CSAW CTF2020 - Web RTC Writeup
Web RTC (450pts) 39 solves
Last weekend,we have been a part of the CSAW CTF 2020 and our team Fword ranked 4th in MENA region. We managed to solve all web challenges with my awesome teammates @Hera and @Noxious and we have particularly enjoyed Web RTC .
TL;DL
-
Exploiting CoTurn server in order to gain SSRF.
-
Escalating SSRF to RCE using Redis.
Overview
We have a Real Time Chat web app and we were provided with the source code / Dockerfile / supervisor.conf.
Examining the source code didn’t really bring something to the table.But we got some juicy stuff ,reading the Dockerfile / supervisor.conf. It turned out that the application is using TURN protocol to relay the network traffic between peers and Redis as a caching system.
Exploitation
Since the application didn’t seem vulnreable, we decide to focus basically on CoTURN server exploitation. After searching around we found the following HackerOne report which claims that it’s possible to abuse the TURN Protocol to gain SSRF. In fact, the attacker may proxy TCP connections to the internal network by setting the XOR-PEER-ADDRESS of the TURN connect message (method 0x000A, https://tools.ietf.org/html/rfc6062#section-4.3) to a private IPv4 address.
We used the following tool to exploit that issue.
We can notice that the Coturn server IP is returned to confirm the SSRF.
Unfortunately fetching localhost ip didn’t work for us so we fired up wireshark to monitor the STUN (TURN Protocol is an extension of STUN protocol) packets.
We can confirm that the coTurn server has some protections blacklisting local ips. We first tried to bruteforce the internal ip but in vain , finally we managed to bypass this protection using 0.0.0.0 ip:
And Bingo we achieved the first part!
Escalating SSRF to RCE using Redis
This part was somehow trivial but it took us some time to exploit Redis properly, we used some instructions from this tool ( we fired a Rogue server from it) and executed the following commands:
And Voilaa We got our beloved flag :D It was our first time dealing with RTC website and exploiting and it was really fun!
References: