Posts: 2
Threads: 0
Joined: Mar 2025
Mar 13, 2025, 05:30 AM
(This post was last modified: Mar 13, 2025, 05:33 AM by Cth1hu_R1y3h.)
(Mar 12, 2025, 07:21 PM)pop10189 Wrote: (Mar 11, 2025, 02:52 PM)ZombieBear Wrote: You can add CVE-2024-38513 https://github.com/advisories/GHSA-98j2-3j3p-fw2v to the observation..
>You would be able to exploit the archive library (To create files outside the saved directory) but you can't overwrite files (as i know now).
Correct for tar archives
That's weird, I've been trying this without success.
Edit: I don't think session fixation would work, since the token used by your user is created each time you log in and updated on Redis.
Since overwriting session files won't work, I'm trying to generate the session files by timestamp and refresh them on Redis during the login function. Will it work?
Posts: 49
Threads: 0
Joined: Dec 2024
Mar 13, 2025, 03:32 PM
(This post was last modified: Mar 13, 2025, 03:57 PM by 0xbeef.)
(Mar 12, 2025, 06:09 PM)pop10189 Wrote: (Mar 12, 2025, 02:11 PM)BFischer Wrote: (Mar 12, 2025, 10:28 AM)sdksdk Wrote: It is not mine but almost the same i did. Try to understand how the .TAR file is crafted.
https://github.com/walidpyh/CVE-2024-040.../script.py
How did you know that's a CVE-2024-0406
Look into go.mod, you will find the version of archiver. Were you able to make it work? I have the right cookie but keep getting a 500 error on upload.
(Mar 13, 2025, 05:29 AM)TechArtificer Wrote: (Mar 12, 2025, 07:21 PM)pop10189 Wrote: (Mar 11, 2025, 02:52 PM)ZombieBear Wrote: You can add CVE-2024-38513 https://github.com/advisories/GHSA-98j2-3j3p-fw2v to the observation...
>You would be able to exploit the archive library (To create files outside the saved directory) but you can't overwrite files (as i know now).
Correct for tar archives
That's weird, I've been trying this without success.
Edit: I don't think session fixation would work, since the token used by your user is created each time you log in and updated on Redis.
Look closely at the code, you're on the right track.
You can forge the session, because you know how the session ID is generated and you can also update the session ID on redis without actually generating a session file.
Just saw this in the http.go file, in the login handler. Thanks, I will try to make it work.
Posts: 18
Threads: 3
Joined: Sep 2024
I've been working on a full script for the CTF but I'm still stuck on the session ID fixing. This script makes the JSON file by predicting its ID 20 seconds in advance. Then it triggers the login, and it works because the ID created is the same as the Redis one, but Redis overwrites it, changing the role back to user. I don't know at this point what I can do.
You should still change the user ID manually, and by default it should work on localhost:1337, but you can also specify the URL with "-u".
Here is the code https://defuse.ca/b/iDqShNZh
Password : DesireHTB
Let me know if you could make it
Posts: 48
Threads: 3
Joined: Jan 2025
You can also upload multiple tar files.
I did it this way: upload a first tar that has a symlink from folder test/ to the sessions directory for your user.
Then in a second tar you can upload a folder test/ again with multiple files in it.
That way all these files will be placed into the sessions folder for your user. That allows some margin during the session fixation.
As a second step check in http.go when exactly the session is being put into redis.
Hint: you can modify the session in Redis without actually generating a new session file (which will be overwritten even if you upload your files in 400 mode, because everything runs as root).
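The two-step upload described in this post (a first archive that plants a directory symlink, a second archive whose entries are then written through it) is the defender-side concern behind the archiver advisory mentioned earlier in the thread. Below is an added example, written for this thread and not code from the challenge or from any archiver library, of a pre-extraction validator in Go that reads every tar header and rejects absolute or parent-escaping paths and any link entry outright. Refusing symlinks and hard links entirely, rather than only checking where they point, is what closes the multi-archive variant, because a link planted by an earlier upload cannot be judged from the headers of a later one. The sample archive is constructed in memory; the `/tmp/sessions` target mirrors the directory named later in the thread and is used only as input to be rejected.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Violation records one archive entry that breaks the upload policy.
type Violation struct {
	Name   string
	Reason string
}

// escapes reports whether a slash-separated tar path would leave the
// extraction root once cleaned. Names inside tar are always '/'-separated,
// so the path package (not filepath) is the right tool here.
func escapes(p string) bool {
	c := path.Clean(p)
	return path.IsAbs(c) || c == ".." || strings.HasPrefix(c, "../")
}

// ValidateTar walks every header of an untrusted archive and returns all
// policy violations. It never writes to disk, so it can run before the real
// extractor is given the data.
func ValidateTar(r io.Reader) ([]Violation, error) {
	tr := tar.NewReader(r)
	var vs []Violation
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return vs, nil
		}
		if err != nil {
			return vs, err
		}
		if escapes(hdr.Name) {
			vs = append(vs, Violation{hdr.Name, "path escapes extraction root"})
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink, tar.TypeLink:
			// Links are rejected regardless of target: a link created by an
			// earlier upload would redirect later writes, which per-entry
			// target checks cannot see.
			vs = append(vs, Violation{hdr.Name, "links are not allowed in uploads (target " + hdr.Linkname + ")"})
		case tar.TypeReg, tar.TypeDir:
			// plain files and directories are fine once the name check passed
		default:
			vs = append(vs, Violation{hdr.Name, fmt.Sprintf("unsupported entry type %q", hdr.Typeflag)})
		}
	}
}

// buildSample constructs an in-memory archive (constructed test data, not a
// real upload): one benign file, one parent-traversal entry and one directory
// symlink of the kind the thread describes.
func buildSample() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("hello\n")
	_ = tw.WriteHeader(&tar.Header{Name: "docs/readme.txt", Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
	_, _ = tw.Write(body)
	_ = tw.WriteHeader(&tar.Header{Name: "../../escape.txt", Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
	_, _ = tw.Write(body)
	_ = tw.WriteHeader(&tar.Header{Name: "test", Linkname: "/tmp/sessions", Mode: 0o777, Typeflag: tar.TypeSymlink})
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	vs, err := ValidateTar(bytes.NewReader(buildSample()))
	if err != nil {
		panic(err)
	}
	for _, v := range vs {
		fmt.Printf("REJECT %-20s %s\n", v.Name, v.Reason)
	}
	if len(vs) == 0 {
		fmt.Println("archive is clean")
	}
}
```

Run on the constructed sample it reports two rejections (the traversal entry and the symlink) and accepts `docs/readme.txt`. In a real upload handler the validator would run over the request body before any extraction, and the extractor itself should still resolve the destination with `Lstat` on each path component so that a pre-existing link on disk cannot redirect a write.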
Posts: 11
Threads: 0
Joined: Jan 2024
(Mar 13, 2025, 05:11 PM)sdksdk Wrote: I've been working on a full script for the CTF but I'm still stuck on the session ID fixing. This script makes the JSON file by predicting its ID 20 seconds in advance. Then it triggers the login, and it works because the ID created is the same as the Redis one, but Redis overwrites it, changing the role back to user. I don't know at this point what I can do.
You should still change the user ID manually, and by default it should work on localhost:1337, but you can also specify the URL with "-u".
Here is the code https://defuse.ca/b/iDqShNZh
Password : DesireHTB
Let me know if you could make it 
If you want to go that way (session prediction) then you should not use a local time but server replies (due to different zones, sync problems...)
Posts: 2
Threads: 0
Joined: Feb 2025
Mar 14, 2025, 07:57 PM
(This post was last modified: Mar 14, 2025, 07:59 PM by Pyhoma.)
Alright, huge hint boys, take a look at how the login process actually creates sessions and pushes them into Redis. On successful logins, the session gets written to /tmp/sessions, but on failed attempts, it still gets pushed to Redis without being written to /tmp.
The key idea is to mimic the session ID generation process since it’s just a hash of the timestamp. By performing a failed login and generating a .tar file with a symlink, you can exploit this behavior. You can modify this script to achieve that: https://github.com/walidpyh/CVE-2024-040.../script.py
Your goal should be to make Redis generate the same session ID as the one you create locally. Then use a simple loop to repeatedly upload those tar files and check the sessionID against the admin route for validity.
Almost forgot, this would require 2 sessions: an attacker one that keeps uploading the archives with a valid SessionID, and a targeted user one whose privileges you try to escalate.
I’ll share my full exploit source code later when I get home.
Posts: 27
Threads: 1
Joined: Oct 2023
(Mar 13, 2025, 05:11 PM)sdksdk Wrote: I've been working on a full script for the CTF but I'm still stuck on the session ID fixing. This script makes the JSON file by predicting its ID 20 seconds in advance. Then it triggers the login, and it works because the ID created is the same as the Redis one, but Redis overwrites it, changing the role back to user. I don't know at this point what I can do.
You should still change the user ID manually, and by default it should work on localhost:1337, but you can also specify the URL with "-u".
Here is the code https://defuse.ca/b/iDqShNZh
Password : DesireHTB
Let me know if you could make it 
After you successfully upload the future hashes with the "Admin" role content, make sure the final login uses a WRONG password.
This will prevent the overwriting of the future hash you uploaded that occurs in CreateSession().
Then the "/user/admin" request will work as intended.
Posts: 18
Threads: 3
Joined: Sep 2024
(Mar 14, 2025, 03:24 PM)ZombieBear Wrote: (Mar 13, 2025, 05:11 PM)sdksdk Wrote: I've been working on a full script for the CTF but I'm still stuck on the session ID fixing. This script makes the JSON file by predicting its ID 20 seconds in advance. Then it triggers the login, and it works because the ID created is the same as the Redis one, but Redis overwrites it, changing the role back to user. I don't know at this point what I can do.
You should still change the user ID manually, and by default it should work on localhost:1337, but you can also specify the URL with "-u".
Here is the code https://defuse.ca/b/iDqShNZh
Password : DesireHTB
Let me know if you could make it 
If you want to go that way (session prediction) then you should not use a local time but server replies (due to different zones, sync problems...)
Finally! Thanks, I did it with the wrong login attempt; I did not realize that Redis was doing that in the code. Locally with the Docker setup the approach was correct, but as you say, when trying against the server it's a headache to synchronize... but I finally did it. I'll leave a link to the final script I used and the command parameters.
Link: https://defuse.ca/b/kdNBXbUv Password: DesiresHTB
The times depend on your location and so on. I first did a ping to the server, e.g.:
PING 94.237.53.146 (94.237.53.146) 56(84) bytes of data.
64 bytes from 94.237.53.146: icmp_seq=1 ttl=56 time=35.3 ms
The more accurate the timing, the easier it will be to achieve, so keep running ping for a while until you get the average time, then craft the command like this:
-u http://94.237.53.146:44659 --brute --start 0.035 --end 0.050 --step 0.001 -d 2
It should work and keep trying until all attempts have failed or the flag is retrieved.
Thanks all for the hints and advice.
Posts: 87
Threads: 3
Joined: Nov 2023
Thanks, I like your script. Very clean!
Posts: 48
Threads: 3
Joined: Jan 2025
You can also upload more than one session file, so you don't have to predict the time down to 1 s accuracy: create just a directory symlink and then upload multiple session files instead of a single file.