF to RCE using Redis

This part was somehow trivial but it took us some time to exploit Redis properly, we used some instructions from this tool ( we fired a Rogue server from it) and executed the following commands:

TASK

And Voilaa We got our beloved flag :D It was our first time dealing with RTC website and exploiting and it was really fun!

References:

Belkahla Ahmed
Belkahla Ahmed
Security Engineer @ Mercari JP - CTF Player @ Zer0pts

Cyber Security Enthusiast from Tunisia, I enjoy playing in hacking and pentesting competitions,I skip classes to play CTF.