SecurityInsider
The blog of Wavestone's security experts

Nuit du Hack 2017 - CTF Challenge Writeup - Part 1



The 15th edition of Nuit du Hack took place at Disneyland Paris' New York Hotel Convention Center. Wavestone was present during the day to present its cybersecurity-related activities. Additionally, we were hosting a jeopardy CTF challenge, with the following rewards for the winners:
  1. An XYZ Mini 3D printer
  2. A retro gaming kit based on a RPi 3
  3. A drone

The article below presents the intended solution of the challenge's author.

Intro: Registration & validation interface

The challenge was hosted online and available for everyone at https://wargame.aperture-science.fr. Let's register on this HTML1.0 platform and pwn the challenge like a real hacker security expert:


Upon successful login, we see that there are many flags to find, and so many teams already registered...


So let's not lose time, and click on "My vhost".

Platform recon & first flagz

Once the root certificate has been installed, I can access my virtual host securely:


The challenge has been designed for everyone, from beginner to expert, so while not all flags are easy, there must be easy ones. Therefore, we can start by searching for flags that would not require us to be authenticated.

Asimov's laws are wrong

The robots.txt file is intended for search engines' bots. It indicates which files should not be indexed by which bot (with specific targeting based on the User-Agent). While it keeps our most sensitive pages out of search indexes, the robots.txt file is also a way of handing every sensitive URI to a human attacker.
In this case:


In addition to the flag, I have just discovered a new directory: "lol_i_renamed_admin":


In this directory, there are two pictures and one not sensitive file. Always be curious, click the link:



Busted!

The next step in our recon phase is to scan for known directory names. This can be used to discover hidden features, admin interfaces, etc. To perform the scan, I used the tool Pyrbuster and a wordlist from Dirbuster:

Browsing to that URL gives us the next flag:



Web attacks

Who are you now?

Now that the recon phase is over, we can start fooling around with the web application. There is a login form with no apparent credentials (admin/admin is not working). However, there are some hints in the source code:


We can use this testaccount account to log in to every country present on the interface. However, there is not much to do, since we only have access to the user list:


There must be something to see in this list that can get us to the next level. We observe that every country has its admin and testaccount accounts. However, France has an additional account called supervisor:


Since the login and passwords were identical for testaccount, we can try the same thing with the supervisor account. It works and gives us the flag:



Unauthorized discovery

The supervisor account has access to a new feature, the store:


The URI is /store.php?f=missiles. If you try to perform a local file inclusion by modifying the f parameter, you end up redirected to this exact page.
However, path traversal payloads trigger a different response, as shown with the value "..":


This feature makes it possible to list files and directories. There are protections in place to prevent me from going up too many levels. However, the value "../../" gives us a flag:



Forgotten past

Coming back to the main store page, it is possible to click on pictures to enlarge them. The user is redirected to a new page: view.php?name=static/img/missiles/1.jpg.
We can try to mess around with the name parameter, for example with the static/img/missiles/1.txt value as observed in the store:


This looks like a local file inclusion, but we need to know whether the raw source file is read (with fopen for example) or executed (with include / require). Setting the name parameter to index.php shows that the source code has been executed. Therefore, there is an LFI vulnerability.
Remember the not sensitive file we came across with the help of robots.txt? Let's try to include that one:



GOD MODE

Now it is time to try and connect as admin. It is possible to spot an SQL injection on the login page, using the following payloads to connect as testaccount:
  • Login is testaccount' AND 'a'='a, password is testaccount → login is successful
  • Login is testaccount' AND 'a'='b, password is testaccount → login is denied
Some teams tried to use this SQL injection to dump data. However, direct output was not available, and undifferentiated error messages prevented boolean-based blind injection, leaving only the time-based blind option. Given the stability of the network, this attack was not practical, and would not have been useful anyway.

Basic SQL injection payloads, such as testaccount' AND 1=1#, were not working. The login logic most likely relies on:
  • User account object retrieval based on the username
  • Comparison of the hash of the given password to the stored hash
In this scenario, we cannot use the injection to bypass the authentication without knowing exactly how it works. But we can use the LFI vulnerability in combination with PHP wrappers to retrieve the source code:
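A defender's-side addition, not part of the write-up: a small Python scanner that looks for the two request shapes seen above, traversal in store.php?f= and stream-wrapper inclusion in view.php?name=, in access-log lines. The log format, the sample lines and the set of wrapper schemes are constructed assumptions; query values are decoded repeatedly so double-encoded dots are caught as well.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (not from the challenge server).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jun/2017:10:01:02 +0200] "GET /store.php?f=missiles HTTP/1.1" 200 5123
10.0.0.5 - - [25/Jun/2017:10:01:09 +0200] "GET /store.php?f=.. HTTP/1.1" 200 812
10.0.0.5 - - [25/Jun/2017:10:01:15 +0200] "GET /store.php?f=%2e%2e%2f%2e%2e%2f HTTP/1.1" 200 944
10.0.0.7 - - [25/Jun/2017:10:02:40 +0200] "GET /view.php?name=static/img/missiles/1.jpg HTTP/1.1" 200 20311
10.0.0.7 - - [25/Jun/2017:10:02:58 +0200] "GET /view.php?name=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 6008
10.0.0.7 - - [25/Jun/2017:10:03:10 +0200] "GET /view.php?name=%252e%252e/config.php HTTP/1.1" 404 210
"""

# Common-log-format fields we need: client IP, timestamp, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')          # a bare ".." path segment
WRAPPER = re.compile(r'^(?:php|phar|zip|expect)://|^data:', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded), so %252e%252e becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (param, reason) pairs for query values that look like traversal or a wrapper."""
    findings = []
    for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)          # parse_qsl already decoded once
        if TRAVERSAL.search(value):
            findings.append((key, "path traversal"))
        elif WRAPPER.match(value):
            findings.append((key, "stream wrapper"))
    return findings

def scan_log(text):
    """Return (line number, client IP, parameter, reason) for every suspicious request."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, reason in suspicious_params(m["target"]):
            alerts.append((lineno, m["ip"], key, reason))
    return alerts
```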


The following code performs the necessary checks before enabling a user to log in and confirms our suspicions:


Using SQL's UNION statement, we can craft a query result from the database and make it appear as a real user object. The payload that was used to connect to a country, with password toto, is:


Using it gives us a new flag, a new menu "My missiles" and a new category of attacks!
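An added illustration of the login logic the write-up infers, written in Python against an in-memory SQLite table rather than the challenge's PHP code; the table name, columns, hash algorithm and the UNION payload are all assumptions. The row is fetched with string concatenation, so a UNION can supply a fabricated user row whose hash column matches a password of our choosing, while the version with a bound parameter rejects the same input.

```python
import hashlib
import hmac
import sqlite3

def make_db():
    """Constructed stand-in for the challenge's user table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, country TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", hashlib.sha256(b"unknown-admin-secret").hexdigest(), "France"))
    return db

def login_vulnerable(db, username, password):
    """Logic the write-up infers: fetch the row by username (concatenated into the
    query), then compare the password hash in application code."""
    sql = f"SELECT username, password_hash, country FROM users WHERE username = '{username}'"
    row = db.execute(sql).fetchone()
    if row is None or hashlib.sha256(password.encode()).hexdigest() != row[1]:
        return None
    return {"username": row[0], "country": row[2]}

def login_fixed(db, username, password):
    """Same logic with a bound parameter: input cannot change the query shape, so
    no UNION row can be fabricated; compare_digest avoids a timing leak."""
    row = db.execute("SELECT username, password_hash, country FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or not hmac.compare_digest(
            hashlib.sha256(password.encode()).hexdigest(), row[1]):
        return None
    return {"username": row[0], "country": row[2]}

# Constructed payload (an assumption, not the author's): the first SELECT matches no
# row, so the UNION row, whose hash column we control, is the first row fetched.
CHOSEN_PASSWORD = "toto"
PAYLOAD = ("nobody' UNION SELECT 'admin', '"
           + hashlib.sha256(CHOSEN_PASSWORD.encode()).hexdigest() + "', 'France' -- ")

def demo():
    """Returns (bypass works on the vulnerable login, bypass works on the fixed login)."""
    return (login_vulnerable(make_db(), PAYLOAD, CHOSEN_PASSWORD) is not None,
            login_fixed(make_db(), PAYLOAD, CHOSEN_PASSWORD) is not None)

if __name__ == "__main__":
    print(demo())  # (True, False)
```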



MySQL Dumpster

The name of the flag almost gives it all. There is most likely a flag hidden in the database, which we will need to find using a standard SQL injection. The new menu allows us to add missiles to our stocks:


We can then view it at /view_missile.php?id=1. This sounds like SQL injection, which we can confirm by /view_missile.php?id=1 UNION SELECT 1,2,3,4,5,6,7,8,9%23:


Using the famous SQLMap, or by hand, we find the flags table and the flag column. We can then dump the table to see the next flag (example by hand at /view_missile.php?id=0 UNION SELECT flag,2,3,4,5,6,7,8,9 FROM flags LIMIT 1,1%23):



Link to part 2 →

Jean MARSAULT
