7 min read

CA CTF 2022: Exploiting Redis Lua Sandbox Escape RCE with SSRF - Red Island

Exploiting Redis Lua Sandbox Escape RCE with SSRF, Rayhan0x01 shares his write-up of Red Island from Cyber Apocalypse CTF 2022.

Rayhan0x01 avatar

Jun 10

In this write-up, we'll go over the web challenge Red Island, rated as medium difficulty in the Cyber Apocalypse CTF 2022. The solution requires exploiting a Server-Side Request Forgery (SSRF) vulnerability to perform Redis Lua sandbox escape RCE (CVE-2022-0543) with Gopher protocol.

Challenge Description 📄

The Red Island of the glowing sea is a proud tribe of species that can only see red colors. Hence every physical item, picture, and poster on this island is masked with red colors. The Golden Fang army took advantage of the color weakness of the species of Red Island to smuggle illegal goods in and out of the island behind the ministry's back. Without an invitation, it's impossible to get entry to the island. So we need to hack the ministry and send us an invite from the inside to stop the atrocities of Draeger's men on this island. As always, Ulysses, with his excellent recon skills, got us access to one of the portals of the Red Island ministry. Can you gain access to their networks through this portal?

The application at-a-glance 🔍

The application homepage displays a login form and a link to the registration page. Since we don't have an account, we can create an account via the registration page and log in. After logging in, the application redirects to the following dashboard page:

Providing a valid image URL results in a new image that has many of the parts painted in the red color:

The following API request is being sent to the backend upon URL submission:

That is pretty much all the user-accessible features in this web application.

The SSRF with support of a plethora of protocols 🧰

If we submit a link that is not an image, we can see the response body of the visited link resulting in Server-Side Request Forgery: