RDot

RDot (https://rdot.org/forum/index.php)
-   Квесты/CTF (https://rdot.org/forum/forumdisplay.php?f=64)
-   -   Zeronights 2015 Hackquest write-up (https://rdot.org/forum/showthread.php?t=3542)

Beched 22.11.2015 11:51

Zeronights 2015 Hackquest write-up
 
Task #1 ("Chocolate Factory", Web)

Input

Site with file upload functionality.
At first it was easily solved by uploading JSP-shell in XML format, bypassing white-list. After that all participants were given the source code.
Task again could solved in a "cheating" way, by reading the source code, but I solved it in an intended way.

Output

Open the classes in JD-GUI: screenshot.

We can see the source code of JSP checker, which parses page imports. There're a lot of ways to bypass this silly checker, but we'll try to get flag without reading the file system. Initially the flag was in SecretGrandParentForBigBossesNeeds.class:
Код:

public class SecretGrandParentForBigBossesNeeds
{
  private String TrueSecretChocolateKey()
  {
    return "ZNV:3X@mPl3_k3y_a0a81ab87f74d307b8e51fd85048e714";
  }

On the screenshot on the left you can see a long chain of inherited classes, this clearly tells us, that we should somehow use reflection. If we try to import SecretGrandParentForBigBossesNeeds, we fail, let's try to import Secret.
Код:

<%@ page import="java.lang.reflect.*,ZN_Chocolate.CRYPTO.Secret" %>
<%
Secret s = new Secret();
out.println(s.TrueSecretChocolateKey());
%>

Hm, error 500... In the stack trace we can read, that "method TrueSecretChocolateKey of class SadBigBoss is not visible".
Aha! They changed name of the class after fixing the source code. But anyway, method is not visible, it's private. Let's use reflection to make it accessible:
Код:

<%@ page import="java.lang.reflect.*,ZN_Chocolate.CRYPTO.Secret" %>
<%
SadBigBoss s = new SadBigBoss();
Method method = s.getClass().getDeclaredMethod("TrueSecretChocolateKey");
method.setAccessible(true);
out.println(method.invoke(s));
%>

That's it, flag is on the page =)

Beched 22.11.2015 12:11

Task #4 ("ILLOGICAL PHOTOGALLERY", Web)

Input

Site (0x3d.ru) with OAuth (vk.com) functionality.
During recon one can find content.0x3d.ru and dev.0x3d.ru (127.0.0.1) subdomains.

Output

There were a lot of unintended bugs, including XSS, SQL injection, RCE, etc... Some of them are described here.

1. Authentication bypass (unintended)
Log in under your vk account through Burp Suite, take a link with auth token (?code=...) and navigate to it in the private tab. You're now logged in as a privileged user, which can upload files.

2. Authentication bypass
Login under your vk account through Burp Suite, take a link with auth token (?code=...), now make a page on your website, which loads 2 images (<img src=...): the first triggers logout CSRF (like /logout), the second is you auth token link. Now send this link to the privileged user, he (the bot) will navigate it, and his account will be connected to your vk profile. Now you can login as a privileged user.

3. Race condition (unintended)
Privileged user can upload avatar. "*.php" is disallowed, but ".jpg.php" is ok =) Where's the shell? Hm, avatars are uploaded to content.0x3d.ru/avatars, but they are converted into $hash.jpg. Let's suppose file is first uploaded in the same dir and converted afterwards.
Take BurpSuite, launch 100 threads (GET /avatars/beched.jpg.php, Host: content.0x3d.ru) and upload beched.jpg.php. Wow, 200! Shit, plain-text... They disabled PHP execution in this dir, but anyway, this is dangerous bug.

4. SQL injection (unintended)
There was SQL injection in private messaging interface, you could exploit it using multi-INSERT and guessing fields. There was no file_priv and no flag, but there was a link to PoC auth bypass exploit by the author of task. I found a working copy of the task on that server =)

5. Code execution (unintended)
So, we've got author's testing server. Let's log in and check SQL injection there. Wow, there's file_priv=Y! Read the source code, read configs, no flag =(
But there's something else in ZIP upload functionality:
PHP код:

elseif(preg_match('/[.](ZIP)|(zip)|(RAR)|(rar)$/',$_FILES['fupload']['name']))
{
    
$avatar 'avatars/net-avatara.jpg';
        
$filename $_FILES['fupload']['name'];
        
$source $_FILES['fupload']['tmp_name'];    
        
$target $path_to_90_directory $filename;
        
move_uploaded_file($source$target);//загрузка оригинала в папку $path_to_90_directory
        
$command 'python /var/www/0x3d.ru/zn1/avatars/unzip.py /var/www/0x3d.ru/zn1/avatars/'.$filename;
        
$temp exec($command$output);
    


So, we can execute code in the filename. But no flag on this test server %)

6. Code execution
Now let's do what they want. Let's upload shell into the docroot of content.0x3d.ru. We'll do it with https://github.com/ptoomey3/evilarc
Create a ZIP archive with path traversal, it we'll be extracted to any directory you want (if it's writable). Now we've got PHP-shell on content.0x3d.ru

7. open_basedir bypass (unintended)
Command execution functions are disabled, but we can browse any directory with DirectoryIterator: http://ahack.ru/releases/glob_wrapper_open_basedir_exploit.php.txt
BTW, putenv() and mail() are not disabled, but somehow command execution via library preload and triggering sendmail doesn't work %)

8. Flag
Remember dev.0x3d.ru? Let's try it from the web-shell:
readfile('http://dev.0x3d.ru');


Часовой пояс GMT +3, время: 22:34.

Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd. Перевод: zCarot