antiTree | posts and projects
posted by antitree on Apr 27, 2017

This is a continuation of the previous post talking about BSidesROC onion related CTF challenges.

Double Ontonion

One team figured this one out. The point of this challenge is to exemplify a common problem with onion services. Basically, if you don’t configure the web server correctly, there are cases where an onion service might leak additional information about the host. For example, if you were hosting an onion web service on the same server as another web service, you could sometimes replace the Host header with something like “localhost” and have crushing results.

Here’s the clue:

A host is a host to most to most
except to most that want to host
an anonymous host to be a ghost:
don't co-host local hosts,
or repost hosts' POSTs,
and at most, 
don't boast,
or your anonymity is toast.


Going to that URL would just show you a static page with some silly JavaScript visualization. Under the hood what I’m running are 3 docker containers. I have an NGINX reverse proxy, a web server hosting the onion service, and a second web server that contains the answer. The reverse proxy is really what you’re exploiting here. It’s configured to direct requests to appropriate containers based on the host header you send it.

Testa a testa normal

Here’s what my docker-compose.yml file looked like:

version: '2'
    image: jwilder/nginx-proxy
      - "4000:80"
      - /var/run/docker.sock:/tmp/docker.sock:ro

    image: nginx
      - VIRTUAL_HOST=bsidesrocdiny55l.onion
      - ./web1/public:/usr/share/nginx/html
    image: nginx
      - VIRTUAL_HOST=localhost
      - ./web2/public:/usr/share/nginx/html

So if you used something like BurpSuite or the Firefox plugin Modify Headers you could replace the normal header with “localhost” and you’ll see this:

Test a Testa

Only one team figured this one out.