[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

-
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ )
(إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان)


It was a nice CTF, I got 2nd place with my guys:

A picture during solving this challenge in the last 5m of the CTF (thinking that we got 1st place).

Let's walk through the Web Challenge Hot Proxy, note that we did not solve it during the time of the CTF it was a minute way, let's start.

Note: there is no source code in the challenge attachment, I requested it from the author (@serWazito0) thanks to him, challenges files ( ASCWG_2024_CTF ).

Note: the flag file in the server and called "flag_<RANDOM>.txt", so we have to get RCE.

From the title I know that there is an "SSRF" vulnerability in this challenge and from the description, we know that there is an internal application called "app1" with a route called "/secret" so our target is to access this one.

My first try is to send a call to the application in the request path

GET http://app1/secret HTTP/1.1

and it works and I got an error "Error fetching the URL."


in the CTF we got an announcement about brute forcing so if we brute force the ports for this app we can get a different response with port (9001) and we have a source code know


after reviewing the code we found that:

  • There is a SQL injection and the DB is SQLite3.
  • There is a filter we have to bypass, function "contains_blacklist".
  • The execution of the SQL command happens in the SQLite shell prompt itself in func "cursors_execute".


so how can we use the SQL injection in SQLite3 to gain RCE and read the flag?

after asking Google we end up with this screenshot


after trying it we faced an issue did not notice (maybe it was 2 minutes before the CTF end - focus was low) but we got another hint that we were in a shell, so what do we do when writing a line in the shell? yes ENTER but how we can do it now?

we tried a lot of things but nothing worked with us and after a lot of failures this works (%0a) as an ENTER so we have to write a valid SQL query that executes the Shell command, the following payload will read the flag and BINGO:
GET http://app1:9001/?username=flex';%0a.shell+cat+flag*%0a;select+' HTTP/1.1

but xD we could not find the flag for some reason the response just returned the folder of (app, DB) not all files and folders, and for some reason, I did not think about (*) but we got it with the author after the CTF by 1-minute xD.

Thanks for reading ;-);

عَنْ أُمِّ المُؤمِنِينَ أُمِّ عَبْدِ اللهِ عَائِشَةَ - رَضِيَ اللهُ عَنْهَا - قَالَتْ: قَالَ رَسُوْلُ اللهِ : " مَنْ أَحْدَثَ فِيْ أَمْرِنَا هَذَا مَا لَيْسَ مِنْهُ فَهُوَ رَدٌّ " رواه البخاري ومسلم، وفي رواية لمسلم " مَنْ عَمِلَ عَمَلاً لَيْسَ عَلَيْهِ أَمْرُنَا فَهُوَ رَدٌّ "


Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reverse the Binary we note that the binary takes the input byte by byte and there is a counter (i hate static analysts) Dynamic analysis  Let's jump to GDB and see what happened. I set a breakpoint on the road to get the stack address in which our input will be stored, and the following screenshots show our input increase and the counter before the RIP address. and the payload to overwrite the counter and control where the next write will be in the following screenshots  and we added to the counter (16) and could overwrite the RIP now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO Exploit we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax" so its time for our SROP attack. we
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more