HackTheBox Cyber Apocalypse 2021 CTF - Web Challenge Walkthroughs

In this video we're going to take a look at some of the web challenges from the Hack The Box Cyber Apocalypse 2021 CTF.

The first challenge we'll take a look at is Inspector Gadget. There were no files to download for this. Let's take a look at the description: it says "Inspector Gadget was known for having multitudes of tools available for every occasion. Can you find them all?" So we need to start the challenge; let me launch the Docker container. We get the IP and port that we can connect to. It might take a little while to boot up.

So the challenge loaded and we have this page. There are no links or anything on it; we can see the beginning of the flag here and then we just have an animation in the background. We can press Ctrl+U to view the source, and we'll notice right here that we have a comment which looks like part of the flag (we can see an underscore in it). So there's part of the flag, "inspection", and we have the CHTB part already. Let's have a look at the JavaScript and we'll see "is useful information", and also the CSS; if we take a look in there we have "can reveal". So the full thing is "Hack The Box, inspection can reveal useful information". We just put that all together into a string, submit it, and we've got our first web flag.

The next web challenge we're taking a look at is called MiniSTRyplace, and we can see that the "str" is capitalised, given as a hint. It says "let's read this website in the language of aliens"... or maybe not, I'm not sure; is that a typo or some kind of hint that I'm not getting? So we have a server that we need to launch and we have a downloadable part. Let's go and take a look at the downloadable part then. We have some different files we could download here; I'm going to open this up in Codium so we can have a look through the code. We can also build this up with the Dockerfile. So let's have a look here; where's the challenge index.php? All right, before we have a look at the code let's launch this as well, so we'll run
the build-docker script. We see it successfully builds; it's called "love talk"... I don't know, I haven't actually done the Love Talk challenge, maybe this is related to this challenge then. We can see that's launched; it's all up and running on port 1337. So if we go now to localhost:1337 we'll get the same page that we'd get if we go to the server side. This is just handy: it means that if there are any issues on the server side in terms of latency we don't need to worry about it. It also means that we can potentially modify the code as well, so if we wanted to add in more console.logs or something to have a look and see what's happening in the background, for example if there's some kind of filter in place stripping out characters, we might want to try out some different encoding types and things like that to see how we can bypass it. By printing out what the server is actually seeing after it's done its validation, after it's gone through its blacklist or whitelist or whatever, we'll be able to see if we're getting close to our payload working.

So that's all up and running. Let's have a look at the code. If we check the code here it looks like a classic LFI: we can include a local file here. You can see that it's actually trying to use str_replace to replace any "../" that we insert here, and essentially what it's saying here is it wants us to provide a language, either English or "qw" (I'm not too sure what that is). It wants us to provide a language here anyway, and if we don't provide a language it's going to assign a random one out of those two, and it's going to strip any "../" that we enter there. We know that we have the flag in this directory, so what we'd be aiming to do is, let's go to the site and select the language there; we'd be aiming to say "../../flag", and that's the file we want to include rather
than the language PHP file. But obviously these "../" are being excluded, so running that is the same as running just "=flag", which isn't doing much for us. So we could go and have a look for some LFI filter bypass checks; you can do different encoding types and stuff, you might want to try and encode the slashes. I'll show you the way that I solved this. Let's go over to Burp Suite first of all. In Burp Suite you can see we have quite a lot of noise here, so I'm going to update the scope: let's go to our target and for now let's just say we only want this 127 address to be counted. We'll add that to the scope, and then we can go to Proxy and in our HTTP history we can just say that we only want to show in-scope items, and then it'll only show these items here. Similarly, if we wanted to only intercept those as well, we can go to Options and just say we only want to intercept client requests if they're in scope (URLs in scope), and then we won't have to deal with that sort of stuff.

So we could go and take one of these requests, send this to the Repeater, and go and play around with some different types of encoding here to see if we can get this to work. The way I ended up solving this was to add in some extra slashes. So if we put in here "../../", we know that it's doing a str_replace here. Let's go and take a look at an example; this is the example str_replace. If we insert a string and it's "....//....//", it's going to see this "../" and it's going to remove it, and it's going to see this "../" and it's going to remove it as well, and we're going to be left with exactly what we want. So let's go and test that out. If we go to the Repeater and send that off we get our fake flag for testing, which is what we have right here, which means we can go and have a go at this on the server as well. So, I already have this up and running,
let's take a copy of the address, again select a language, and we're going to replace this then with "....//....//flag", and then we get our flag.

The next challenge is called Curl As A Service, and it says it's a brand new alien application built so that humans can test the status of their websites; however, it seems that the aliens have not quite got the hang of human programming and the application is riddled with issues. So we can launch a Docker container for this and we also have some files to download. Let's go and take a look at the files. I will admit that this challenge took me an embarrassingly long time to solve considering how simple the solution is, but let's have a look through the code here. Let's go back to the index.php here. There are a couple of routes: we have a GET request we can make to the home directory, and that's going to call CurlController at index, and we have a POST request to /api/curl which is going to call CurlController execute. So let's go and have a look at the CurlController, and we'll see in here then that if we call index it's just going to call view; it's basically going to display the page. If we call execute, which was by sending a POST request to /api/curl, then it's going to take in a POST parameter which is "ip", and it's going to assign the url to equal that, and as long as that's been set it's then going to create this new CommandModel with the url, and then it's going to json_encode and call exec as well, command exec. So we can go in and have a look at the CommandModel and see that in constructing here it's going to construct a command: it's going to take in our url and it's going to append that to "curl -sL", and it's going to wrap our url inside this escapeshellcmd. You can see that I've got this print statement here; this print statement wasn't actually here to begin with, I put this here because since we have the Dockerfile we can run this locally and I wanted to find out exactly
how this escapeshellcmd was treating our input, and the best way to do that then is just to print it out whenever the server has processed it, or you could just create a local PHP file to test out the same thing. But let's go in. So it looks like some command injection here was my initial thinking; I mean, obviously we have this escapeshellcmd, but if we were able to append something to this curl command it'd be executed right down here, so if we were able to append something to list the directory we'd be able to see where the flag is or cat out the flag, but obviously we would have to overcome this escapeshellcmd. So let's launch a Docker instance, build the Docker image, and we'll go and test this out and have a look a little bit further into escapeshellcmd. So this is going to run on port 1337; let's go to the address 127.0.0.1:1337 and we have the curl prompt here. So we could try and enter something in now. If I try and enter in even just the IP address we get "illegal characters detected". If we press Ctrl+U to go and have a look at the source, there's a JavaScript file here, which we could have looked at in Codium as well because we have access to all the source code, but if you're going to have a look at this, essentially this is checking to make sure that it's a URL. But obviously this is JavaScript, so as long as we can modify the traffic with a proxy we don't need to worry about that. So if we swap over to Burp, let's go into the HTTP history; we can see that we made the GET request; now it's not even attempted to make the POST request because the client-side validation failed. So let's try and enter in an actual web address, and you see that it didn't come back with any output, but it looks like the command went off OK; we can see it here in the HTTP history. So if we send this to the Repeater, now we can go and just play around with this. So, the reason I'd added the print here: if we hit
send, and let's maximise the window so we can see it a little bit better, so we have... let me send off again with another line so we can see it comes back here with our command; you can see it's added a backslash to the end of that. Let's try and insert in here: so we send off the IP, and if we wanted to append to that and say we want to list the files in the directory, see that's not actually come back. Let's try and URL-encode that, and you can see that it's come back, but it's added the backslashes before our ampersands, so it's escaped those, so whenever that runs in the terminal it's not going to execute the ls command. Let's undo that. So it was at this point that I started to look into the function. If we go and take a look at this GitHub page you can see that we've got the curl section already, but let me just scroll to the top. It describes here the difference between escapeshellcmd and escapeshellarg, where escapeshellcmd will ensure the user can only execute one command, but can specify an unlimited number of parameters and can't execute a different command, and escapeshellarg will ensure that the user can only pass one parameter to the command and can't specify more than one. So let's go back down to our curl section there, and we can see then with the curl example that although escapeshellcmd will ensure that we can't enter any additional commands after that, we can pass any number of arguments to curl. So in this example here they use -F, which I think will upload; it's to try and upload the local /etc/passwd file to example.com. So if we controlled this site and we were able to access it we could upload that to our server. The problem is in this case that we don't have an attacker-controlled site which the machine that we're testing is going to be able to connect back to, because it's not going to have full internet access, and we don't have any other machines on the
local network which we have control over. So I did play around with this for a while but didn't get anything working. Let me also just bring up some documentation from the official PHP docs, and in here it explains that all of these different special characters, and also these hex values, will be escaped if they're not paired. I think there was a warning somewhere... yeah, here's the warning: escapeshellcmd should be used on the whole command string, and it still allows the attacker to pass an arbitrary number of arguments; for escaping single arguments use escapeshellarg. So yeah, at this point I decided to have a look at some other curl commands that we have available, some other flags I should say. If we go and have a look at the curl man page, I basically had a look through all of the different parameters that we could provide, because at the moment it's passing in -sL which will make this silent. I will note that if we go back to Burp and pass in -V before we send that, you'll see that it comes back with the curl version, so we are able to retrieve data. So I was playing around with that for a good while; I didn't actually get that working. So let's have a look at another site here, and if we have a look here for curl, so if we have access to curl here are some things that we can do with it, and particularly here is the option to read files, where it says that we can just provide the file:// prefix to load a file. So maybe you'll see where this is going; I probably wasted quite a lot of time trying to get other things working before moving on to this, but if we actually just try here and load the flag with file:// instead of http://, let's try that now, and you'll see we get back our fake flag. So we'll be able to do that against the server. Note that even once I found the correct command I still
had some problems because I was sending an extra newline at the end, so you don't get anything back. Most of the things that I was trying initially I was getting nothing back, because I had this newline here, so just something worth bearing in mind: if you have that newline you might not get back the output that you expect. But that's it all working locally, so now that we know it works locally let's go and test it out against the remote server. We've already got the Docker instance running, so let's just copy that, and we should just be able to put in the full thing here: let's do file:// and then flag, and then we get back our flag. So yeah, a really easy challenge; it took me way longer than it should have, but that's how you solve it anyway.

The next challenge is called BlitzProp, and it says that it's a tribute for the legendary alien band called BlitzProp. Again we have some downloadable files and we can launch a Docker instance. I've already launched the Docker instance; I'm going to open this up now, because I tried to build the Docker container for the downloadable files and get things working locally first of all, and it didn't have the same layout and things that were submitted weren't working, so I'm not sure what the issue was. I just decided to work with the remote service here, which is fine. But let's go and open up the code and take a look at it. With the code open, just before we actually dig into that, let's test out the functionality. We have a box here which we can enter some text into and submit it, so let's just try and submit a script (I can't see where the cursor is) and just see if anything happens. We submit that and we get a message back saying "please provide us with the name of an existing song". So we have these four songs here; let's take a copy of that and paste that in, and then we get "hello guest, thank you for letting us know". Let's see, out of interest, if we append
something to that, do we still get the same message back? It looks like we do, so as long as our text is in there we'll meet the condition by the looks of it. So let's just try and insert something after that as well and we submit that, but there's no change anyway; it's still saying thanks for letting us know. So we could go and have a look in Burp Suite and have a look at the requests, and see that it's actually sending this off as a JSON object with the song.name parameter being set. So let's send this to the Repeater, so if we want to go and play around with this later and see if we can inject more things we'll be able to easily do that here. With that out of the way, it doesn't allow much other functionality there to test out, so let's go and have a look at this code as well. This is our index.html page; we don't really have too much else here. Inside the challenge folder, which is all that we're interested in, we've got our routes with index.js, and then we've got our static folders with JavaScript, images and stuff like that, and then just our index.html. So the only things of interest really are index.js and index.html. Take a look at index.js and we'll see that we have some libraries being used here: path, express, pug and flat. If we make a GET request to the home directory it'll just resolve this views/index.html that we were just looking at, and if we make a POST request to /api/submit, which is what happens whenever we send off the song name as this JSON object, then it's going to check to see if song.name includes one of those song names (you can see that variable set here), and if it does it's going to call pug.compile; it's going to return a response with pug.compile and then print out "hello user, thanks for letting us know", and it's setting the user to guest right here. Otherwise it'll just print this out to say "please provide us with the name of an existing song". So we need to have a look into this pug.compile and see what it's
doing. The first site I looked at here again was the HackTricks site, just to see if there was a cheat sheet here of some commands that we could enter. So let's load that up and see what I initially tried. If you're going to have a look at that, there are a couple of commands we can try here; there are various server-side template injection commands for different types of libraries, different languages and things like that. So I went and tried... it keeps loading the new section so it's moving my screen down, where's it gone... so I tried to just see if we could inject something like this in Burp. I mean, the problem is here that we need to keep the song name in anyway; the problem is obviously that it's not reflected back here anyway, so we'd be hoping to see 49 but we'd need it to be reflected back. At first, without looking at the code too closely, I thought that we needed to add another parameter, a name, which we would be able to add some code into to execute, because it was trying to load the name here; obviously it comes back with guest. So I was trying that to begin with and didn't really get anywhere. But let me go back here; let's check out another link, which was recommended to me by a teammate. As we can see here, this article describes how to trigger RCE in well-known template engines using a new technique called abstract syntax tree (AST) injection, and the two libraries are pug and handlebars. The first section talks about how to do this in handlebars; let's skip straight down to the pug section. There's quite a bit here you can read about it; I'll skip a little bit down towards the actual vulnerability, and we can see here: "pug works as shown in the graph above; unlike handlebars, each process is separated into a separate module. In the compiler of pug there's a variable that stores a line number, named pug_debug_line, for debugging. If no node.line value exists it's added to the buffer, otherwise it's passed,
and it's always specified as an integer, but we can insert a string into node.line through AST injection and cause arbitrary code execution." So this is the important bit we need to note; this is what we need to do. And it gives a breakdown of this showing how pug.compile works. So if we go back to our code, this is what's being called here, pug.compile. You can play around with this locally and print this out and have a look a little bit more at what it's talking about. It does give a proof of concept here, which is an example here at the bottom where they provide the URL they're posting this to, /vulnerable; we need to post it to /api/ song or something, I can't remember what it was called. Then it basically sends off this JSON object where we have the __proto__ block; it's requiring child_process and then executing a command, and then they just specified a command in here to get a reverse shell. So I basically just copied and pasted this and tried to make some changes to it. So let's go and try that out. We need to put in our server address and port number here as the target URL, and then we also need to have /api/submit in the URI, and just leave this as default. But what I initially tried to do here was just to cat flag.txt to see what happened; or just cat flag, we know it's just called flag because we have a local copy of it, so we're just trying to do cat flag to begin with. We also need to remember that we need to send off the song name, so we need to add in here as well song.name equal to... and then we need to get a valid song name, so let's go and grab one of the song names, "The Goose Went Wild". And then all I'll do here is just return this into a result, so we'll say result is equal to requests.post, and then we'll print out result.text and see what we get back. Let's try and run that; it takes a little while to come back.
This is exactly what happened to me, but it looks good, because what we see here is "command failed: can't open flag, no such file or directory", which means we've got execution; we just don't have the flag in that directory. So we need to go and have a look around. What I tried to do now then, the logical next step, would be to change this to ls. The problem is, try and run this again now, the problem is it'll run the command but it's not actually returning the output. So then if we go and try and change this again, and we can try and say ls to output, save that again, send it off, and if we save it to output we might be able to just go and open the output file in the browser and view it; but we'll see that we can't do that because the permission is denied. So what we can do is go and have a look around the site, right? If we go and open up the source we could go and see, well, we've got the static folder, why don't we try and write to static? I'll go back and say write this to static/output, and if you try and run that again, it didn't return the output, but that's a good sign, that means it's completed the command successfully. So now if we go and take a look at static/output we'll see that it's actually returned the directory listing, and the reason we weren't able to print flag, well, one of the reasons, is because we didn't have the right name anyway. So we could have potentially used just flag with an asterisk instead, but even if we did cat it out it wouldn't actually return the output for us. So we would want to cat it to... oh, we can just copy it. So let's go and say copy flag (let me get the actual name of it), so we can just copy it to static/flag, and then rather than printing out result.text we could now make a GET request to the same. You don't need that; I'm just doing that so I can use the success message. We'll assign our flag equal to requests.get, and then we'll make a GET request
to the target URL plus static/flag, and we want to get the response text and then we want to print that out as well. So now if we try and run that, let me clear the screen a bit; you can see it takes a little while to come back, but we get back our flag: Hack The Box, polluted style.

The next challenge is called Wild Goose Hunt, and it says outdated alien technology has been found by the human resistance; the system might contain sensitive information that could be of use to us, our experts are trying to find a way into the system, can you help? So again we have a Docker container we can launch here, which I've already got running, and we can download the files locally as well, so we'll launch a local Docker instance to get things working locally first of all; it can be quite a bit faster doing that, and we can potentially modify the server-side code as well if we want to see how our data is being processed. So let's also open up the code as well, and the first thing you probably notice here in the entry point is it's setting up a Mongo database and it's inserting in there an admin with a password, where the password is the flag, so it looks like that's what we need to retrieve. Before we look at the code any further let's just go and open up the site as well. We can load up the page here and we have some links which don't appear to go anywhere, so let's try and log in. We've got the username and password here; we'll just put in admin/admin and we get back "login failed", which we know is going to be the case because we didn't enter the flag as the password. If we went back and grabbed this fake flag instead and submitted that as the password, then we get "login successful". So it looks like the goal here is going to be SQL injection, or NoSQL injection in this case. So we might go and try and play around with some of these parameters; maybe we'll go over to Burp Suite and send it to the Repeater so that we can easily play around with these parameters as well, and that means we can try some different
things in here and see what responses we get, if we can trigger any errors, and obviously we're going to want to go and have a look at some SQL injection cheat sheets, maybe check out PortSwigger; I don't know how much stuff they've got around MongoDB. But let's go back to the source code here anyway. We might want to go in here and have a look to see if there's anything that we're missing. If we go in and have a look at index.js here, we can see it's also using pug here, which was used on another challenge; it looks like it's just used for the UI maybe. We have our Mongo database being connected to here; "heroes" is the name of it. Let's go and have a look at the models: we have this user.js model. If we go over to index.js, this is where the bulk of our code is; we have our GET request which we can make to the home page, and it'll just return the index, or we can POST to /api/login, and we submit the username and the password. It's returning this User object, as you can see here it's included from here; it's returning a User object which contains a username and a password, both type String, and then it has a collection here, "user", and this is set to export. Let's go back and take a look again, and it's going to check then if it finds that user; if it comes back with a one then we'll get the successful, otherwise we'll get "login failed". So at this point I would probably start googling around looking for MongoDB injection cheat sheets on previous CTF walkthroughs. Luckily my team member referred me to a walkthrough which should help with this challenge, so I'm going to open that up now. If you're going to take a look at this write-up there, this is from a 2016 CTF and has a similar challenge: we have a login here with MongoDB on the back end, and the solution they use here in order to bypass the login check is to pass in objects or arrays. So let's go back and just take a copy of this and try
and submit this in our Repeater. We need this as the username, and if we send that off... oh, we get "invalid username or password" because I didn't type in username correctly, but if we type that in correctly we get back "login successful, welcome back admin". So that's great, but obviously being logged in isn't too much use to us; we actually need to be able to retrieve the flag, and that's the exact same case with the article here. So in this article they use some regex to perform blind SQL injection, and essentially they loop through each possible character here in the password, and then if it returns, in this case, a status code 302 then print out that character, or print out the characters so far, and keep doing that until you've got the full flag, which they explain a little more here. They've also mentioned that some characters have been left out so they don't break their regex. So I grabbed a copy of the script and went and made some updates to it. Obviously I updated the flag format and the address first to the local address that we're testing out, and mostly this is the same. I changed the loop slightly because I noticed, whenever testing this against the server, it's quite slow, and it didn't have any uppercase characters in it, so I changed this to lowercase, and we check all digits and also just check the underscore before. If you check the code here, they check the underscore towards the end: they check every ASCII letter, lowercase and uppercase, and every digit, and all these other characters before they check the underscore, which is most likely to come up in this flag. So we check that first, check all the lowercase, check all the digits and then check the rest, and each time we're sending off the greater payload: every time we find a character we're starting off by sending this, and then we're looking for the next character, and say we find that that's an "a" then we'll send off this, and we just keep doing that until we get to the final curly brace and then we'll
print out the flag at the end. So let's run this against the local server first of all, and you'll see it very quickly gets the flag back, the fake flag for testing. So now we want to grab the server address, and we can just go and place that in our Python code and run the script again, and you'll see straight away it's not going to come back as quick as the local server did. At first, whenever I was running this against the server, I wasn't sure if anything was happening at all, so I had to go and update the code to keep printing out the responses, but it is running; it just takes a little while to go through them, and it takes a lot longer if you're checking for all the uppercase characters and checking for underscores at the end, so I'm glad that that's not the case this time. I'll speed up the process here, let it run for a few minutes and then come back. So yeah, I left it running there; it took about 10 or 15 minutes to complete and then we got a flag. Actually, whenever I was solving this originally, I saw the "bef" here and then just guessed that the rest was going to be "0r3"; I just submitted that, so I stopped the Docker instance towards the end of it. And that has been the Wild Goose Hunt challenge.

The next challenge is called E.Tree, and it says after many years where humans worked under alien commands, they have gradually been given access to some of their management applications; can you hack this alien employee directory web app and contribute to the greater human rebellion? So again we've got a Docker container which you can start, and we've got a downloadable part to the challenge, although this time we don't have source code for the challenge. So let's open up the Docker instance; I'll take a copy of that and we'll go and load it here. You can see that we've got this employee directory and we can search for a name. Let's just test out the functionality, but first of all we've got a leaderboard, so if we go to the leaderboard we can see some different names in here. So let's
take one of these names and go back to the last page and search for it, and you see we get 'the military staff member exists'. So if we search for a valid name we get 'exists'; if not, it says that it doesn't exist. So we could try and play around with some injection here, but to get an idea what the challenge involves let's have a quick look at the source code here. Let's go and look at the file that came with it as well, so we'll open up military.xml, and you can see we've got this XML document and the district ID 'confidential' is filled up with the staff, and each staff member has a name, an age, a rank and kills. If we scroll through the various staff members here, you'll see that we have another section, and in this section some of the staff members have a self-destruct code, where one of them has the first half of the flag and another has the second half of the flag. So obviously our goal is going to be to try to retrieve this flag. This is a local flag for testing, but we're going to be testing it out on the remote server anyway. So we know we want to extract some additional data from an XML file, so we're going to go and have a look at another cheat sheet here on XPath injection, and when the page loads we see that we have a description here: XPath injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. So as usual we have various characters that we might want to try and enter, various sample commands to try and identify if we have a vulnerability, and if we look through this we'll find that in our case we want to do some blind injection. Because if we go back here, whenever we have this leaderboard, we know that we have some more data which isn't being displayed here: we have the name, we have the age, the rank, the kills, but we also have more members, and some of them have the self-destruct code. But if we go back to
entering some information here, all we can do is check whether a user exists or not. If they don't exist it'll say doesn't exist there, and if they do exist it'll say does exist. So even if we were able to inject something here, there's nowhere to produce our output to; so if we were able to find something to get the flag, it doesn't print anywhere to screen, it just confirms for us whether the condition is true, in this case the condition being whether or not the name exists. So in that case we need to do some blind injection, and if we go here there's some examples. So I took one of the examples here, being this substring command, so let's grab the substring command and we're going to provide this here. Take this comment out. So all this is doing is, you can see that we're injecting here, so we're using a single quote to inject our code in here as well, and then we're giving a condition saying 'or', and we're checking does the substring of, in this case, this is set to user, because in their example (let's go back to their example) this is an XML document with the user data in it. But in our case we have a self-destruct code that we want to use, so let's take a copy of that, and instead of user we'll say self-destruct code there, and all we're checking is does the first character equal an 'a', in this case, and it shouldn't do; we know what the first character should equal, it should equal a 'C'. So let's actually put in a 'C' first of all, capital C, that should be the beginning of our flag, and then we submit that and we get 'the military staff member exists'. So what about if we try and see whether the first letter doesn't begin with a C, maybe it begins with 'H' for 'the box', and we search that and we see... okay, for some reason we see that it does exist here. That doesn't make any sense. I'm going to go and restart the server. This seems to be a bit temperamental; I was playing around with it and this was happening earlier as well. I've had to, I mean there's
no local copy for us to test this out on, but I had to restart this docker image so many times just due to problems, well, sometimes due to me crashing the server. But okay, let me try and load this again. I'll take a copy of that, I'm going to paste this here, and then I'm just going to grab a copy of this exact string here. So it shouldn't begin with 'H', we know that, so let's try and load this new page. Okay, it all looks the same, let's paste that in, and this time we submit it and we get 'the staff member doesn't exist'. So yeah, that's really strange; let me just test that again. So if we have 'C' at the beginning we see we get exists; if we try it with something else, we'll try with a different character, 'a', and we get it doesn't exist. If we change this now, so we know that the second letter should be 'H', we can go ahead and change this and say we're checking the substring of the second letter, and yep, it does exist. But if we try something else, let's try and just put in '6', and we'll see that it doesn't exist. So we could go through and we could do this with each of our values. We have 'T', which is going to be our third value, and if it comes back that it exists we know that's correct; if we put something else in, again we know that it's going to come back and say it's not correct. So we can keep doing this, but obviously we can only do this so far, and then we get to this stage where we know that, oh, number five is the curly brace. So yeah, we get this far, and now all we know is that we have 'CHTB' and our curly brace. So what we're going to do is just treat this exactly like we did the last challenge, where we used a script to keep looping through all the possible characters, and that's essentially our blind injection technique to get back our flag. What's really handy is we have a script now written for the previous challenge, so I just went and adapted that script slightly to work for this challenge. So let's go and check that out. Let me
take a copy of this address, and let's open up exploit.py. We need to paste this new address in here. So if you remember the previous challenge, then we had something very similar here: we know our initial flag begins with 'CHTB', so in this case in fact the count we're going to start from is six, or, well, I'll set this to the length, just in case, so it's more reusable. We'll set it to the length of the flag plus one; that's going to be the count to begin with. We don't want to reset the flag there, so we have a flag set, we have the URL, which we could go and verify here in Burp and just see what's being sent off. You can see it's going to api/search, and in this case as well the content type, I have the content type set there to application/json, and it took me a long time to get the script working because I was just trying to send this POST data as 'data' here, which you normally do when sending a POST request, and it took me a while to work out that you have this 'json' keyword here which will actually convert this into the correct format for you. So actually, I mean, it took me maybe five or ten minutes to work out how to extract the flag and then it took me about an hour to work out how to correctly send the POST requests off here, and that was unfortunate, but it seems to be working okay now. So we're going to loop through all the characters; we loop through the underscore first because it's likely to come up quite a bit, and I have this set to uppercase just for testing actually, but I'm going to try and set this to lowercase again. I haven't actually got the full flag yet; I'm trying to set this to lowercase and just hope that there's no uppercase characters in it, like there wasn't in the last challenge, because it'll take less time to do the blind injection. And yeah, it's going to loop through, it's going to assign the POST data to equal exactly what we just submitted there, except each time it goes through it's going to use another character, and then once it finds the right
character, so if the user exists, it's going to update our flag, it's going to update the count, so the next time we loop around we'll be checking the substring of the next character, and it'll just keep running, just like in the last challenge; it'll keep running until we get to the end of the flag and then it'll print that out. I'm actually going to update this to all ASCII letters, so we'll test it with lowercase and uppercase letters first of all, just to see whether it's needed. So with that all set, let's go and try and run the exploit.

Okay, I jumped ahead a little bit here. I tried to run it and left the recording on while I went AFK for like 20 minutes, and came back to see that it crashed. Let me go back here. So it crashed; it got like 10 characters in, lowercase characters, before it crashed. So I tried it again, testing capital letters, and found that 'H', sorry, 'T' was the first character in capitals, so I inserted that here and we're now just running through this again. I've inserted a sleep command to sleep in between each request to see if this helps. We've now got two characters, but yeah, I tried restarting the server a good few times; I think this is just some server issues, because you'll remember that whenever we were trying to initially test this here we had to restart the server to even get the condition working. So some server issues; anyway, hopefully we'll be able to get the rest of the flag here.

Okay, yes, that crashed again, so it's got stuck on 'u'. You won't have noticed it too much in the video there because I skipped through it, but it got stuck on 'u' for a good few minutes, so maybe there's some issues with the way I'm doing this. But we know that we have 'TH' now; it didn't find 'E', either lowercase or uppercase, so I'm going to assume the next letter is going to be a '3', oh sorry, the next number in this case. So presumably after this we'll have an underscore; let's just try and run this again quickly and just see if we get an underscore. Yeah, testing underscore,
and it found that an underscore was correct there. So I could keep looping through this and just, you know, keep doing this until it works. It's kind of unfortunate that the server keeps crashing, but I think the command's okay; maybe something to do with the position here, maybe I should be changing this. Okay, yeah, so it did crash out again. I'm going to try maybe again when the servers are a little less busy later; I might just try and keep things running in the background as well, maybe extend the connection timeout limit. But the solution definitely seems to be working anyway; I mean we've been able to retrieve the first few characters, so as long as we can continue in this fashion we should be able to get the rest as well.

Okay, so I left the program running for a while. I ended up putting in a sleep delay of one second and also added in this try/catch as well, so that if it did miss out a character we didn't have to restart from the beginning again, and yeah, got most of the flag here. So we're right up to the end of the first part. You'll see here that, to get through this a little bit quicker, what I was doing is rather than checking all the characters, if I saw something like the letter 'l' I would check for things like 'e', '3', 'o', 'a', things that are likely to show up there, and that kind of helped speed that up a bit, a kind of semi-manual process. I've also updated the query here as well so this is a bit more specific. If we go back to our military.xml, you'll see that we have the first part of our flag, and it's actually, if we have a look at our districts, we've got the first district and then we're in the second district, so we've just specified here that we want to look at the second district, and then in terms of staff we're looking at the third member of staff, and then we're grabbing the self-destruct code. So maybe that's helping cause fewer issues with the server as well. But at this point we need to get the next part of the flag, so I know there's an underscore
here. Let me just run this, just to show: if we run python exploit, so all we're passing is an underscore, it's detected that that is correct, so we can now put in the underscore. But I did then try and run through all of the characters and didn't find the next part, so we now need to move into the next section, which is another district over and is a different staff member as well. So this one's in the third district and is the second staff member, so let's try and change this from two to three, and three to two, and then for the next character, rather than just looking for an underscore, we'll be looking through all of the characters to find this. So I'll come back once we find the next character.

Okay, so I ended up just running through the rest of that and getting the full flag. It did take a while; at the beginning I hadn't reset the index here, so I was starting to count from the 22nd substring index, which was causing some problems for a while: I kept looping through and not getting any results. So I sorted that out anyway, just created a flag part one, and ran through it. I also found that while I was running through it automatically, you could go to the site and just try and input the most likely characters here, and then if I got the most likely character right I would then just move on to the next character here and reset the script. But anyway, it took a lot longer than I would have liked, particularly because of the throttling which seems to happen on the server side. I'll be interested to see some other walkthroughs for this afterwards, some other write-ups, to see if other people had similar problems with the server. So yeah, that's this challenge anyway. I'm going to move on to some other categories and try and get some more challenges done; if there's time hopefully I'll get back and take a look at the DaaS challenge and maybe some of these other web challenges which I didn't get to take a look at
yet.

The final web challenge we're taking a look at is called Bug Report, and it says: they say humans shall not take control of any of their resources; can you prove them wrong without letting them know? So we've got some files to download, and we've got a docker instance to spawn as well. Let's go and take a look at this locally first of all. The CTF actually ended last night; I was working on this challenge and making good progress, and I thought that, well, the timer said it was going to end at 1am UK time, and then suddenly it ended at 11pm, so it was like two hours shorter than I expected it to be. So unfortunately I didn't get this one in time, but I just wanted to come back and record this as a final challenge anyway. So let's open up the code here, and we'll start a docker instance as well, and we'll go and test out the site here. We've got this page: 'Report your bug. We keep our system secure. No humans should be able to gain access to our systems and take control over us. Report now any bugs you have found by placing the URL in the field so we can still have the upper hand.' So we might want to try and just quickly enter in some different values to see what we can do. We get 'something went wrong'; try and put in a script, and again 'something went wrong'. So we could have a look at the source code of the page here, but we might as well just go and have a look at the server-side source code as well, in the docker folder, in Codium. So we have the challenge here, we've got two files, app.py and bot.py, so let's take a look at app.py. So if we just go to the home page it'll load the index.html; we can send a POST request to api/submit, which is going to be this form field, and whenever we do that it's going to take the URL. So let's go and have a look in Burp Suite there as well: we can see that the URL is passed as a JSON object, so we have here request.json.get and it's taking the URL. It's making sure then that the URL begins with http or https, otherwise it will say something went wrong, and if it does
begin with http or https then we'll get this visit report, which is part of the bot file. So let's go and take a look at bot.py as well. I mean, you can see we have the Selenium drivers imported; whenever visit report is called and it takes in our URL, it's going to launch a browser with most of the protections disabled by the looks of it; it's running no-sandbox, headless, etc. It's going to load the same page, so it's going to load this page again, and then it's going to set a cookie which is going to have our flag in it, and then it's going to try and request the URL that we provide; it's going to wait for it and then it's going to finally return. So let's go back here as well; if you go back to app.py, the other thing that we have is if we get a 404 it's going to return this value. So we have a classic XSS vulnerability here: we are able to provide a URL, and the URL that we provide is going to be opened by this Selenium bot, and there's no protections enabled on it, and we know that before it's going to set a cookie for this document, which is the page that we're on, and then it's going to visit our site. So we want to try and steal the cookie that it's just created by redirecting to a site that we control. So we could go and play around with this then and put in some different values. Let's try and just put in, first of all, the same address, so 1337, and let's just say, if we try and enter the same, because we need to put http or https at the beginning in order to get back, hopefully it'll come back and say 'thank you for the valuable submission'. If we go and have a look at docker we can see that that went through, but we want to try and do something; there's nothing to show that our code has been executed here. We need to return something or do some kind of test to make sure that the cross-site scripting is working in the first place. So let's go and work out exactly where the cross-site scripting vulnerability is. If you go back to our
app.py here, you see there's only one point at which the value we enter, the URL that we provide, is actually going to be written as output, and you can see here that it's actually inside HTML tags. So if we trigger a 404 error it's going to print whatever URL we provide there, and that's the only way we can get that to reflect. So let's go and test that out. So we didn't get a script, we didn't get anything popping up here, as we wouldn't expect to, but if we give a URL which doesn't exist, so let's say here I'll just put in 'test' and then submit that, we don't see anything, but that should be causing the 404 on the victim's machine, or inside this bot basically. So in order for us to test that out, let's just go to another tab; this is the URL that they'll be trying to load, so let's just copy that, and you'll see that we get our XSS there. So we need to try and verify this is even working, so one thing we could do is try to load a resource from this URL and see if it comes up in the logs. So rather than putting in a script here, I'm going to put in, let's do image source equal to, and we'll paste in this URL and then just give it a different path, so we'll say 'success'. If the XSS is successful then it's going to make a request to this 'success' URL as well. So we'll just try and send that off, click report, and this is what we'll be running on the victim's machine, and you'll see that we get our 404 for the 'test', and we provide that command with the image source, and then right after that we get the GET request for 'success'. So that means that whenever the victim is processing the URL, they load the URL and then the XSS is successful, causing them to also try to load an image from themselves, essentially, but it's just a way of us testing to make sure that's working properly. So there's a variety of ways we could retrieve the cookie from here; one of the most common ways would just be to set the document.location, so we'll say
document.location is equal to, and I'll just provide, in this case, this would be the attacker URL, or the URL of our server or domain that we want to send the cookie to. In this case we'll just send it here; we'll say cookie is equal to, and then provide document.cookie, and that should print us out the cookie in our HTTP logs. You'll see here we have 'test cookie flag' equals, and it provided our local flag.
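As an added defender-side example (not from the video, the challenge files or the cheat sheet): the blind XPath technique walked through above, and the character-by-character loop from the earlier challenge, leave a distinctive trail, one request per guessed character with the substring position creeping forward and the app's exists/doesn't-exist answer acting as the oracle. The script below parses a constructed application-level request log (the log format, the client IPs and the element name selfDestructCode are all assumptions) and flags clients probing successive positions of the same node, reconstructing the prefix the responses confirmed so the defender knows what has already leaked.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed application-level request log (not real captured traffic). Each line
# records one POST to the search endpoint with the submitted search value and the
# app's answer. The element name selfDestructCode is a placeholder. Access logs do
# not carry POST bodies, so a real deployment would log this at the app or WAF layer.
SAMPLE_LOG = """\
10.0.0.5 POST /api/search search="' or substring(//staff[3]/selfDestructCode,1,1)='a' or '1'='1" resp=missing
10.0.0.5 POST /api/search search="' or substring(//staff[3]/selfDestructCode,1,1)='C' or '1'='1" resp=exists
10.0.0.5 POST /api/search search="' or substring(//staff[3]/selfDestructCode,2,1)='H' or '1'='1" resp=exists
10.0.0.5 POST /api/search search="' or substring(//staff[3]/selfDestructCode,3,1)='x' or '1'='1" resp=missing
10.0.0.5 POST /api/search search="' or substring(//staff[3]/selfDestructCode,3,1)='T' or '1'='1" resp=exists
10.0.0.5 POST /api/search search="' or substring(//staff[3]/selfDestructCode,4,1)='B' or '1'='1" resp=exists
10.0.0.9 POST /api/search search="Zorg" resp=exists
10.0.0.9 POST /api/search search="Blorp" resp=missing
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'search="(?P<search>.*)" resp=(?P<resp>exists|missing)\s*$'
)
# A substring(<node>, <pos>, 1) = '<char>' comparison is the one-character oracle
# the blind technique relies on: <pos> walks forward and <char> is the guess.
ORACLE_RE = re.compile(
    r"substring\(\s*(?P<target>[^,]+?)\s*,\s*(?P<pos>\d+)\s*,\s*1\s*\)"
    r"\s*=\s*'(?P<ch>[^']*)'",
    re.IGNORECASE,
)


@dataclass
class Probe:
    ip: str
    target: str   # the XPath node being read out, e.g. //staff[3]/selfDestructCode
    pos: int      # 1-based character position probed
    ch: str       # character guessed
    hit: bool     # True when the app answered "exists", i.e. the guess was confirmed


def parse_probe(line: str):
    """Return a Probe for a line carrying a substring oracle, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    o = ORACLE_RE.search(m["search"])
    if not o:
        return None
    return Probe(m["ip"], o["target"].strip(), int(o["pos"]), o["ch"],
                 m["resp"] == "exists")


def analyse(log_text: str, min_probes: int = 3) -> dict:
    """Group oracle probes per (client, target). A client that keeps asking about
    successive positions of the same node is reading it out one character at a
    time; for each such group, rebuild the prefix the responses confirmed
    ('?' marks positions no guess has confirmed yet)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        p = parse_probe(line)
        if p:
            groups[(p.ip, p.target)].append(p)
    findings = {}
    for key, probes in groups.items():
        if len(probes) < min_probes:
            continue
        positions = sorted({p.pos for p in probes})
        confirmed = {p.pos: p.ch for p in probes if p.hit}
        leaked = "".join(confirmed.get(i, "?") for i in range(1, positions[-1] + 1))
        findings[key] = {"probes": len(probes), "positions": positions,
                         "leaked_prefix": leaked}
    return findings


if __name__ == "__main__":
    for (ip, target), info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probes against {target}, "
              f"confirmed prefix {info['leaked_prefix']!r}")
```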
Info
Channel: CryptoCat
Views: 3,536
Keywords: cyber apocalypse, #CyberApocalypseCTF21, hack the box, hackthebox, htb, hacking, wargames, challenges, capture the flag, ctf, web, inspector, ssti, xss, blind xss, xpath, xpath injection, nosqli, mongodb injection, sqli injection, sqli, ast, ast exploit, prototype pollution, brute force, command injection, escapeshellcmd, input validation, devtools, xss bot, html, js, css, infosec, security, cyber-security, kali, bug bounty, bug hunting, burp suite, web proxy, session hijacking, cyberchef, tutorial
Id: vqR4i730soY
Length: 60min 34sec (3634 seconds)
Published: Sat Apr 24 2021