On 11th April Giuseppe Trotta and myself organized a CTF (Capture The Flag) competition for Cyber Secure Pakistan (A conference that combines all the stakeholders). The challenge was hosted on hack.me and contained 9 different challenges, some challenges itself contained sub-challenges. Overall, we received great feedback from vast majority of participants. No one was able to solve all the challenges within the given time frame, however a day or two we noticed that a team of "Sajjad" and "MakMan" was able to solve the challenge, and they were kind enough to do the writeup for the challenge, so over to Sajjad for the writeup.

 I teamed-up with a very talented friend of mine to solve the challenges. He goes by the nickname "MakMan" and possesses extra-ordinary problem solving and penetration testing skills. We solved almost all challenges together. I want to keep this write-up precise, so I would not ramble on much about what I tried and failed. I will rather explain what steps I went through in each of the challenges to exploit the vulnerability and capture its flag. I am going to explain them in descending order where order is the time I had to spend to solve the challenge.

Note: You might notice that I didn't use threading in any of my scripts to make them work faster. The reason is that I was afraid of getting my I.P address banned by the server for sending requests too fast; I was also afraid of overloading the server by sending too many requests at a time. And in some scenarios, it was not feasible to use threading.

9. Authentication Bypass (via cookie manipulation)

8. PHP Object Injection (via "unserialize" function)

http://pastebin.com/raw.php?i=g2NQbr8P

From the source code, it can clearly been seen that the direct user input is being passed to the unserialize function which is a security risk and results in a code execution. It can also be seen that a vulnerable magic method "__destruct" exists in the class named "CreateFile" which exists in the same context (or file) as the unserialize function.

Here is the vulnerable line of code:

readfile(dirname(__FILE__) . '/' . $this->tmpfile);

Anybody having basic understanding of the objection injection vulnerability would know that he can set the values of the class properties according to his will by exploiting the "unserialize" function via input. Thus, we can set the value of "tmpfile" which would be the member of the current class instance.

So here is the input payload I submitted which resulted in Local File Disclosure.

ss O:10:"CreateFile":1:{s:7:"tmpfile";s:15:"unserialize.php";}

For anyone (not familar with serialization), here is the code I wrote to generate this payload.

http://pastebin.com/raw.php?i=FkUFveGp

A "KEY" was defined in the source code of unserialize.php.

The MD5 hash of that key was the flag for this challenge.

7. Cross-site Request Forgery (CSRF)

Hint: It's awesome when other people do things for you, isn't it?;)
The simulation of this hint, so the biggest part of this challenge is at "fake_user.php" file

And the credentials of a user account were also given.

The URL provided for this challenge had a small web application for bank management. There was a login page which can be seen in the screenshot below.


So I logged in using the provided credentials and noticed that a donation page existed which could be used to donate money to other members in the bank.

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'g00n' LIMIT 0,1' at line 5

First I thought of extracting the admin username and password from the database; but I figured that was unnecessary if the authentication page could be bypassed with good old "x' or 'x'='x".

/login.php?username=x' or 'x'='x&password=x' or 'x'='x

5. Supposedly Analytical Test (bypassed via automation)

http://pastebin.com/raw.php?i=WfWv4zKf

 The result that this script generated can be seen in the screenshot below.


It turned out that the key is displayed when the score becomes more than 50.

The MD5 hash of that key was the flag for this challenge.


4. Reversing JavaScript Code

This challenge has more than 150 solutions, but are you able to find the one that starts with «#? If yes, give me the MD5 of that value!

http://pastebin.com/raw.php?i=7kC5cvjh

From this line, it was understood that the username was "admin.

  if(document.getElementById("utb").value=="admin")

The next line in the JS code told that the password length should be 7.

if(document.getElementById("ptb").value.length!=7)

Now comes the interesting part. It can be seen in the JS code that an "if" statement is used to verify the entered password which has six conditions combined with logical AND (&&) operator. So I analyzed the first condition this way.

document.getElementById("ptb").value.charCodeAt(0) + document.getElementById("ptb").value.charCodeAt(1)==206

 It's worth mentioned here that the JavaScript "charCodeAt" function returns the Unicode value of the character at the specified index in a string.

This code tells that the sum of the Unicode values of the first and second characters of our password should be equal to 206. Let's have a look at the second condition.

document.getElementById("ptb").value.charCodeAt(1) + document.getElementById("ptb").value.charCodeAt(2) == 201

This condition says that the Unicode values of the first and second characters of our password should be equal to 201.

Rest of the four conditions follow the same pattern. The password could be easily calculated via simple plus, minus. But we had to calculate the password that started with «# as first two characters of the password.

So,

the Unicode of « is 171
the Unicode of # is 35

171 +  35 = 206

Following this pattern, let's try to find out the third character using the second condition which says that the Unicode values of the first and second characters of our password should be equal to 201.

We know the second character, don't we? The Unicode of second character is 35.

So,

 201 - 35 = 166

This tells us that the character at the Unicode 166 in the third character of required password which is "|".

So far the first three characters of our password are « # and |

Following this pattern, we could manually calculate the password but some of the characters were unprintable so it was better to calculate using small code.

1. 171
2. 35
3. 166
4. 18
5. 159
6. 21
7. 177

So I just used the JavaScript "fromCharCode" function which converts Unicode values into characters to calculate the password and then its MD5 hash.

Here is the little piece of JS code I wrote:

http://pastebin.com/raw.php?i=FU1wsPXw

 Here is the output:

0d6162bd63d6802283fa0c16514dc271

So this MD5 hash was the flag for this challenge.

 3. Multi-level (LFI, SQLi, Decoding, etc)

This challenge was fun to solve. Specially the last stage where the password hash needs to be decoded into plain-text. I will be very precise about explaining it because it's kind of lengthy.

It had different stages and a flag was provided at each stage.

Stage #1:

At first stage, I had to perform simple LFI. The application was designed in such a way that the name of child pages were mentioned in the URL and those pages were included into the parent page at run-time.

Here is the URL that I noticed at first:

/about.php?a=industrialization

After some attempts, I discovered that a config file (config.php) existed in a directory named "config" which was located in the parent directory of current location. So I simply used the following URL to read the contents of config file:

/about.php?a=../config/config.php

The output said:  "Ops, where is the salt?! Yes it is here...."

A salt was actually mentioned in an HTML comment which could be seen by viewing the source code of the page.

Stage #2:

/beer.php?id=1' union select 1,CONCAT_WS(CHAR(32,58,32),id,name,surname,username,password),3 from users where name="kelly" and surname="green" and 'x'='x

Here is the output:

22 : Kelly : Green : S0ZH8BR22J5 : UzA5T05UWTRkZnNhNzgwZnNkNmI3OGY2YmRzNmFmdDg3NmFzZDY1OGE=

So after entering this hash, the final stage was unlocked.

Stage #3:

In second stage, we extracted the password hash of Kelly Green. So in this last stage, the hash needed to be cracked/decoded and I was required to enter the plain-text password of Kelly Green.

This stage would have been fun if the hint was not provided right above the input field. The hint said:

As you can see, the dbms is MySQL. In this dbms the comments on tables are stored into the INFORMATION_SCHEMA db, inside the table TABLE. 

This hint made pretty obvious that the encoding or encryption algorithm was stored in the table comments. So I used the following query to extract the contents of the comment of table "users".

/beer.php?id=1' union select 1,table_comment,3 from information_schema.tables where table_schema=database() and table_name="users" and 'x'='x

Here is the output:

password = base64(base64(password) + salt)

 So I had the salt which I extracted in first stage and I had the password hash which I extracted in the second stage. And I had this algorithm. It took only a few seconds to decode the hash and get its plain-text.

The plain-text password (i,e. "KON568" was the third flag for this challenge.

Upon submitting the password, a GIF image was displayed on the page.

The MD5 checksum of that image was the final flag for this challenge.

2. Blind XPath Injection

This challenge was easy but it was time-taking. Anyone familiar with blind exploitation of such injections will understand why.

The goal was defined in the challenge description as follows:

Your goal: find the secret hidden among the information sent by a special customer.

This challenge had a small PHP application for a restaurant website. Two of the total three pages had nothing of a pen-tester's interest but the third page had a form for seat reservation. It has had a link to another page to check the status of a reservation by providing email and phone.

First thing I did was reserve a seat for myself using that reservation form and while doing so, I tested if any parameter was vulnerable which was not the case. But at least I reserved a seat for myself in "one of the most important restaurants in the world," as described in the challenge information.

Anyway after doing so, I opened the page to to check my reservation. The page had a form which looked like this:

URL: /checkreservation.php

POST data: phone=999-9999-9999&email=t3hg00n@yahoo.com' and '1'='1

Negative:

URL: /checkreservation.php

POST data: phone=999-9999-9999&email=t3hg00n@yahoo.com' and '1'='2

Later I realized I could send the same parameters in GET request as well (not important but makes things a bit easier). Anyway, I started with exploiting it manually by using the xpath's "substring" function but soon I realized that it was going take an eternity this way. So I tried to use a python tool named "xcat". It worked but it was so slow that it took about 30 minutes to extract the information of first user in the document but the secret was not stored in the information of first user. What a disappointed that was! And it reached the 4th user, the session was expired; but the secret was not yet found. But it did help because now I knew the element names and I figured which element contained the required secret message. This was the structure of the XML document:

http://pastebin.com/raw.php?i=kEQdcGF7

So I wrote a little PHP script to extract only the text of "info" element which I believed contained the secret. So first I manually discovered the length of the text in "info" element and then used the script to extract the contents. I started from second user as I already knew that the info of first user didn't have the required secret and found the secret in the info of 7th user.

Here is the little script I wrote:

http://pastebin.com/raw.php?i=REiFeShx

Here is the output it generated:

 Before I show the final output, I must admit that I had a mini heart-attack when it reached at this point after about 20 minutes.

 MD5 hash of this secret (Giuseppe did a great job!) was the flag for this challenge.

1. Guess the Password (Side Channeling)

This challenge was misleading. The title was misleading plus it had only 100 points, so I thought how difficult could it be? Should be easy, so I tried to solve this at second number (after finishing the 50 points challenge) but gave up after spending about 30 minutes on it and moved to the next challenge (didn't want to waste time and solve as many challenges as possible in less time).

After solving all other challenges, I came back to this. The main page had a form with one input field which can be seen in the screenshot below:



I started with analyzing headers, cookies and HTML source expecting the password to be hidden somewhere but at first attempt, I couldn't find anything of interest. Then I thought maybe it's a simple brute-force challenge; maybe a common weak password is used. Having this thought in mind, I coded a little script and started brute-forcing using a list of most common 1000 passwords. Result? Disappointed.

Here is how the form request was submitted:

URL: /index.php
POST data: password=test

And here is the resulting page:

 I am not afraid or ashamed to admit that I had never heard of "side channeling" attacks before and I had never used one and that's the reason that even after spending 2 hours on this challenge, I could not figure it out. I must admit that I was annoyed.

Anyway, I checked the HTML source once again and found this interest comment there.

"?debug for DEBUGGING" - I started wondering what it could possibly mean. I included "debug" parameter in the URL and analyzed the source but it was the same with and without the parameter.

After trying many things using this hint, I tampered the password submitting request and sent the request as below:

URL: /index.php?debug
POST data: password=test

At first the result looked exactly the same. But after checking the source, I discovered that that was some addition content in the result; it was an HTML comment which can be seen in the screenshot below.

password=t

When I changed the letter 't' to something else, the time again became zero. I tried all characters on the keyboard and the time remained zero. After putting back 't' the time was again 0.1. At this point, I figured that the first letter of the password might be 't' because it's getting passed through checks and there must be some processing going on on the valid characters which takes some time hence the increment in time. So after that, I added one letter after 't' and tried password=ta but the time remained same i.e. 0.1. So once again I replaced 'a' with every character on my keyboard one after one and when finished upper and lower-case alphabets, I inputted password=t1 and this was the result:

Yes, an addition of 0.1 in the time. This made me believe that I was going in the right direction and this was indeed the right way to "GUESS" the password. But just to be sure, I checked the third character manually and now I had first three valid characters of the password i.e. "t1c".

Obviously I didn't know the length of the password. It could have been 100 even 1000 characters long, so I decided code a PHP script to automate the task and "GUESS" the password for me.

Here is the code of that PHP script:

http://pastebin.com/raw.php?i=HkFCU2K6

It was a little fun coding this one. Here is the output it generated:



 "t1ckt0ck_b00m" was the valid password and the MD5 hash of this password was the flag for this challenge.

So that was it. It was really fun solving some of these challenges and it was indeed a good learning experience.

About The Author

Sajjad is a penetration tester and security enthusaists. He is a co-founder of CATRAX and REFLUXES where he offers security testing services.