Portail:SecurIMAG Ensimag IT security and hacking club/CTF/InsomniHack 2012/


SecurIMAG

Web Challenges Write-Up

Plongée Léman

Description: "Who do these fishermen at the far end of the lake think they are? First of all, it is called Lac Léman, not Lac de Genève, and how dare they claim to be the most experienced? It's scandalous!! We are going to take revenge by hacking their site. Unfortunately we know nothing about that, so it's up to you to do it. Prove your skills by finding the key that I know is hidden somewhere..."

Purpose: "Find the key"

A small website with an interesting page, "infos.php", which states that some information about us is retained: IP address, User-Agent and current page.

... but the User-Agent value displayed there is not filtered.

Vuln1: reading server files

On the page "sites.php" there is a link "sites.php?site=banane", and a file /banane exists on the server. Yes, this is a Local File Inclusion (LFI).

After several attempts, we include ".htaccess" to learn the open_basedir (which includes /tmp) and the disabled PHP functions.

http://epreuves2.insomni.hack:81/a6ba68dec36d2364ecd1037c116343509b64cf39/sites.php?site=.htaccess

.htaccess content:

php_value auto_prepend_file "/var/www/a6ba68dec36d2364ecd1037c116343509b64cf39/always.php"
php_value open_basedir "/var/www/a6ba68dec36d2364ecd1037c116343509b64cf39:/tmp" 
php_value disable_functions "apache_get_modules,apache_get_version, apache_getenv,apache_note,
apache_setenv, disk_free_space,diskfreespace,dl,highlight_file,ini_alter,ini_restore,openlog,
passthru,phpinfo, proc_nice,shell_exec,show_source,symlink,system, readfile,fopen,exec,
proc_open,proc_terminate, proc_get_status,popen,pcntl_exec"

Vuln2: writing to a file

From the HTTP 200 response headers, we know that the server runs Debian Squeeze; by default, session data is stored in "/tmp/sess_SESSID". The SESSID is the value of the "lacdegeneve" cookie.

So we are able to execute arbitrary PHP code on the web server by getting a malicious User-Agent (PHP code) stored in our session file (screenshot: SecurIMAG-2012-CTF-Insomnihack-web-leman.png).

Back to Vuln1

..., and include that session file via sites.php?site=/tmp/sess_OURSESSION.

http://epreuves2.insomni.hack:81/a6ba68dec36d2364ecd1037c116343509b64cf39/sites.php?site=/tmp/sess_r79h5tjo5m0j6d14vtacrkfck7

Then just list the current directory with readdir (not among the disabled functions), and you find a file named "ici_se_trouve_la_cle.txt".

Go to /ici_se_trouve_la_cle.txt and get the flag :).
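Seen from the server side, the chain above (include parameter pointing at dotfiles, absolute paths or session files, then PHP code arriving in the User-Agent) leaves clear traces in the access log. As an added example that is not part of the original write-up, this Python script runs that detection logic over constructed Apache combined-format log lines; the IPs, timestamps and session id are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag in a header that gets written to a session file is the poisoning step described above.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

def suspicious_include_value(value):
    """Return a reason if a file-include parameter value looks like an LFI attempt, else None."""
    v = unquote(value)  # parse_qs decoded once already; a second pass catches double encoding
    if '\x00' in v:
        return 'null byte in include parameter'
    if '..' in v.replace('\\', '/').split('/'):
        return 'path traversal in include parameter'
    if v.startswith('/'):
        return 'absolute path in include parameter'
    if v.rsplit('/', 1)[-1].startswith('.'):
        return 'dotfile requested via include parameter'
    return None

def analyse_access_log(text, include_params=('site',)):
    """Return (ip, reason, evidence) tuples for LFI-style requests and PHP code in the User-Agent."""
    alerts = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        for param in include_params:
            for value in query.get(param, []):
                reason = suspicious_include_value(value)
                if reason:
                    alerts.append((m['ip'], reason, value))
        if PHP_TAG_RE.search(m['ua']):
            alerts.append((m['ip'], 'PHP tag in User-Agent (session poisoning attempt)', m['ua']))
    return alerts

# Constructed sample log lines (not taken from the challenge server); the session id is made up.
SAMPLE_LOG = '''
10.0.0.5 - - [02/Mar/2012:14:01:02 +0100] "GET /sites.php?site=banane HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Mar/2012:14:01:09 +0100] "GET /sites.php?site=.htaccess HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Mar/2012:14:01:30 +0100] "GET /infos.php HTTP/1.1" 200 300 "-" "<?php echo 1; ?>"
10.0.0.5 - - [02/Mar/2012:14:01:45 +0100] "GET /sites.php?site=/tmp/sess_EXAMPLEID HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Mar/2012:14:02:00 +0100] "GET /sites.php?site=../../etc/passwd HTTP/1.1" 404 200 "-" "curl/7.21"
'''
```

Running `analyse_access_log(SAMPLE_LOG)` flags four of the five constructed lines; only the legitimate `site=banane` request passes.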


Les amis du papet

Description: Hi mate, you probably already know this, but I am the webmaster of Les Amis du Papet, a big site dedicated to the famous dish from Vaud. I've heard that the people from Valais want to destroy my site in order to promote their damned raclette instead! Could you check that my site has no vulnerabilities? Thanks, you're a good guy!

Purpose: Get into the admin area and retrieve the code found there

First, there is one form to log in and another to register; apparently no straightforward SQL injection here.

After creating an account (toto), we log in and see a small interface with a text box to write a description, and 3 messages from the admin.

In that box XSS is possible (</textarea> to break out of the field) and might give us the admin session, but that was the wrong way.


However, the URL carries a "user" parameter with an MD5-like value. For our login it is "f71dbe52628a3f83a77ab494817525c6" = md5("toto").

So we try md5("admin") and get a description along the lines of "I forgot the password last time, it was SoMePaSsWoRd".

Then we still have to find the admin area, because the admin/SoMePaSsWoRd pair does not work on the normal login form. After a few tries, "/admin/" turns out to be the right directory. Log in there with that pair and get the flag :).

JavaScript

Description: "Well, I found a really strange site... I've always been told that authentication in JavaScript is useless, but here I don't understand a thing. Could you help me find the password?"

Purpose: "Find the password"

Here, a simple web page with a script tag. The JavaScript code uses variable names like "Í", initialisations like "~-~-[]" (= 2), etc.

It just builds a list of ASCII characters (from JavaScript object names) that encodes the authentication function. To recover it (faster than by hand), use a JS debugger, such as the one included in Firebug :).

Texte Invisible

Description: "Hi, here is a little challenge for you. A web page that displays itself out of nothing... Is it magic? It's up to you to prove me wrong :)"

Purpose: "Find the key"

The page source was just "Some text", but "Some text and an another text" was displayed (in Mozilla and Safari).

In fact, RFC 5988 (Web Linking) was used: a "Link" header in the HTTP 200 response includes a stylesheet, whose "body:after" rule prints "and an another text" and which contains a comment with the flag.
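A stylesheet delivered through a Link header is easy to miss when only the HTML is audited. As an added example that is not part of the original write-up, this Python parser for RFC 5988 Link headers lists the stylesheets a response pulls in through its headers; the header values and URLs below are constructed, not the challenge's real ones.

```python
import re

# RFC 5988 Link header: <URI-Reference>; param=token; param="quoted", <URI-Reference>; rel=next
LINK_RE = re.compile(r'<(?P<target>[^>]*)>(?P<params>(?:\s*;\s*[\w-]+\s*=\s*(?:"[^"]*"|[^;,]*))*)')
PARAM_RE = re.compile(r';\s*(?P<name>[\w-]+)\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<token>[^;,]*))')

def parse_link_header(value):
    """Split a Link header into (target, params) pairs; the rel value is split into its tokens."""
    links = []
    for m in LINK_RE.finditer(value):
        params = {}
        for p in PARAM_RE.finditer(m['params']):
            val = p['quoted'] if p['quoted'] is not None else p['token'].strip()
            params[p['name'].lower()] = val
        # rel is a space-separated list of relation types (RFC 5988 section 5.3)
        params['rel'] = params.get('rel', '').lower().split()
        links.append((m['target'], params))
    return links

def header_stylesheets(headers):
    """Return stylesheet URLs referenced only through Link headers, i.e. invisible in the HTML body."""
    found = []
    for name, value in headers:
        if name.lower() != 'link':
            continue
        for target, params in parse_link_header(value):
            if 'stylesheet' in params['rel']:
                found.append(target)
    return found

# Constructed response headers (not the challenge's real headers).
SAMPLE_HEADERS = [
    ('Content-Type', 'text/html'),
    ('Link', '</hidden.css>; rel="stylesheet"; type="text/css", <https://example.invalid/next>; rel=next'),
    ('Link', '<https://example.invalid/doc>; rel="describedby alternate"'),
]
```

Against `SAMPLE_HEADERS`, `header_stylesheets` returns only `/hidden.css`, the one target that a browser would fetch and apply without any `<link>` tag in the page.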

On peut pas faire plus clair

On the page, three funny pictures and a text: "La réponse est logique..." ("The answer is logical...").

The answer was "logique".