English [Cybercamp 2015] [Web 17 – Url Thumbs] Write Up

On the main page, we see what seems to be a website thumbail generator. A form allows us to generate a thumbnail with the URL of our choice.

First test: failed. When we try to put the http://google.com URL, the next page shows us an error message…

Second test: we try to load a website that we owned, in order to check the access.log. Nothing, there wasn’t any connection from the thumbnail generator to our own server. The script didn’t even tried to connect to our website, which gaves us the conclusion that only a local URL should be loaded.

Others tests : we tried with http://localhost, http://localhost:8097, http://127.0.0.1 … But the tool was continuously saying that these URL weren’t allowed. And if we we’re close to something interesting?


As http://127.0.0.1 was filtered, we tried http://127.0.0.2:8097, and… ohhh magic, a thumbnail appeared showing us the main page of the thumbnail generator!
How to exploit this, as for now we just succeeded to get a thumbnail from a page we already have access to. Which webpages could be loaded with only a local IP?
As we knew that the HTTP server is Apache, a bit of documentation explained us that some diagnostics pages could exists, which are only loadable from a localhost IP : /server-status.

So, let’s just try to load http://127.0.0.2:8097/server-status/ with our wondeeeeerful thumbnail generation tool. That worked! Unfortunately, no flag onto this page 🙁
server-status
As we know have more information with this page, we could have a look on it, in order to find a lot of OPTIONS requests from 127.0.0.1:8101. What about trying to have a thumbnail of the server with this port?

flag
Here it is!

 

Leave a Reply

Your email address will not be published. Required fields are marked *