HITB2018DXB Pre-Conf CTF | Write up

-


In this topic, I will share with your the write-up about the HITB2018DXB Pre-Conf CTF from Cyber Talents I will solve the web security challenges.

First challenge [who am i for 50 points]:


at the first when we open the challenge we will found a login form so the first thing I tried to do it's open the source and look on it and I found that


so I used this account to enter the panel but I found that I should be an admin to see the flag
I think for a few minutes and I try to see the cookies and I found this

the value is encoded with base64 so when I decode it I found this value login=Guest now I changed the Guest to admin and encode it again and I tried to open the page again and I found the flag
the flag is: FLag{B@D_4uTh1Nt1C4Ti0n}


-----------


The second challenge [Dark project for 100 points]:

when you open the challenge you will find that there is a page when you open one from it there is a new parameter and the page name will be the value of this parameter home=about now the first thing I thought about the local file inclusion (LFI) when I tried to read passwd file I can't so I think there is a Filter to protect the website so I search for LFI bypass I found an interesting thing that PHP filter I can use it to read the bypass the LFI protection the final payload is

php://filter/convert.base64-encode/resource=index

this code will output the index file but encoded with base64, when I use it I found this in the source code


when I decode it I found a PHP code and there is a variable called flag and the value is {pHp_Wr4P3rs_4r3_Us3fuL} this is the flag.

-----------


The third challenge [Catch me if you can for 100 points]:

this challenge when you open it you will not find an interesting thing but if you opened the robots.txt file you will find two interesting files [source.phps3cr3t.php] the first file is the PHP source code the second one is the challenge the code is


I opened the challenge page and my Burp Suite and I catch the request from challenge page with this password R_4r3@ but the output is ILLEGAL CHARACTERS so this form not accepted I started to think about another form I tried to add Null-Byte but it's not worked in the PHP source the characters is not allowed so I tried to add a valid input so I tried to spoof the process so I tried to add a new line so I write on my Burp %0aR_4r3@ but the same problem and I notice that I didn't enter any valid value so I should add valid value before the new line so it will be like that 2%0aR_4r3@ and the output is

the interesting thing is 

-[------->+<]>---.++++++.------------.--[--->+<]>---.[----->+<]>.[--->++<]>.>-[----->+<]>.>-[--->+<]>--.[--->+<]>+++.--.--[->+++++<]>+.---[-->+++<]>--.+[----->+<]>.++[++>---<]>.+[->++<]>.-----.+[--->++<]>+.--[----->+<]>-.>-[----->+<]>.+.>--[-->+++<]>.


I asked my friend about it and he told me that this encoding called brainFuck sorry :P, I search on Google and I found an online tool to decode it, the flag is: FL@g{R3Str1Ct1d_Ar34}

-----------


The fourth challenge [admin gate second for 200 points]:

This is the hard challenge when you open the challenge link you will find login form and log in with test account when you look on the source code you will find this javascript code


this code creates a cookie and gets the user information from this path index.php?info=yes but I should add an Authorization header and valid token to get the information of the user I opened my Burp and catch the request to the information page and add the required headers and the output is {"username":"test","role":"user"} this the test account information but we need the admin information so I decoded the JWT and got it from the cookies I changed the information to be like that 

{
"data":"{\"username\":\"admin\",\"role\":\"admin\"}"
}
 and added it to the request but it does not work and I tried to brute force the secret to generating the Signature but I didn't find the secret, one of my friends told me before, I can bypass the JWT if I make the algorithm none value so I tried to do this when you make the algorithm none you should delete the signature from the JWT encode but you shouldn't delete the last dot the test account JWT encode is

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcInRlc3RcIixcInJvbGVcIjpcInVzZXJcIn0ifQ.BlX_zXDojjqaUBPl7AfcUdRGFxV4i_97k25_HoDHtYM

now I will open this website to edit this encode to be like this

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.bKup1TgwRDG22Gya4fBO0DcClusa_1LFwPfHpdAarJA

I will take the first base64 this one eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 this include the algorithm I just decode it and this is the output {"typ":"JWT","alg":"HS256"} I will change the alg from HS256 to none and encode it again to base64 and add it to the new JWT encode now I will delete the signature from it to be like that

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.

the important thing don't forget the last dot, now I will send a request to this path index.php?info=yes and add this header to the request


Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.

finally, the request will be like this

and the response is

BOOOOOM!! the flag is J!W!T@2018#Algo


I hope that this topic helped someone, thank you for reading.

Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Let's Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

Using CSRF I Got Weird Account Takeover

-
Image
Hi guys, I'm back again this bug was interesting and weird let's start. let's refer to the target's name as (target.com) I start to test the domain like what I do in my testing, I used sublist3r to enumerate the subdomains, in one of these subdomains I start to test the password reset function I sent a request to my email to change the password, i opened the link and sent the request to change the password but i used my Burp to see the request and it looks like that there is a token for CSRF I tested this token and deleted it but the change happens, that means there is no filtring for this token there is a CSRF bug here and there is another thing the token of reset password not in the request not in the cookies or in the body so i think it's in the sessions and how i knew that? I test the function of reset password I sent another link to my account and i sent the same request but it returns 403, I opened the new reset link bug didn't use it and I go b
Read more