hacky holidays h1 CTF

hacky holidays  h1 CTF








this year Hackerone hosted CTF it's amazing CTF i will   write write up for  interesting challenges 

Swag Shop

Get your Grinch Merch! Try and find a way to pull the Grinch's personal details from the online shop


this challenge it's 100% real life which in order to get flag we must enumeration grinch profile.

first we must enumeration target page and do some spider pages by using burpsuite spider 



 

 after spider target you notice api   endpoints that use in application we must FUZZ endpoint to find hidden endpoints using burpsuite intruder or any tools you  like.





 
you notice user  endpoint status code and response message  and sessions endpoint which response with  JWT Tokens which will going to decode it and find information using jwt io.



 after decode jwt tokens we find one has user name value 

 

 


 

 

now back to user endpoint which we need  fuzz parameters using burpsuite intruder.




we notice we have different status code & response length for uuid and after view response we  get our hidden parameter now it's time to pass user value find it in jwt token.




now we get flag 

lesson learn 

1- look for hidden endpoint sometime it does't have authentication on it.

2- gather info like uuid from page or other search engine or from comments pages 

3- fuzz for parameter any  hidden endpoint  or unhidden endpoint.



My Diary


Hackers! It looks like the Grinch has released his Diary on Grinch Networks. We know he has an upcoming event but he hasn't posted it on his calendar. Can you hack his diary and find out what it is?


     in order to solve this challenge we must expose grinch diary after open challenge we find it as below url

            https://hackyholidays.h1ctf.com/my-diary/?template=entries.html 

first things come to your mind is to test LFI after test  we get source code for index.php






 template parameter accept input and do some filtration using preg_replace and str_replace in order to make page value does't expose any sensitive information   it's filter admin.php ,secretadmin.php and special characters like slash (/) .


setup lab to bypass filter and understand filter behavior.

admin.php ---> replace it with  empty string

admin.phpadmin.php ---> also replace it with empty string.

secretadmin.php ---> secret (replace admin.php)

[+]secretadmin no change

[+]secretadminadmin.php --> secretadmin  replace admin.php 

[+]secretadminadmin.php.phpphp --> secretadmin after replace admin.php and result secretadmin.phpphp --> php after replace secretadmin.php with empty string --> php

add understand filter and list which bypass and not bypass we end with 

                                    secretadmin.secretadminadmin.php.phpphp




we going to replicate payload on challenge after it's work on local setup




Lesson Learn

1- always setup local lab to test filter

2- list all success and unsuccess attempt to find pattern that could help you to bypass filter.


 

SignUp Manager

You've made it this far! The grinch is recruiting for his army to ruin the holidays but they're very picky on who they let in!

it's page with registration & login functionality  i  register you and get normal page in order to get flag we must login as administrator (admin).

first do view page source code i find in README.md in html comment and open it  i get instruction which we will summarized in.

1- download signupmanager.zip

2- create users.txt to store data

3- in order to login as admin change last char in users.txt to Y .


download file and extract it and open index.php and do some code audit .

after download code i divide it's in three pieces 

First add user (signup)





after audit code i end up with this summary 

1- store random hash md5

2-  store username after padding to 15 char with #

3- store password as md5 

4- store age after  padding to 3 char with 

5- store firstname after padding to 15 char with #

6- store lastname after padding to 15 char with #

7- finally N which it's flag set to normal user but for admin it's set to Y.

8-  all content length must be 113 char and write to user.txt


after all i made some calc:

random hash=32

username=15

hash password=32

age=3

firstname=15

lastname=15

'N'=1

         32+15+32+15+15+1+3=113


second  get user data from users.txt






    


all code above do it's remove padd and compare it to login data interesting part it's 'admin' checking permission  return True when 'Y' is set.



third check user login data




code above check if user has admin permission by set up admin to 'Y' then redirect it to admin page else  redirect to normal user page.

after audit code above in order to  login to admin page we must construct payload to overwrite 'N' to 'Y'

data store in file in this order  (username+random_hash+pass_hash+firstname+lastname+'N')

to overwrite 'N'  we  must   control to lastname and filled with 'Y' but as we say above all length it's restrict to 113 to bypass this we must find inconsistent between checking length & writing to file.


check code again to find this inconsistent vulnerability we find age it's pass to intval function which has this type of vulnerability.





we going to step up demo and try to check function behavior in order to bypass admin restriction 



 
 out put 

3  ---> length in check length must be 3 
9000 ---> value 
4 ---> length  after check and write to file.



now payload will be 


action=signup&username=VYYYYYYYYYYYYYY&password=root&age=9e3&firstname=YYYYYYYYYYYYYYY&lastname=YYYYYYYYYYYYYYY

 





Lesson Learn

1- understand code logic 
2- look for inconsistent between check and use 

 


Evil Quiz 

Just how evil are you? Take the quiz and see! Just don't go poking around the admin area!


it's quiz system have 3 pages first to write user name and second to solve quiz and third for result.




 

you notice  it's count user existing on system that have same user one  this could be good indicator there some interaction with database came from first page and reflect on third page.

next check sql injection 

  ' and 1=1 -- -   result  There is 1220516 other player(s) with the same name as you! (True)

   ' and 1=2 -- - result  There is 0 other player(s) with the same name as you! (False)

now we confirm it's sql injection next phase will be detect DBMS.


[+] connection_id() = Mysql

[+] ROWNUM = Oracle

[+] pg_client_encoding() = POSTGRESQL

[+] sqlite_version() = Sqlite

[+] cdbl(1) =  MSACCESS



[+] ' or connection_id()=1 -- - => True  (MYSQL)

[+] ' or ROWNUM =1 -- - =>False

[+] ' or pg_client_encoding()=1 -- - =>False

[+] ' or sqlite_version()=1 -- - => False

[+] ' or cdbl(1)=1 -- - =>False


next phase to exploit  sql injection (blind + second order ) no tool will work after understand application logic we can write script to dump database.

application logic 

user input in first page   and display result in third page for this we need to send request  and check if it's True or not  , below python script to dump database.









dump database using above custom script 

Database=quiz

Tablename=admin

colums=username,password

username: admin

password: S3creT_p4ssw0rd-$





Lesson Learn:

[+]  user input sometime use in other page by fetch it  you need to check each functionality that use user input like comment and profile or even image filename.


Recon Server: 

https://hackyholidays.h1ctf.com/r3c0n_server_4fdk59

it's photo albums it's has three albums with images collection  every album has hash id to reterive it from backend
https://hackyholidays.h1ctf.com/r3c0n_server_4fdk59/album?hash=jdh34k
in source page we find image return with base64 encoding.

https://hackyholidays.h1ctf.com/r3c0n_server_4fdk59/picture?data=eyJpbWFnZSI6InIzYzBuX3NlcnZlcl80ZmRrNTlcL3VwbG9hZHNcL2RiNTA3YmRiMTg2ZDMzYTcxOWViMDQ1NjAzMDIwY2VjLmpwZyIsImF1dGgiOiJiYmYyOTVkNjg2YmQyYWYzNDZmY2Q4MGM1Mzk4ZGU5YSJ9


decoded value 
{"image":"r3c0n_server_4fdk59\/uploads\/db507bdb186d33a719eb045603020cec.jpg","auth":"bbf295d686bd2af346fcd80c5398de9a"}

after undertand logic flow we can say hash id it's you  to retrive ablum and after that reterive every image in album photo and use some hash calc auth will verfiy hash we cant modify it

API directory 
server has api directory which restrict  to localhost no way to interaction with api from outside.

response content
{"error":"This endpoint cannot be visited from this IP address"}.






SQL injection Detection


https://hackyholidays.h1ctf.com/r3c0n_server_4fdk59/album?hash=jdh34k'     return 404 page not found (intersting)
https://hackyholidays.h1ctf.com/r3c0n_server_4fdk59/album?hash=jdh34k' '   return normal page

Exploitaion

using SQLMAP to dump database we get 
python sqlmap.py -u https://hackyholidays.h1ctf.com/r3c0n_server_4fdk59/album?hash=jdh34k -D recon -dump





if you notice id it's foreign key between two tables which it's use in stacked query 


select hash,id,name from album where hash={inj}

select album_id,id,photo from photo  where id=id which come from above query.

after review query we can say it's routed sql injection   in order to confirm it's routed sql injection we must control to column that use in  where condition and replaced it with ' or true -- -' 


' or true -- - = 0x27206f722074727565202d2d202d

'+and+1=0+union select 0x27206f722074727565202d2d202d,2,2+--+- which return all images.





every link has base64 encode token which we decode it in above section  
in order to hit api endpoint we must control to image  name which it's generated which auth token in order to restrict it from tamppering

{"image":"r3c0n_server_4fdk59\/uploads\/db507bdb186d33a719eb045603020cec.jpg","auth":"bbf295d686bd2af346fcd80c5398de9a"}

when send 

' and 1=0 union select 1,2,3 -- -  =  0x2720616e6420313d3020756e696f6e2073656c65637420312c322c33202d2d202d

added above hex payload to main sql injection payload like below.

' and 1=0 union select 0x2720616e6420313d3020756e696f6e2073656c65637420312c322c33202d2d202d,2,2 -- -


{"image":"r3c0n_server_4fdk59\/uploads\/3","auth":"fea7507478aa8225c022527b1763fb33"}

we get  after decode image base64 token  and we controlled to image name now open image in browser.











we get Expected HTTP status 200, Received: 404 which indicate when have control to some backend functionality to fetch data through http.
now it's time to check api which has restrict to localhost (401 Unauthorized)
{"error":"This endpoint cannot be visited from this IP address"}


now it's time to sliced exploitation steps.


' and 1=0 union select 1,2,'../api/v1' -- -  = 0x2720616e6420313d3020756e696f6e2073656c65637420312c322c272e2e2f6170692f763127202d2d202d


payload: ' and 1=0 union select 0x2720616e6420313d3020756e696f6e2073656c65637420312c322c272e2e2f6170692f763127202d2d202d,2,2 -- -




https://hackyholidays.h1ctf.com/r3c0n_server_4fdk59/picture?data=eyJpbWFnZSI6InIzYzBuX3NlcnZlcl80ZmRrNTlcL3VwbG9hZHNcLy4uXC9hcGlcL3YxIiwiYXV0aCI6IjIzYTU3MGJlMDMxZDczMjEwMmI1Y2UwZWY1ZTA2ZTdlIn0==



exploitation Steps:
 now we confirm we trigger api endpoint now  we need to automated this process by using custom script  which will be in this steps
 1- take  directory and add  to api  ' and 1=0 union select 1,2,'../api/FUZZ' -- - 
 2- encode ' and 1=0 union select 1,2,'../api/FUZZ' -- - using hex 
 3- add encoded payload to  ' and 1=0 union select {encoded payload},2,2 -- -
 4- extract image base64 token from page.
 5- add image base64 token to /r3c0n_server_4fdk59/picture?data={image b64 token}
 6- check response if  'Expected HTTP status 200, Received: 404' it's not in response print found directory.

Dirfuzz Exploit code









 









[+] user 


after get endpoint come we need to fuzz parameters  we use same steps but add some modification which 

 step 1 change directory wordlist with parameters wordlist we use paraminer wordlist 
 step 2 changed to  ' and 1=0 union select 1,2,'../api/user?FUZZ=1' -- -   using hex 
 step 6 changed to 'Expected HTTP status 200, Received: 400' if it'not  in response then print  find parameter.


Paramfuzz exploit code














[+] username
[+] password


next phase is to detect this parameters vulnerable  by sending special char  using above step with add modification.

step 1 changed wordlist to special char wordlist
step 2 changed to ' and 1=0 union select 1,2,'../api/user?username=FUZZ' -- - 
      ' and 1=0 union select 1,2,'../api/user?password=FUZZ' -- -  using hex
step 6 chaned to 'Expected HTTP status 200, Received: 204' if it'not in response then  print find special char.

special-charfuzz Exploit code









[+] %

next phase will be using % to dump user and password using brute-forcing.

endpoint use below query structure 

select * from user where username like {control}

select * from user where password like {control}


modifiy above steps 
step 1 changed wordlist to printable char wordlist
step 2  changed to ' and 1=0 union select 1,2,'../api/user?username=a%' -- -  encode using hex to dump username
' and 1=0 union select 1,2,'../api/user?password=a%' -- -  encode using hex to dump password


step 6 changed to 'Expected HTTP status 200, Received: 204' if it'not in response then print char.

user&passFuzz Exploit code









[+] grinchadmin
[+] s4nt4sucks















Lesson Learn:
user input may be end up in another query or functionality that interact with backend like SSRF.

Comments

Post a Comment

Popular posts from this blog

SECURECODE: 1 : OSWE Prep

Image
 SECURECODE: 1 : OSWE Prep SECURECODE: 1  it's OSWE Like machine which need to do some code reviwing and detect  vulnerabilities and chained together to gain final target which remote code execution (RCE).  VM:  SecureCode: 1 ~ VulnHub information about VM:  SecureCode1: an OSWE-like Machine | by Ahmed ElTijani | SUDOROOT | Medium   First we do some code review to detect vulnerabilities in source code  applications  http://192.168.122.112/source_code.zip. we go page under construction next we going to review directory structure. open http://192.168.122.112/login/index.php will redirect to login page. next will explore sql database dump which includes database structure and tables names which will help us to build queries to dump credentials from database. next will  import these sql databases backup in mysql  in order to  explore sql statment for this will use online solution  MySQL online - Test SQL queries (ext...
Read more

python input vulnerability

Image
python input vulnerability hi guys today i will show you how little mistake in write code can lead to expose data or RCE on sever . as we know python has function that take input from user can save it in variable . in python 2.x version we find input function   and it built-in function input in module __builtin__  let check what mean this method by using help(input) it 's  equivalent to eval(raw_input) ok raw_input it's another function take input from user but in input function it's add eval as we know eval it  function evaluates a string of text which is passed as its parameter, accepting possible second argument for the global values to use during evaluation. let make quick demo  and if we enter number it will display it but what if we enter 2+4 it will display 6 because it's use eval as part of input function as we see above from here we can use  __builtin__  module to get  som...
Read more